
LWN.net Weekly Edition for November 16, 2006

Resisting the binary blob

Last week, LWN pointed at a software review claiming that Fedora Core 6 was so bad that the whole distribution should simply be shut down. The failing which led to such a dire prescription was a lack of proprietary software. According to the reviewer:

I appreciate the fact that distributions like Fedora Core are still focused on free-as-in-rights software, but today's Web content requires more proprietary browser plugins than yesterday's did, and today's hardware is increasingly designed to be dependent on proprietary binary blobs in the form of firmware and driver packages... Users do not want to hear reasons and excuses for why the operating environment doesn't work with their favorite Web sites or computer hardware -- all they know is that it doesn't work, and making it work is not a simple or obvious process.

This reviewer is not the only one to express this point of view; there would appear to be a rising chorus out there calling on Linux distributors to load up their systems with proprietary code. Some distributors have heeded this call, as witnessed by (for example) Ubuntu's decision to include more binary drivers by default in its next release.

It's not too hard to see where this pressure is coming from. A prospective user with a problematic laptop will be happier with a distribution which "just works." Most of the people who truly care about free software are likely to be using a free system already, so it is easy to imagine that the next wave of users will be less concerned - at the outset - about software freedom. So they will gravitate toward a system which does what they want to do (running on closed hardware, playing patent-encumbered media, etc.) without concerning themselves much about the provenance of the software they are using.

The fact that many of these users worry little about software freedom now does not mean that they will never care, however. Very few of us were born knowing that free software is a better solution, that using free software is an important part of being free in general. Just like most of us have learned, over time, that saving some of the money we earn, while perhaps being inconvenient in the short term, brings long-term benefits, we have also learned that using free software - and helping to improve that software - is better in the long term. Certainly some subset of the new users coming to Linux will come to understand this fact as well.

But it will not matter how well these users understand the fine points of software freedom if, by the time they have figured it out, there are no free operating systems for them to run. If we want free systems then, we have to build and use free systems now. There can be a place for a binary blob which enables a specific bit of hardware to work; your editor would argue that running such a blob is not an inherently immoral act. But it is not necessarily a wise act, and a distribution which quietly installs such blobs on an unsuspecting user's system in the name of "it just works" is not necessarily doing that user any favors.

As a thought experiment, consider how things might have gone if the Linux community had accepted the "just works (most of the time)" non-free Java implementation that Sun made available. Linux distributors, rather than put large amounts of work into making Java code work with free alternatives, could have simply shipped Sun's version. Had they done so, would we have (the promise of) a GPL-licensed Java from Sun now? If we simply accept proprietary drivers in the name of "it just works," when, exactly, do we think free drivers will become available?

So criticism of Fedora - or any other distributor which sticks to free software principles - is, at best, misplaced. There are proprietary systems out there for people who want to run them, but Linux is about free software. It makes no sense to try to push proprietary code onto a distribution which has set a goal of being 100% free, and it is silly to criticize such a distribution for containing only free software. We should, instead, be appreciative of the vast amount of work that has gone into giving us a 100% free system - and help to improve that system.

Along these lines, it becomes natural to wonder why the Free Software Foundation has not recognized the work done by the Fedora Project to make its distribution entirely free. Instead, the FSF has put its energy into promoting obscure distributions like gNewSense and UTUTO. It seems that the Fedora developers and the FSF have been talking about recognition for Fedora, resulting in the posting of this message from Richard Stallman. It covers a number of issues, including firmware, fonts, patents, and more. One sticking point, it would seem, is this:

We can certainly go through the [Fedora packaging] guidelines. We have not yet done so, but we know of one problem in the current policy: it says that packages can be included which qualify as open source but not as free software. In other words, not all packages need to meet the definition of free software.

Given the people involved with Fedora, and the work that has been done to eliminate packages with problematic licensing, your editor has no qualms in saying that Fedora is a truly free distribution. It is unfortunate that the work which has gone into the creation of this distribution is not as widely recognized as it should be. If we want to promote free software, and if we want to live in a world where we can use exclusively free software, we should not hesitate to acknowledge the work of those who have built free systems, and who have not given in to those pushing for the addition of proprietary code. They are doing the work we so very much want to see done, and we are far richer for it.

Comments (131 posted)

Some notes on free Java

The free software community would appear to have developed a winning strategy for bringing semi-proprietary code under a free license. Just create a project to reimplement that code, and name the project "Harmony." About the time that the Harmony project starts to make some real progress, the original code base will be relicensed to the GPL, and everybody will be happy.

This approach worked well with the first Harmony project, which was created to make a free version of the then-proprietary Qt library. In September, 2000, Trolltech finally made Qt available under the GPL. More recently, a Project Harmony set out to create a free Java implementation. A year and a half later, Sun Microsystems finally let go, and has promised to release Java as free software - and under the GPL at that.

Clearly some serious thought needs to be put into picking an appropriate target for the next Harmony project.

Actually, the "Harmony" name may not become available for a while yet; a quick look at the mailing list shows that, unlike the previous Harmony project, the current Harmony developers are continuing full-speed with their work. One might well wonder why, given that the "real" Java code is now promised to the community. It may be partly a matter of momentum, and partly waiting until the code actually becomes available (it will be a few months yet). Sun's interesting choice of the GPL also appears to be relevant. The Harmony project, being under the Apache umbrella, is using the Apache license, which is not compatible with the GPL. So the Harmony developers will not be able to make use of Sun's code in their project. If they want an Apache-licensed Java, they will have to continue to work to create it themselves.

There appears to be some concern within Harmony that Sun will require copyright assignments from those who would contribute to the GPL code base, and that, in turn, would allow Sun to make use of contributed code in proprietary projects. There are Harmony developers who are unwilling to contribute under those conditions. It has also been suggested in the Harmony camp that Sun might use patents to enforce Java compatibility. So Harmony may well continue for a while.

Another project which will be affected by this release is GNU Classpath. Unlike Harmony, however, Classpath uses a "GPL plus exception" license which allows the use of the library in proprietary applications. Sun's choice of the GPL makes life easy for the Classpath developers - especially since Sun adopted the same exception. But it does leave open the question of whether Classpath is needed at all. The real answer there probably depends on the shape of the actual code release; there may be parts of the "real" Java class library which Sun is unable to release, and which might then be substituted from Classpath. It also seems that Classpath has managed to build a dynamic and effective development community; the desire to continue to develop in that environment may keep Classpath going for a while yet.

Many pixels have been expended in attempts to analyze Sun's choice of the GPL. Most likely, Sun went with the GPL because (1) the response to the CDDL has been lukewarm at best, and (2) experience shows that GPL-licensed code is relatively resistant to the creation of incompatible forks. Sun's ostensible reason for resisting free licensing all these years was a fear of incompatible versions, so fork resistance should have been on their minds. Also worthy of note is the fact that Sun has specified that it is using version 2 of the GPL. A switch to GPLv3 seems likely once the license is final (see Jonathan Schwartz's weblog), but Sun is not committing to that ahead of time.

Sun has made some hints that Solaris might move over to the GPL as well. This would be a significant change, as it would allow Solaris code to find its way into the Linux kernel. There must be useful code within Solaris, even if some of the more interesting parts (the ZFS filesystem, say) would be a major challenge to port.

In any case, Sun's freeing of Java is a significant - if a bit overdue - gift to the community. It will enable the Java language to become a first-class citizen within Linux distributions and make a powerful language fully available to free software developers. Sun certainly cannot be faulted for failing to contribute in recent years. Soon, it will be up to the community to take this code and do great things with it.

Comments (17 posted)

Open Firmware is now free

A full twenty years ago, Mitch Bradley sat down to write the firmware (BIOS) code for Sun's upcoming SPARCstation line. The resulting code, then called OpenBoot, shipped on SPARC systems for years, and found its way into other vendors' computers as well. Mr. Bradley eventually left Sun to continue to work with this code, now called Open Firmware. It has proved to be useful for system manufacturers who found it to be a quick way to get their hardware going. Twenty years later, he is still at it at his company, FirmWorks.

As of this week, however, one aspect of Mr. Bradley's job has changed: he is now working with free software. Between code releases by Sun Microsystems and FirmWorks, the entire Open Firmware system is now free. Most of it is available under the BSD or MIT license; it can be browsed on the net or obtained from the Subversion repository at svn://openbios.org/openfirmware.

Open Firmware is an interesting system. At its core, it is an interpreter for the Forth language; most of the higher-level functionality is implemented in Forth and run on the interpreter. That will make the Open Firmware source relatively opaque for those of us who are not accustomed to working in stack-based languages; Open Firmware will certainly have the only ext2 filesystem code which looks like this:

    : ext2fsfread   ( addr count 'fh -- #read )
       drop
       dup bsize > abort" Bad size for ext2fsfread"
       file-size  lblk# bsize *  -     ( addr count rem )
       umin swap                       ( actual addr )
       lblk# read-file-block           ( actual )
       dup  0>  if  lblk#++  then      ( actual )
    ;

The use of Forth does help to keep the Open Firmware code compact and quick, however. This system can work with several different filesystems, perform TCP/IP networking (including functioning as an HTTP server or client), work with USB devices, and drive a wide range of devices in general. And it all fits in about 350KB of flash, with the ability to shoehorn it into 256KB if need be.

Open Firmware can also be useful for debugging hardware issues. The Forth interpreter is available at the system console, allowing a sufficiently clued developer to poke at device registers directly and see what happens. This feature is especially useful when trying to bring up new hardware which is displaying unexpected behavior. As Mr. Bradley has been heard to say:

I find that a certain amount of foot shooting is necessary, especially when dealing with new, possibly-broken hardware with dubious documentation. Interactivity at the lowest level lets you get all the foot-shooting done quickly, and more importantly, lets you examine the wounds in great detail.

Open Firmware is a foot-shooting tool of substantial power.

The Open Firmware code was widely used, even when it was a proprietary product. This code will be even more widely distributed soon. Back in October, the One Laptop Per Child project announced that it would be adopting Open Firmware for its systems. LinuxBIOS will remain on those systems as the low-level BIOS, but Open Firmware will be the code which performs boot loading and presents the firmware-level interface to the user. The OLPC decision was based on the smaller size, greater speed, and greater flexibility of the Open Firmware code. Once Open Firmware was set on the path toward a free release, OLPC's decision was relatively easy.

In the future, the now-free nature of Open Firmware may cause it to appear on a number of new systems, in places where a proprietary BIOS would have been found before. As a result, a part of our systems which has traditionally been proprietary and closed might just become open and free. So, while many of us may never work with this code directly, we'll likely benefit from its freedom anyway.

Comments (13 posted)

LWN comes out early next week

Thursday, November 23, is the Thanksgiving holiday in the U.S. As has become traditional, LWN will be published one day early next week so that we all have time to join our families and begin the task of serious eating. We'll return to the normal schedule the following week.

Comments (2 posted)

Page editor: Jonathan Corbet

Security

November: the month of kernel bugs

November 15, 2006

This article was contributed by Jake Edge.

A security researcher has proclaimed November to be the 'Month of Kernel Bugs' (MoKB) and is releasing one bug each day to highlight unreported issues with various kernels. The associated web site currently has six separate Linux bugs listed as well as bugs for MacOS, FreeBSD, Solaris and Windows. The project was first announced on the bugtraq mailing list along with a tool that can fuzz various Linux filesystems.

The Linux bugs described are all filesystem related; they were found using the fsfuzzer tool to generate various kinds of improperly formatted filesystem data and to feed it to the Linux filesystem code. This leads to various kinds of kernel problems, mostly crashes. Bugs have been found in several different filesystem types: ext2, ext3, iso9660, cramfs, and squashfs. The vulnerability found for cramfs actually exists in the zlib decompression code and could potentially lead to arbitrary code execution.
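To make the fuzzing step concrete, here is an added example written for this page; it is not fsfuzzer or Linux kernel code. It builds a constructed ext2 superblock, corrupts random bytes of it the way a mutation fuzzer does (including the 0x7F/0x80/0xFF boundary values that expose signedness mistakes), and runs each variant through sanity checks of the kind a filesystem driver must perform before trusting on-disk geometry. The superblock field offsets are the real ext2 layout; the specific bounds in check_superblock() (1 KiB to 4 KiB blocks, one bitmap block per group) are this example's own defensive choices rather than a transcription of the kernel's checks, and nothing is ever mounted.

```python
"""Mutation fuzzing of an ext2 superblock beside driver-style sanity checks.
Added example for this page, not fsfuzzer or kernel code.  Field offsets are the
real ext2 on-disk layout; the bounds in check_superblock() are this example's
own defensive choices.  Nothing here is ever mounted."""
import random
import struct

SB_OFFSET = 1024            # the ext2 superblock starts 1 KiB into the volume
SB_PARSED_LEN = 0x3A        # bytes of the superblock parsed (and mutated) here
EXT2_SUPER_MAGIC = 0xEF53

# name -> (struct format, offset within the superblock); all little-endian
FIELDS = {
    "s_inodes_count":     ("<I", 0x00),
    "s_blocks_count":     ("<I", 0x04),
    "s_first_data_block": ("<I", 0x14),
    "s_log_block_size":   ("<I", 0x18),   # block size = 1024 << value
    "s_blocks_per_group": ("<I", 0x20),
    "s_inodes_per_group": ("<I", 0x28),
    "s_magic":            ("<H", 0x38),
}

def get_field(image, name):
    fmt, off = FIELDS[name]
    return struct.unpack_from(fmt, image, SB_OFFSET + off)[0]

def set_field(image, name, value):
    fmt, off = FIELDS[name]
    struct.pack_into(fmt, image, SB_OFFSET + off, value)

def make_image():
    """Constructed sample: a consistent single-group, 1 KiB-block geometry for an
    8 MiB volume, in an otherwise empty 4 KiB buffer (no tables, no data)."""
    img = bytearray(4096)
    for name, value in {"s_inodes_count": 2048, "s_blocks_count": 8192,
                        "s_first_data_block": 1, "s_log_block_size": 0,
                        "s_blocks_per_group": 8192, "s_inodes_per_group": 2048,
                        "s_magic": EXT2_SUPER_MAGIC}.items():
        set_field(img, name, value)
    return img

def check_superblock(image):
    """Return the reasons to refuse the image; [] means it passed.  Each shift
    count or divisor is validated before any code path depends on it."""
    if len(image) < SB_OFFSET + SB_PARSED_LEN:
        return ["image too small to hold a superblock"]
    if get_field(image, "s_magic") != EXT2_SUPER_MAGIC:
        return ["bad magic"]
    log_bs = get_field(image, "s_log_block_size")
    if log_bs > 2:                                 # example bound: 1 KiB .. 4 KiB blocks
        return ["s_log_block_size out of range (%d)" % log_bs]
    block_size = 1024 << log_bs                    # safe only because of the check above
    problems = []
    first = get_field(image, "s_first_data_block")
    if first != (1 if block_size == 1024 else 0):
        problems.append("s_first_data_block inconsistent with block size")
    bpg = get_field(image, "s_blocks_per_group")
    ipg = get_field(image, "s_inodes_per_group")
    if bpg == 0 or bpg > 8 * block_size:           # a group's bitmap is one block
        problems.append("s_blocks_per_group invalid (%d)" % bpg)
    if ipg == 0 or ipg > 8 * block_size:
        problems.append("s_inodes_per_group invalid (%d)" % ipg)
    blocks = get_field(image, "s_blocks_count")
    if blocks <= first:
        problems.append("s_blocks_count too small (%d)" % blocks)
    if problems:
        return problems                            # the arithmetic below needs sane inputs
    groups = -(-(blocks - first) // bpg)           # ceiling division; bpg != 0 here
    if get_field(image, "s_inodes_count") != groups * ipg:
        problems.append("s_inodes_count does not match group geometry (%d groups)" % groups)
    return problems

BOUNDARY_BYTES = (0x00, 0x7F, 0x80, 0xFF)          # sign and overflow edges

def mutate(image, rng, nflips=3):
    """Copy the image and overwrite nflips random superblock bytes, half of the
    time with a boundary value and otherwise with a random byte."""
    out = bytearray(image)
    for _ in range(nflips):
        off = SB_OFFSET + rng.randrange(SB_PARSED_LEN)
        out[off] = rng.choice(BOUNDARY_BYTES) if rng.random() < 0.5 else rng.randrange(256)
    return out

def fuzz_campaign(image, iterations=200, seed=1):
    """Tally check_superblock() over corrupted variants: (accepted, rejected, {reason: n}).
    The accepted-but-corrupt images are the ones a real fuzzer would go on to loop-mount."""
    rng = random.Random(seed)
    rejected, reasons = 0, {}
    for _ in range(iterations):
        problems = check_superblock(mutate(image, rng))
        rejected += bool(problems)
        for p in problems:
            key = p.split(" (")[0]                 # drop the offending value from the key
            reasons[key] = reasons.get(key, 0) + 1
    return iterations - rejected, rejected, reasons

if __name__ == "__main__":
    acc, rej, why = fuzz_campaign(make_image())
    print("accepted %d, rejected %d" % (acc, rej))
    print("\n".join("%5d  %s" % (n, r) for r, n in sorted(why.items())))
```

The images that fuzz_campaign() counts as accepted are corrupt yet pass the front-door checks; a real campaign loop-mounts exactly those, because it is the deeper parsers (directory blocks, inode tables, compressed data in the cramfs case) that no superblock check can vouch for.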

While these bugs are fairly serious, they are also fairly difficult to exploit. Other than iso9660, it is rare that a Linux user will mount a filesystem generated by some external, potentially malicious, entity. USB flash drives might provide a vector for exploiting some of these bugs, but users are hopefully savvy enough to be wary of mounting them if they do not know where they came from. Administrators may also remove the ability for regular users to mount filesystems, especially on sensitive machines such as servers.
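The last mitigation above is worth checking rather than assuming. The following added example (written for this page, not from the article or from mount(8)'s source) audits fstab entries for the options that let an ordinary user mount a filesystem, applying mount(8)'s option-order rules (a `user` entry implies noexec,nosuid,nodev until a later option re-enables one, and a later `nouser` withdraws the permission) and flagging entry types whose kernel parsers the MoKB results covered. The fstab text is constructed sample data.

```python
"""Audit fstab entries for filesystems an ordinary user may mount.
Added example for this page, not from the article or from mount(8)'s source.
The fstab text below is constructed; feed audit_fstab() the contents of a real
/etc/fstab to use it."""

FSTAB_SAMPLE = """\
# <device>   <mountpoint>    <type>   <options>                    <dump> <pass>
/dev/hda1    /               ext3     defaults,errors=remount-ro   0      1
/dev/hdc     /media/cdrom    iso9660  user,noauto,ro               0      0
/dev/sda1    /media/usb      auto     user,exec,noauto             0      0
/dev/sdb1    /media/camera   vfat     users,noauto,nosuid          0      0
"""

USER_MOUNT_OPTS = {"user", "users", "owner", "group"}   # mount(8): non-root may mount
# Types whose kernel parsers the MoKB fsfuzzer results covered; 'auto' lets
# mount(8) probe the image and hand it to whichever of those it matches.
FUZZED_TYPES = {"ext2", "ext3", "iso9660", "cramfs", "squashfs", "auto"}

def effective_flags(options):
    """Walk the option list in order as mount(8) does: a user-mount option implies
    noexec,nosuid,nodev, a later exec/suid/dev re-enables that permission, and a
    later 'nouser' withdraws the user-mount permission again."""
    user_mountable = False
    flags = {"exec": True, "suid": True, "dev": True}
    for opt in options:
        if opt in USER_MOUNT_OPTS:
            user_mountable = True
            flags = {"exec": False, "suid": False, "dev": False}
        elif opt == "nouser":
            user_mountable = False
        elif opt in flags:
            flags[opt] = True
        elif opt.startswith("no") and opt[2:] in flags:
            flags[opt[2:]] = False
    return user_mountable, flags

def parse_fstab(text):
    """Yield (lineno, device, mountpoint, fstype, [options]) for each real entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("fstab line %d has fewer than four fields" % lineno)
        device, mountpoint, fstype, opts = fields[:4]
        yield lineno, device, mountpoint, fstype, opts.split(",")

def audit_fstab(text):
    """One finding per entry an ordinary user may mount, noting whether the type
    is one of the fuzzed parsers and which of exec/suid/dev were re-enabled."""
    findings = []
    for lineno, device, mountpoint, fstype, options in parse_fstab(text):
        user_mountable, flags = effective_flags(options)
        if not user_mountable:
            continue
        findings.append({
            "line": lineno,
            "device": device,
            "mountpoint": mountpoint,
            "fstype": fstype,
            "fuzzed_parser": fstype in FUZZED_TYPES,
            "reenabled": sorted(k for k, v in flags.items() if v),
        })
    return findings

if __name__ == "__main__":
    for f in audit_fstab(FSTAB_SAMPLE):
        print("line %(line)d: %(device)s on %(mountpoint)s (%(fstype)s) is user-mountable;"
              " fuzzed parser: %(fuzzed_parser)s; re-enabled: %(reenabled)s" % f)
```

An `auto` entry deserves particular attention: the type is chosen by probing the medium, so a user-mountable `auto` line exposes every filesystem parser the kernel knows, not just the one the administrator had in mind.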

Kernel bugs that allow arbitrary code execution are particularly serious because they can provide a way to completely take over the system. If an attacker can convince someone to mount a specially crafted cramfs image, they may be able to cause all manner of mayhem with that system. Attacks targeted at a specific person or company would seem to be the biggest concern as it would be somewhat difficult to use as a vector for a widespread infection; the logistics of distributing thousands of USB keychains to create a Linux botnet would be daunting. The money that could be earned by renting out the botnet, however, might be enough for some, especially if they could find a way to do it anonymously.

Two of the reported bugs against Windows wireless drivers would seem to be of little interest to Linux users, but, unfortunately, that is not the case. As mentioned here, Ndiswrapper is often used to provide Linux 'support' for many wireless adapters and, as Dave Jones points out, this makes Linux potentially vulnerable as well. It may be that the vendors release a fix promptly, but until they do, users of those drivers are vulnerable to attack. And, in any case, propagating a fix in a Windows network driver to a substantial portion of its users is not a simple thing to do.

The MoKB announcement mentions the possibility of 'silent fixes' of these problems; at least so far, that does not seem to be happening. Silent fixes are ones that fix a security problem, but in some way obfuscate the security implications of the fix (or, at least, are not accompanied by a security advisory). Proprietary vendors are well known for this kind of behavior, but one would hope open source developers are more, well, open about those kinds of things. The only fix that seems to have made its way into the kernel so far is for an ext3/ext4 bug that was found prior to the MoKB. It was clearly described as a crash in the patch and the fsfuzzer tool was referenced. It did not specifically mention it as a security problem, but opinions differ on whether a denial of service that is not caused externally should be considered a security issue.

While the fixes are not silent, they also do not seem to be very high on anyone's priority list, either. So far, there do not seem to be patches for any of the MoKB reported issues posted to the linux kernel mailing list. The zlib inflate issue, with its memory corruption potential, would seem like one that should be fixed relatively soon even if its exploit potential is low.

So far, MoKB has produced some interesting bugs, especially on other operating systems. We will be keeping an eye out for any others that might have a bigger impact on Linux users and for fixes going into the kernel. November is only half over.

Comments (10 posted)

New vulnerabilities

avahi: sender id check

Package(s):avahi CVE #(s):CVE-2006-5461
Created:November 13, 2006 Updated:December 20, 2006
Description: Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service.
Alerts:
Ubuntu USN-380-2 2006-12-14
Fedora FEDORA-2006-1340 2006-12-11
Fedora FEDORA-2006-1339 2006-11-28
Gentoo 200611-13 2006-11-20
Mandriva MDKSA-2006:215 2006-11-20
Ubuntu USN-380-1 2006-11-11

Comments (1 posted)

bugzilla: multiple vulnerabilities

Package(s):bugzilla CVE #(s):CVE-2006-5453 CVE-2006-5454 CVE-2006-5455
Created:November 10, 2006 Updated:August 28, 2007
Description: Bugzilla has the following vulnerabilities:

Input data passed to various fields is not properly sanitized before being passed back to users.

Users can gain unauthorized access to read attachment descriptions while using diff mode.

HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification.

Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users.

Alerts:
Debian DSA-1208-1 2006-11-11
Gentoo 200611-04 2006-11-09

Comments (none posted)

ftpd: privilege escalation

Package(s):ftpd CVE #(s):CVE-2006-5778
Created:November 10, 2006 Updated:February 14, 2007
Description: Ftpd is vulnerable to a privilege escalation attack: an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories.
Alerts:
Gentoo 200611-05:02 2006-11-10
Debian DSA-1217-1 2006-11-20
Gentoo 200611-05 2006-11-10

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-5757
Created:November 13, 2006 Updated:November 14, 2007
Description: From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")."
Alerts:
Fedora FEDORA-2007-599 2007-06-21
Fedora FEDORA-2006-1223 2006-11-12
Fedora FEDORA-2006-1221 2006-11-10

Comments (none posted)

openldap: denial of service

Package(s):openldap CVE #(s):CVE-2006-5779
Created:November 10, 2006 Updated:December 1, 2006
Description: openldap has a denial of service vulnerability. Remote attackers can create special LDAP Bind requests to trigger a libldap assertion failure.
Alerts:
rPath rPSA-2006-0221-1 2006-11-30
Gentoo 200611-25 2006-11-28
SuSE SUSE-SA:2006:072 2006-11-24
Mandriva MDKSA-2006:208-1 2006-11-21
Ubuntu USN-384-1 2006-11-20
Mandriva MDKSA-2006:208 2006-11-14
OpenPKG OpenPKG-SA-2006.033 2006-11-10

Comments (none posted)

pdns: buffer overflow

Package(s):pdns CVE #(s):CVE-2006-4251
Created:November 15, 2006 Updated:November 16, 2006
Description: The PowerDNS nameserver suffers from a buffer overflow which can be exploited to cause a denial of service, with the potential for the execution of arbitrary code.
Alerts:
SuSE SUSE-SA:2006:070 2006-11-16
Debian DSA-1211-1 2006-11-14

Comments (none posted)

trac: cross-site request forgery

Package(s):trac CVE #(s):CVE-2006-5848 CVE-2006-5878
Created:November 13, 2006 Updated:December 13, 2006
Description: It was discovered that Trac, a wiki and issue tracking system for software development projects, performs insufficient validation against cross-site request forgery, which might lead to an attacker being able to perform manipulation of a Trac site with the privileges of the attacked Trac user.
Alerts:
Gentoo 200612-14 2006-12-12
Debian DSA-1209-2 2006-11-12
Debian DSA-1209-1 2006-11-12

Comments (none posted)

Updated vulnerabilities

apache: cross-site scripting

Package(s):apache CVE #(s):CVE-2006-3918
Created:August 9, 2006 Updated:April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header."
Alerts:
SuSE SUSE-SA:2008:021 2008-04-04
Ubuntu USN-575-1 2008-02-04
SuSE SUSE-SA:2006:051 2006-09-08
Debian DSA-1167-1 2006-09-04
Red Hat RHSA-2006:0619-01 2006-08-10
Red Hat RHSA-2006:0618-01 2006-08-08

Comments (none posted)

asterisk: arbitrary code execution

Package(s):asterisk CVE #(s):CVE-2006-5444
Created:October 19, 2006 Updated:December 6, 2006
Description: The Asterisk telephony PBX application has a heap overflow vulnerability in the skinny channel driver. A remote attacker can use this to arbitrarily execute code with the privileges of the Asterisk user. See this vulnerability report for more information.
Alerts:
Debian DSA-1229-1 2006-12-06
SuSE SUSE-SA:2006:069 2006-11-16
Gentoo 200610-15 2006-10-30
OpenPKG OpenPKG-SA-2006.024 2006-10-19

Comments (none posted)

bind: denial of service

Package(s):bind CVE #(s):CVE-2006-4095 CVE-2006-4096
Created:September 7, 2006 Updated:February 1, 2007
Description: Bind has two denial of service vulnerabilities.

Queries to a recursive server for SIG records trigger an assertion failure if more than one RRset is returned.

An INSIST failure can be triggered by sending a large number of recursive queries.

Alerts:
Fedora FEDORA-2007-164 2007-01-31
Gentoo 200609-11 2006-09-15
Slackware SSA:2006-257-01 2006-09-15
Fedora FEDORA-2006-966 2006-09-11
Debian DSA-1172-1 2006-09-09
Mandriva MDKSA-2006:163 2006-09-08
rPath rPSA-2006-0166-1 2006-09-08
Ubuntu USN-343-1 2006-09-07
OpenPKG OpenPKG-SA-2006.019 2006-09-07

Comments (none posted)

busybox: insecure password generation

Package(s):busybox CVE #(s):CVE-2006-1058
Created:May 5, 2006 Updated:May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when hashing passwords. Unsalted hashes can be brute-forced far faster than properly salted ones, so an attacker with access to the password file could recover passwords in very little time.
Alerts:
Red Hat RHSA-2007:0244-02 2007-05-01
Fedora FEDORA-2006-511 2006-05-04
Fedora FEDORA-2006-510 2006-05-04

Comments (2 posted)

bzip2: race condition and infinite loop

Package(s):bzip2 CVE #(s):CAN-2005-0953 CAN-2005-1260
Created:May 17, 2005 Updated:January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. Also specially crafted bzip2 archives may cause an infinite loop in the decompressor.
Alerts:
rPath rPSA-2007-0004-1 2007-01-09
Debian DSA-741-1 2005-07-07
Red Hat RHSA-2005:474-01 2005-06-16
OpenPKG OpenPKG-SA-2005.008 2005-06-10
SuSE SUSE-SR:2005:015 2005-06-07
Debian DSA-730-1 2005-05-27
Mandriva MDKSA-2005:091 2005-05-18
Ubuntu USN-127-1 2005-05-17

Comments (2 posted)

cpio: arbitrary code execution

Package(s):cpio CVE #(s):CVE-2005-4268
Created:January 2, 2006 Updated:March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system).
Alerts:
CentOS CESA-2010:0145 2010-03-17
Red Hat RHSA-2010:0145-01 2010-03-15
rPath rPSA-2007-0094-1 2007-05-07
Red Hat RHSA-2007:0245-02 2007-05-01
Ubuntu USN-234-1 2006-01-02

Comments (none posted)

vixie-cron: privilege escalation

Package(s):cron CVE #(s):CVE-2006-2607
Created:May 31, 2006 Updated:June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
Alerts:
Ubuntu USN-778-1 2009-06-01
Red Hat RHSA-2006:0539-01 2006-07-12
Gentoo 200606-07 2006-06-09
SuSE SUSE-SA:2006:027 2006-05-31
rPath rPSA-2006-0082-1 2006-05-25

Comments (1 posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2006-4262
Created:October 2, 2006 Updated:June 16, 2009
Description: Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code.
Alerts:
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200610-08 2006-10-20
Debian DSA-1186-1 2006-09-30

Comments (none posted)

cscope: buffer overflows

Package(s):cscope CVE #(s):CVE-2004-2541
Created:May 22, 2006 Updated:June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target.
Alerts:
CentOS CESA-2009:1102 2009-06-19
CentOS CESA-2009:1101 2009-06-16
Red Hat RHSA-2009:1102-01 2009-06-15
Red Hat RHSA-2009:1101-01 2009-06-15
Gentoo 200606-10 2006-06-11
Debian DSA-1064-1 2006-05-19

Comments (1 posted)

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service

Package(s):cyrus-sasl CVE #(s):CVE-2006-1721
Created:April 21, 2006 Updated:September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate.
Alerts:
Red Hat RHSA-2007:0878-01 2007-09-04
Red Hat RHSA-2007:0795-01 2007-09-04
SuSE SUSE-SA:2006:025 2006-05-05
Fedora FEDORA-2006-515 2006-05-04
Debian DSA-1042-1 2006-04-25
Mandriva MDKSA-2006:073 2006-04-24
Ubuntu USN-272-1 2006-04-24
Gentoo 200604-09 2006-04-21

Comments (none posted)

ffmpeg: buffer overflows

Package(s):ffmpeg CVE #(s):CVE-2006-4799 CVE-2006-4800
Created:September 14, 2006 Updated:May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI file, arbitrary code can be executed with the user's privileges.
Alerts:
Gentoo 200609-09 2006-09-13

Comments (2 posted)

freeradius: several vulnerabilities

Package(s):freeradius CVE #(s):CVE-2005-4745 CVE-2005-4746
Created:August 8, 2006 Updated:April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service.
Alerts:
Mandriva MDKSA-2007:092 2007-04-23
Debian DSA-1145-1 2006-08-08

Comments (none posted)

freetype: integer overflows

Package(s):freetype CVE #(s):CVE-2006-0747 CVE-2006-1861 CVE-2006-2493 CVE-2006-2661 CVE-2006-3467
Created:June 8, 2006 Updated:June 1, 2010
Description: The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user.
Alerts:
Gentoo 201006-01 2010-06-01
Fedora FEDORA-2009-5644 2009-05-28
Fedora FEDORA-2009-5558 2009-05-28
CentOS CESA-2009:0329 2009-05-22
Red Hat RHSA-2009:1062-01 2009-05-22
Red Hat RHSA-2009:0329-02 2009-05-22
Gentoo 200710-09 2007-10-09
Debian DSA-1178-1 2006-09-16
Ubuntu USN-341-1 2006-09-06
Gentoo 200609-04 2006-09-06
rPath rPSA-2006-0157-1 2006-08-25
Mandriva MDKSA-2006:148 2006-08-24
Red Hat RHSA-2006:0635-01 2006-08-21
Red Hat RHSA-2006:0634-01 2006-08-21
Fedora FEDORA-2006-912 2006-08-14
SuSE SUSE-SA:2006:045 2006-08-01
OpenPKG OpenPKG-SA-2006.017 2006-07-28
Ubuntu USN-324-1 2006-07-27
Slackware SSA:2006-207-02 2006-07-27
Mandriva MDKSA-2006:129 2006-07-20
Gentoo 200607-02 2006-07-09
SuSE SUSE-SA:2006:037 2006-06-27
Mandriva MDKSA-2006:099-1 2006-06-13
Mandriva MDKSA-2006:099 2006-06-12
rPath rPSA-2006-0100-1 2006-06-12
Debian DSA-1095-1 2006-06-10
Ubuntu USN-291-1 2006-06-08

Comments (none posted)

gcc: file overwrite vulnerability

Package(s):gcc CVE #(s):CVE-2006-3619
Created:September 6, 2006 Updated:March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.
Alerts:
Mandriva MDVSA-2008:066 2008-03-13
Red Hat RHSA-2007:0473-01 2007-06-11
Red Hat RHSA-2007:0220-02 2007-05-01
Debian DSA-1170-1 2006-09-06

Comments (none posted)

gdb: buffer overflow

Package(s):gdb CVE #(s):CVE-2006-4146
Created:September 15, 2006 Updated:June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations.
Alerts:
Red Hat RHSA-2007:0469-01 2007-06-11
Red Hat RHSA-2007:0229-02 2007-05-01
Ubuntu USN-356-1 2006-10-02
Fedora FEDORA-2006-975 2006-09-14

Comments (none posted)

gdm: improper file permissions

Package(s):gdm CVE #(s):CVE-2006-1057
Created:April 19, 2006 Updated:May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.
Alerts:
Red Hat RHSA-2007:0286-02 2007-05-01
Mandriva MDKSA-2006:083 2006-05-09
Ubuntu USN-278-1 2006-05-03
Debian DSA-1040-1 2006-04-24
Fedora FEDORA-2006-338 2006-04-19

Comments (none posted)

gedit: format string vulnerability

Package(s):gedit CVE #(s):CAN-2005-1686
Created:June 9, 2005 Updated:February 5, 2009
Description: A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user.
Alerts:
Fedora FEDORA-2009-1189 2009-01-29
Fedora FEDORA-2009-1187 2009-01-29
Debian DSA-753-1 2005-07-12
Mandriva MDKSA-2005:102 2005-06-15
Red Hat RHSA-2005:499-01 2005-06-13
Gentoo 200506-09 2005-06-11
Ubuntu USN-138-1 2005-06-09

Comments (1 posted)

grip: buffer overflow

Package(s):grip CVE #(s):CAN-2005-0706
Created:March 10, 2005 Updated:November 19, 2008
Description: Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches.
Alerts:
Fedora FEDORA-2008-9604 2008-11-19
Fedora FEDORA-2008-9521 2008-11-19
Fedora-Legacy FLSA:152919 2005-09-15
Mandriva MDKSA-2005:074 2005-04-20
Mandriva MDKSA-2005:075 2005-04-20
Gentoo 200504-07 2005-04-08
Mandrake MDKSA-2005:066 2005-04-01
Red Hat RHSA-2005:304-01 2005-03-28
Gentoo 200503-21 2005-03-17
Fedora FEDORA-2005-203 2005-03-09
Fedora FEDORA-2005-202 2005-03-09

Comments (none posted)

gzip: multiple vulnerabilities

Package(s):gzip CVE #(s):CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338
Created:September 19, 2006 Updated:January 20, 2010
Description: Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash.

Tavis Ormandy of the Google Security Team discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code.

Alerts:
Debian DSA-1974-1 2010-01-20
Fedora FEDORA-2007-557 2007-05-31
Gentoo 200611-24 2006-11-28
Fedora-Legacy FLSA:211760 2006-11-13
Fedora FEDORA-2006-989 2006-10-10
SuSE SUSE-SA:2006:056 2006-09-26
Gentoo 200609-13 2006-09-23
Trustix TSLSA-2006-0052 2006-09-22
Mandriva MDKSA-2006:167 2006-09-20
Slackware SSA:2006-262-01 2006-09-20
OpenPKG OpenPKG-SA-2006.020 2006-09-20
Debian DSA-1181-1 2006-09-19
rPath rPSA-2006-0170-1 2006-09-19
Ubuntu USN-349-1 2006-09-19
Red Hat RHSA-2006:0667-01 2006-09-19

Comments (1 posted)

gzip: arbitrary command execution

Package(s):gzip CVE #(s):CAN-2005-0758
Created:August 1, 2005 Updated:January 10, 2007
Description: zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names.
Alerts:
OpenPKG OpenPKG-SA-2007.002 2007-01-08
Mandriva MDKSA-2006:027 2006-01-30
Mandriva MDKSA-2006:026 2006-01-30
Fedora-Legacy FLSA:158801 2005-11-14
Fedora-Legacy FLSA:157696 2005-08-10
Ubuntu USN-161-1 2005-08-04
Ubuntu USN-158-1 2005-08-01

Comments (2 posted)

ImageMagick: buffer overflows

Package(s):ImageMagick CVE #(s):CVE-2006-5456
Created:October 31, 2006 Updated:March 8, 2007
Description: Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c.
Alerts:
Slackware SSA:2007-066-06 2007-03-08
rPath rPSA-2007-0029-1 2007-02-08
rPath rPSA-2006-0218-1 2006-11-27
Gentoo 200611-19 2006-11-24
Fedora FEDORA-2006-1285 2006-11-22
Fedora FEDORA-2006-1286 2006-11-22
Debian DSA-1213-1 2006-11-19
SuSE SUSE-SA:2006:066 2006-11-14
Gentoo 200611-07 2006-11-13
Ubuntu USN-372-1 2006-11-01
Mandriva MDKSA-2006:193 2006-10-30

Comments (2 posted)

imlib2: arbitrary code execution

Package(s):imlib2 CVE #(s):CVE-2006-4806 CVE-2006-4807 CVE-2006-4808 CVE-2006-4809
Created:November 6, 2006 Updated:August 13, 2007
Description: M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Mandriva MDKSA-2007:156 2007-08-10
Gentoo 200612-20 2006-12-20
Fedora FEDORA-EXTRAS-2006-004 2006-11-09
Mandriva MDKSA-2006:198-1 2006-11-06
Mandriva MDKSA-2006:198 2006-11-06
Ubuntu USN-376-2 2006-11-06
Ubuntu USN-376-1 2006-11-03

Comments (none posted)

ingo1: missing input sanitizing

Package(s):ingo1 CVE #(s):CVE-2006-5449
Created:November 3, 2006 Updated:November 27, 2006
Description: It was discovered that the Ingo email filter rules manager performs insufficient escaping of user-provided data in created procmail rules files, which allows the execution of arbitrary shell commands.
Alerts:
Gentoo 200611-22 2006-11-27
Debian DSA-1204-1 2006-11-02

Comments (none posted)

kdelibs: integer overflow

Package(s):kdelibs CVE #(s):CVE-2006-4811
Created:October 18, 2006 Updated:March 5, 2007
Description: The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code.
Alerts:
Gentoo 200703-06 2007-03-04
Gentoo 200611-02 2006-11-06
Red Hat RHSA-2006:0725-01 2006-11-01
Debian DSA-1200-1 2006-10-30
Slackware SSA:2006-298-01 2006-10-26
rPath rPSA-2006-0195-2 2006-10-18
Mandriva MDKSA-2006:186 2006-10-19
rPath rPSA-2006-0195-1 2006-10-18
Red Hat RHSA-2006:0720-01 2006-10-18

Comments (none posted)

kdelibs: kate backup file permission leak

Package(s):kdelibs kate kwrite CVE #(s):CAN-2005-1920
Created:July 19, 2005 Updated:September 21, 2010
Description: Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Alerts:
Gentoo 200611-21 2006-11-27
Debian DSA-804-2 2005-11-10
Debian DSA-804-1 2005-09-08
Red Hat RHSA-2005:612-01 2005-07-27
Ubuntu USN-150-1 2005-07-21
Mandriva MDKSA-2005:122 2005-07-20
Fedora FEDORA-2005-594 2005-07-19

Comments (1 posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4623
Created:October 18, 2006 Updated:November 14, 2007
Description: The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data.
Alerts:
Ubuntu USN-489-1 2007-07-19
rPath rPSA-2006-0194-1 2006-10-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4535 CVE-2006-4538
Created:September 18, 2006 Updated:January 5, 2009
Description: Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535)

Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538)

Alerts:
Red Hat RHSA-2008:0787-01 2009-01-05
Red Hat RHSA-2007:1049-01 2007-12-03
Mandriva MDKSA-2006:182 2006-10-11
Red Hat RHSA-2006:0689-01 2006-10-05
Debian DSA-1184-2 2006-09-26
Debian DSA-1184-1 2006-09-25
Debian DSA-1183-1 2006-09-25
Ubuntu USN-347-1 2006-09-18

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-4572 CVE-2006-4997
Created:November 6, 2006 Updated:January 17, 2007
Description: Some vulnerabilities were discovered in the Linux 2.6 kernel:

There are possibly exploitable bugs in the IPv6 netfilter code. (CVE-2006-4572)

The ATM subsystem of the Linux kernel could allow a remote attacker to cause a Denial of Service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed. (CVE-2006-4997)

Alerts:
Red Hat RHSA-2007:0013-01 2007-01-17
Red Hat RHSA-2007:0012-01 2007-01-17
Debian DSA-1237-1 2006-12-17
rPath rPSA-2006-0204-1 2006-11-09
Mandriva MDKSA-2006:197 2006-11-03

Comments (none posted)

kernel: denial of service by memory consumption

Package(s):kernel CVE #(s):CVE-2006-2936
Created:July 17, 2006 Updated:November 14, 2007
Description: The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued.
Alerts:
SuSE SUSE-SA:2007:035 2007-06-14
Mandriva MDKSA-2006:151 2006-08-25
Mandriva MDKSA-2006:150 2006-08-25
Ubuntu USN-331-1 2006-08-03
rPath rPSA-2006-0130-1 2006-07-17

Comments (none posted)

kernel: denial of service

Package(s):kernel CVE #(s):CVE-2006-2935 CVE-2006-4145 CVE-2006-3745
Created:September 1, 2006 Updated:July 30, 2008
Description: Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack.
Alerts:
Red Hat RHSA-2008:0665-01 2008-07-24
SuSE SUSE-SA:2007:053 2007-10-12
SuSE SUSE-SA:2006:064 2006-11-10
Red Hat RHSA-2006:0710-01 2006-10-19
SuSE SUSE-SA:2006:057 2006-09-28
Trustix TSLSA-2006-0051 2006-09-15
Ubuntu USN-346-2 2006-09-14
Ubuntu USN-346-1 2006-09-14
rPath rPSA-2006-0162-1 2006-08-31

Comments (none posted)

krb5: local privilege escalation

Package(s):krb5 CVE #(s):CVE-2006-3083
Created:August 9, 2006 Updated:July 7, 2010
Description: Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges.
Alerts:
Mandriva MDVSA-2010:129 2010-07-07
SuSE SUSE-SR:2006:022 2006-09-08
Gentoo 200608-21 2006-08-23
Ubuntu USN-334-1 2006-08-16
Fedora FEDORA-2006-905 2006-08-09
Mandriva MDKSA-2006:139 2006-09-09
Gentoo 200608-15 2006-08-10
rPath rPSA-2006-0150-1 2006-08-09
Red Hat RHSA-2006:0612-01 2006-08-08
Debian DSA-1146-1 2006-08-09

Comments (none posted)

libgadu: memory alignment bug

Package(s):libgadu CVE #(s):CAN-2005-2370
Created:July 29, 2005 Updated:June 25, 2007
Description: Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it can lead to a bus error, in other words a denial of service.
Alerts:
Debian DSA-813-1 2005-09-15
Red Hat RHSA-2005:627-01 2005-08-09
Debian DSA-769-1 2005-07-29

Comments (none posted)

libgd2: denial of service

Package(s):libgd2 CVE #(s):CVE-2006-2906
Created:June 14, 2006 Updated:January 16, 2007
Description: Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications.
Alerts:
rPath rPSA-2007-0008-1 2007-01-15
Debian DSA-1117-1 2006-07-21
Mandriva MDKSA-2006:113 2006-06-27
Mandriva MDKSA-2006:112 2006-06-27
Ubuntu USN-298-1 2006-06-13

Comments (none posted)

libmms: buffer overflows

Package(s):libmms CVE #(s):CVE-2006-2200
Created:July 6, 2006 Updated:December 25, 2006
Description: Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program.
Alerts:
Slackware SSA:2006-357-05 2006-12-25
Gentoo 200607-07 2006-07-20
Mandriva MDKSA-2006:121 2006-07-12
Mandriva MDKSA-2006:117-1 2006-07-12
Ubuntu USN-315-1 2006-07-12
Mandriva MDKSA-2006:117 2006-07-06
Ubuntu USN-309-1 2006-07-05

Comments (none posted)

libpam-ldap: insecure password control

Package(s):libpam-ldap CVE #(s):CVE-2006-5170
Created:November 3, 2006 Updated:December 21, 2006
Description: Steve Rigler discovered that the PAM module for authentication against LDAP servers processes PasswordPolicyResponse control messages incorrectly, which might lead to an attacker being able to log in to a suspended system account.
Alerts:
Gentoo 200612-19 2006-12-20
SuSE SUSE-SR:2006:027 2006-11-24
Red Hat RHSA-2006:0719-01 2006-11-15
Mandriva MDKSA-2006:201 2006-11-07
Trustix TSLSA-2006-0061 2006-11-03
Debian DSA-1203-1 2006-11-02

Comments (none posted)

libpng: buffer overflow

Package(s):libpng CVE #(s):CVE-2006-3334
Created:July 19, 2006 Updated:December 15, 2008
Description: In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow.
Alerts:
Gentoo 200812-15 2008-12-14
Mandriva MDKSA-2006:213 2006-11-16
rPath rPSA-2006-0133-1 2006-07-19
Gentoo 200607-06 2006-07-19

Comments (none posted)

libpng: heap based buffer overflow

Package(s):libpng CVE #(s):CVE-2006-0481
Created:February 13, 2006 Updated:December 15, 2008
Description: A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim.
Alerts:
Gentoo 200812-15 2008-12-14
Red Hat RHSA-2006:0205-01 2006-02-13

Comments (1 posted)

libtiff: buffer overflow

Package(s):libtiff CVE #(s):CVE-2006-2193
Created:June 15, 2006 Updated:September 1, 2008
Description: The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code.
Alerts:
CentOS CESA-2008:0848 2008-08-30
Red Hat RHSA-2008:0848-01 2008-08-28
Fedora FEDORA-2006-952 2006-09-05
SuSE SUSE-SA:2006:044 2006-08-01
Gentoo 200607-03 2006-07-09
SuSE SUSE-SR:2006:014 2006-06-20
Trustix TSLSA-2006-0036 2006-06-16
Mandriva MDKSA-2006:102 2006-06-14

Comments (none posted)

libvncserver: authentication bypass

Package(s):libvncserver CVE #(s):CVE-2006-2450
Created:August 4, 2006 Updated:March 19, 2007
Description: LibVNCServer fails to properly validate protocol types, effectively letting users decide which protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type even if it is not offered by the server.
Alerts:
Gentoo 200703-19 2007-03-18
Gentoo 200608-12 2006-08-07
Gentoo 200608-05 2006-08-04

Comments (none posted)

libX11: file descriptor leak

Package(s):libX11 CVE #(s):CVE-2006-5397
Created:November 7, 2006 Updated:November 8, 2006
Description: The Xinput module (modules/im/ximcp/imLcIm.c) in X.Org libX11 1.0.2 and 1.0.3 opens a file for reading twice using the same file descriptor, which causes a file descriptor leak that allows local users to read files specified by the XCOMPOSEFILE environment variable via the duplicate file descriptor.
Alerts:
Mandriva MDKSA-2006:199 2006-11-06

Comments (1 posted)

libxml2: arbitrary code execution

Package(s):libxml2 CVE #(s):CAN-2004-0110
Created:February 26, 2004 Updated:August 19, 2009
Description: Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Fedora-Legacy FLSA:1324 2004-07-19
Conectiva CLA-2004:836 2004-03-31
Gentoo 200403-01 2004-03-06
Trustix TSLSA-2004-0010 2004-03-05
OpenPKG OpenPKG-SA-2004.003 2004-03-05
Netwosix NW-2004-0004 2004-03-04
Debian DSA-455-1 2004-03-03
Mandrake MDKSA-2004:018 2004-03-03
Red Hat RHSA-2004:091-02 2004-03-03
Whitebox WBSA-2004:090-01 2004-03-01
Red Hat RHSA-2004:090-01 2004-02-26
Fedora FEDORA-2004-087 2004-02-25
Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

libxml2: multiple buffer overflows

Package(s):libxml2 CVE #(s):CAN-2004-0989
Created:October 28, 2004 Updated:August 19, 2009
Description: libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed.
Alerts:
Fedora FEDORA-2009-8594 2009-08-15
Fedora FEDORA-2009-8582 2009-08-15
Ubuntu USN-89-1 2005-02-28
Red Hat RHSA-2004:650-01 2004-12-16
Conectiva CLA-2004:890 2004-11-18
Red Hat RHSA-2004:615-01 2004-11-12
Mandrake MDKSA-2004:127 2004-11-04
Debian DSA-582-1 2004-11-02
Gentoo 200411-05 2004-11-02
Trustix TSLSA-2004-0055 2004-10-29
OpenPKG OpenPKG-SA-2004.050 2004-10-31
Ubuntu USN-10-1 2004-10-28
Fedora FEDORA-2004-353 2004-10-28

Comments (none posted)

linux-restricted-modules: nVidia driver vulnerability

Package(s):linux-restricted-modules CVE #(s):CVE-2006-5379
Created:November 6, 2006 Updated:January 11, 2007
Description: Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges.
Alerts:
Mandriva MDKSA-2007:007 2007-01-10
Gentoo 200611-03 2006-11-07
Ubuntu USN-377-1 2006-11-03

Comments (none posted)

lynx: arbitrary command execution

Package(s):lynx CVE #(s):CVE-2005-2929
Created:November 14, 2005 Updated:September 14, 2009
Description: An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx.
Alerts:
Gentoo 200909-15 2009-09-12
Fedora-Legacy FLSA:152832 2005-12-17
OpenPKG OpenPKG-SA-2005.026 2005-12-03
Fedora FEDORA-2005-1079 2005-11-14
Fedora FEDORA-2005-1078 2005-11-14
Gentoo 200511-09 2005-11-13
Mandriva MDKSA-2005:211 2005-11-12
Red Hat RHSA-2005:839-01 2005-11-11

Comments (none posted)

mono: symlink vulnerability

Package(s):mono CVE #(s):CVE-2006-5072
Created:October 4, 2006 Updated:December 1, 2006
Description: The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application.
Alerts:
SuSE SUSE-SA:2006:073 2006-12-01
Gentoo 200611-23 2006-11-28
Mandriva MDKSA-2006:188 2006-10-27
Fedora FEDORA-2006-1012 2006-10-06
Ubuntu USN-357-1 2006-10-04

Comments (none posted)

firefox: multiple vulnerabilities

Package(s):mozilla firefox thunderbird CVE #(s):CVE-2006-4565 CVE-2006-4566 CVE-2006-4571 CVE-2006-4253 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569
Created:September 15, 2006 Updated:November 14, 2006
Description: Two flaws were found in the way Firefox/Thunderbird processed certain regular expressions. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4565, CVE-2006-4566)

A number of flaws were found in Firefox/Thunderbird. A malicious web page/HTML email could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4571)

A flaw was found in the handling of JavaScript timed events. A malicious web page could crash the browser or possibly execute arbitrary code as the user running Firefox/Thunderbird. (CVE-2006-4253)

A flaw was found in the Firefox/Thunderbird auto-update verification system. An attacker who has the ability to spoof a victim's DNS could get Firefox to download and install malicious code. In order to exploit this issue an attacker would also need to get a victim to previously accept an unverifiable certificate. (CVE-2006-4567)

Firefox did not properly prevent a frame in one domain from injecting content into a sub-frame that belongs to another domain, which facilitates website spoofing and other attacks (CVE-2006-4568)

Firefox did not load manually opened, blocked popups in the right domain context, which could lead to cross-site scripting attacks. In order to exploit this issue an attacker would need to find a site which would frame their malicious page and convince the user to manually open a blocked popup. (CVE-2006-4569)

Alerts:
Debian DSA-1210-1 2006-11-14
Gentoo 200610-04 2006-10-16
Ubuntu USN-361-1 2006-10-10
Debian DSA-1192-1 2006-10-06
Gentoo 200610-01 2006-10-04
Debian DSA-1191-1 2006-10-05
Ubuntu USN-354-1 2006-10-02
Gentoo 200609-19 2006-09-28
Mandriva MDKSA-2006:169 2006-09-22
Ubuntu USN-352-1 2006-09-25
Ubuntu USN-351-1 2006-09-22
SuSE SUSE-SA:2006:054 2006-09-22
Ubuntu USN-350-1 2006-09-21
Mandriva MDKSA-2006:168 2006-09-20
Red Hat RHSA-2006:0677-01 2006-09-15
Red Hat RHSA-2006:0676-01 2006-09-15
Red Hat RHSA-2006:0675-01 2006-09-15
rPath rPSA-2006-0169-1 2006-09-15
Slackware SSA:2006-257-03 2006-09-15
Fedora FEDORA-2006-977 2006-09-14
Fedora FEDORA-2006-976 2006-09-14

Comments (none posted)

mysql: format string bug

Package(s):mysql CVE #(s):CVE-2006-3469
Created:July 21, 2006 Updated:July 30, 2008
Description: Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server.
Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Slackware SSA:2006-211-01 2006-07-31
Ubuntu USN-321-1 2006-07-21

Comments (none posted)

MySQL: privilege violations

Package(s):mysql CVE #(s):CVE-2006-4031 CVE-2006-4226
Created:August 25, 2006 Updated:July 30, 2008
Description: MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031).

MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226).

Alerts:
Red Hat RHSA-2008:0768-01 2008-07-24
Red Hat RHSA-2008:0364-01 2008-05-21
Red Hat RHSA-2007:0152-01 2007-04-03
Red Hat RHSA-2007:0083-01 2007-02-19
Fedora FEDORA-2006-1298 2006-11-27
Fedora FEDORA-2006-1297 2006-11-27
Ubuntu USN-338-1 2006-09-05
Mandriva MDKSA-2006:149 2006-08-24

Comments (none posted)

MySQL: logging bypass

Package(s):mysql CVE #(s):CVE-2006-0903
Created:April 4, 2006 Updated:May 21, 2008
Description: MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
Alerts:
Red Hat RHSA-2008:0364-01 2008-05-21
Ubuntu USN-274-2 2006-05-15
Ubuntu USN-274-1 2006-04-27
Mandriva MDKSA-2006:064 2006-04-03

Comments (2 posted)

nbd: arbitrary code execution

Package(s):nbd CVE #(s):CVE-2005-3534
Created:January 6, 2006 Updated:March 7, 2011
Description: Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges.
Alerts:
SuSE SUSE-SR:2006:001 2006-01-13
Ubuntu USN-237-1 2006-01-06

Comments (none posted)

ncompress: buffer underflow

Package(s):ncompress CVE #(s):CVE-2006-1168
Created:August 10, 2006 Updated:February 21, 2012
Description: The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow.
Alerts:
Gentoo 200610-03 2006-10-06
Red Hat RHSA-2006:0663-01 2006-09-12
Mandriva MDKSA-2006:140 2006-08-09
Debian DSA-1149-1 2006-08-10
Red Hat RHSA-2012:0308-03 2012-02-21
Scientific Linux SL-busy-20120321 2012-03-21

Comments (none posted)

openldap: security bypass

Package(s):openldap CVE #(s):CVE-2006-4600
Created:September 29, 2006 Updated:June 12, 2007
Description: slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN).
Alerts:
Red Hat RHSA-2007:0430-01 2007-06-11
Red Hat RHSA-2007:0310-02 2007-05-01
Trustix TSLSA-2006-0055 2006-10-06
rPath rPSA-2006-0176-1 2006-09-29
Mandriva MDKSA-2006:171 2006-09-28

Comments (none posted)

openoffice.org: several vulnerabilities

Package(s):openoffice.org CVE #(s):CVE-2006-2198 CVE-2006-2199 CVE-2006-3117
Created:June 30, 2006 Updated:January 4, 2007
Description: Several vulnerabilities have been discovered in OpenOffice.org, a free office suite.
  • It turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction. (CVE-2006-2198)
  • It is possible to evade the Java sandbox with specially crafted Java applets. (CVE-2006-2199)
  • Loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code. (CVE-2006-3117)
Alerts:
Fedora FEDORA-2007-005 2007-01-03
rPath rPSA-2006-0173-1 2006-09-26
Gentoo 200607-12 2006-07-28
Ubuntu USN-313-2 2006-07-19
Ubuntu USN-313-1 2006-07-11
Mandriva MDKSA-2006:118 2006-07-07
Debian DSA-1104-2 2006-07-06
Red Hat RHSA-2006:0573-01 2006-07-03
SuSE SUSE-SA:2006:040 2006-07-03
Fedora FEDORA-2006-770 2006-07-03
Fedora FEDORA-2006-764 2006-06-30
Debian DSA-1104-1 2006-06-30

Comments (none posted)

OpenSSH: denial of service

Package(s):openssh CVE #(s):CVE-2006-4925 CVE-2006-5052
Created:October 6, 2006 Updated:November 15, 2007
Description: packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.

An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort."

Alerts:
Red Hat RHSA-2007:0703-02 2007-11-15
Red Hat RHSA-2007:0540-04 2007-11-07
Fedora FEDORA-2007-394 2007-04-03
Gentoo 200611-06 2006-11-13
SuSE SUSE-SA:2006:062 2006-10-20
rPath rPSA-2006-0185-1 2006-10-05

Comments (none posted)

openssh: privilege separation issue

Package(s):openssh CVE #(s):CVE-2006-5794
Created:November 8, 2006 Updated:April 5, 2007
Description: From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities."
Alerts:
Fedora FEDORA-2007-395 2007-04-03
Fedora FEDORA-2006-1215 2006-11-20
Fedora FEDORA-2006-1214 2006-11-20
SuSE SUSE-SR:2006:026 2006-11-17
Trustix TSLSA-2006-0063 2006-11-15
Red Hat RHSA-2006:0738-01 2006-11-15
rPath rPSA-2006-0207-1 2006-11-09
Mandriva MDKSA-2006:204 2006-11-08
OpenPKG OpenPKG-SA-2006.032 2006-11-08

Comments (none posted)

openssh: remote denial of service

Package(s):openssh CVE #(s):CVE-2006-4924 CVE-2006-5051
Created:September 27, 2006 Updated:September 17, 2008
Description: OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service and an unsafe signal handler; on portable OpenSSH, a GSSAPI authentication abort could be used to determine the validity of usernames on some platforms.
Alerts:
Debian DSA-1638-1 2008-09-16
Debian DSA-1212-1 2006-11-15
Fedora FEDORA-2006-1011 2006-10-03
Debian DSA-1189-1 2006-10-04
Mandriva MDKSA-2006:179 2006-10-03
Ubuntu USN-355-1 2006-10-02
OpenPKG OpenPKG-SA-2006.022 2006-10-01
Slackware SSA:2006-272-02 2006-09-29
Red Hat RHSA-2006:0698-01 2006-09-28
Red Hat RHSA-2006:0697-01 2006-09-28
Gentoo 200609-17:02 2006-09-27
rPath rPSA-2006-0174-1 2006-09-27
Gentoo 200609-17 2006-09-27

Comments (none posted)

openssl: insufficient signature checking

Package(s):openssl CVE #(s):CVE-2006-4339
Created:September 5, 2006 Updated:November 15, 2006
Description: Philip Mackenzie, Marius Schilder, Jason Waddle and Ben Laurie of Google Security discovered that the OpenSSL library did not sufficiently check the padding of PKCS #1 v1.5 signatures if the exponent of the public key is 3 (which is widely used for CAs). This could be exploited to forge signatures without the need of the secret key.
Alerts:
Mandriva MDKSA-2006:207 2006-11-14
Slackware SSA:2006-310-01 2006-11-07
OpenPKG OpenPKG-SA-2006.029 2006-11-06
SuSE SUSE-SA:2006:061 2006-10-19
Slackware SSA:2006-257-02 2006-09-15
Gentoo 200609-05:02 2006-09-07
Debian DSA-1174-1 2006-09-11
Debian DSA-1173-1 2006-09-10
Red Hat RHSA-2006:0661-01 2006-09-06
Gentoo 200609-05 2006-09-07
Mandriva MDKSA-2006:161 2006-09-06
rPath rPSA-2006-0163-1 2006-09-05
OpenPKG OpenPKG-SA-2006.018 2006-09-06
Fedora FEDORA-2006-953 2006-09-05
Ubuntu USN-339-1 2006-09-05

Comments (none posted)

openssl: multiple vulnerabilities

Package(s):openssl CVE #(s):CVE-2006-2937 CVE-2006-2940 CVE-2006-3780 CVE-2006-4343 CVE-2006-3738
Created:September 28, 2006 Updated:December 12, 2006
Description: OpenSSL has a number of denial of service vulnerabilities including: two vulnerabilities involving invalid ASN.1 structures, a buffer overflow in the SSL_get_shared_ciphers() function and an SSLv2 client crash that can be caused by a malicious server.
Alerts:
Gentoo 200612-11 2006-12-11
Gentoo 200610-11 2006-10-24
Debian DSA-1195-1 2006-10-10
SuSE SUSE-SR:2006:024 2006-10-06
Ubuntu USN-353-2 2006-10-04
Mandriva MDKSA-2006:178 2006-10-02
Mandriva MDKSA-2006:177 2006-10-02
Mandriva MDKSA-2006:172-1 2006-10-02
Debian DSA-1185-2 2006-10-02
rPath rPSA-2006-0175-2 2006-09-28
Fedora FEDORA-2006-1004 2006-09-28
Trustix TSLSA-2006-0054 2006-09-29
Slackware SSA:2006-272-01 2006-09-29
rPath rPSA-2006-0175-1 2006-09-28
Red Hat RHSA-2006:0695-01 2006-09-28
Mandriva MDKSA-2006:172 2006-09-28
Debian DSA-1185-1 2006-09-28
Ubuntu USN-353-1 2006-09-28
SuSE SUSE-SA:2006:058 2006-09-28
OpenPKG OpenPKG-SA-2006.021 2006-09-28

Comments (none posted)

php: several vulnerabilities

Package(s):php CVE #(s):CVE-2006-4481 CVE-2006-4484 CVE-2006-4485
Created:September 8, 2006 Updated:June 13, 2008
Description: The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481).

A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484).

The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485).

Alerts:
SuSE SUSE-SR:2008:013 2008-06-13
Mandriva MDVSA-2008:077 2007-03-26
SuSE SUSE-SR:2008:005 2008-03-06
Red Hat RHSA-2008:0146-01 2008-02-28
Fedora FEDORA-2008-1643 2008-02-13
Foresight FLEA-2008-0007-1 2008-02-11
Fedora FEDORA-2008-1122 2008-02-05
Fedora FEDORA-2008-1131 2008-02-05
SuSE SUSE-SR:2008:003 2008-02-07
Mandriva MDVSA-2008:038 2007-02-07
rPath rPSA-2008-0046-1 2008-02-06
Gentoo 200802-01 2008-02-06
rPath rPSA-2006-0182-1 2006-10-05
SuSE SUSE-SA:2006:052 2006-09-21
Red Hat RHSA-2006:0669-01 2006-09-21
Mandriva MDKSA-2006:162 2006-09-07

Comments (1 posted)

php: buffer overflows

Package(s):php CVE #(s):CVE-2006-5465
Created:November 3, 2006 Updated:January 18, 2010
Description: The Hardened-PHP Project discovered, and reported to the PHP Project, buffer overflows in the internal routines of the htmlentities and htmlspecialchars functions. Of course, the whole purpose of these functions is to be fed user input. (The overflow can only occur when UTF-8 is used.)
Alerts:
Mandriva MDVSA-2010:007 2010-01-15
SuSE SUSE-SA:2006:067 2006-11-15
rPath rPSA-2006-0205-1 2006-11-09
Red Hat RHSA-2006:0731-01 2006-11-10
Red Hat RHSA-2006:0730-01 2006-11-06
Debian DSA-1206-1 2006-11-06
Fedora FEDORA-2006-1169 2006-11-06
Fedora FEDORA-2006-1168 2006-11-06
Slackware SSA:2006-307-01 2006-11-06
OpenPKG OpenPKG-SA-2006.028 2006-11-06
Ubuntu USN-375-1 2006-11-02
Mandriva MDKSA-2006:196 2006-11-02

Comments (none posted)

phpbb2: missing input sanitizing

Package(s):phpbb2 CVE #(s):CVE-2006-1896
Created:May 22, 2006 Updated:February 11, 2008
Description: It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users.
Alerts:
Debian DSA-1066-1 2006-05-20

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537
Created:December 22, 2005 Updated:February 11, 2008
Description: The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem.
Alerts:
Debian DSA-925-1 2005-12-22

Comments (none posted)

phpMyAdmin: multiple vulnerabilities

Package(s):phpmyadmin CVE #(s):CVE-2005-4079 CVE-2005-3665
Created:December 12, 2005 Updated:November 20, 2006
Description: Stefan Esser reported multiple vulnerabilities found in phpMyAdmin. The $GLOBALS variable allows modifying the global variable import_blacklist to open phpMyAdmin to local and remote file inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9). Furthermore, it is also possible to conduct an XSS attack via the $HTTP_HOST variable and a local and remote file inclusion because the contents of the variable are under total control of the attacker (CVE-2005-3665, PMASA-2005-8).
Alerts:
Debian DSA-1207-2 2006-11-19
Debian DSA-1207-1 2006-11-09
SuSE SUSE-SA:2006:004 2006-01-26
Gentoo 200512-03 2005-12-11

Comments (none posted)

postgresql: SQL injection

Package(s):postgresql CVE #(s):CVE-2006-2313 CVE-2006-2314
Created:May 24, 2006 Updated:June 6, 2007
Description: The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash.
Alerts:
Fedora FEDORA-2007-0249 2007-06-06
Trustix TSLSA-2006-0059 2006-10-27
Gentoo 200607-04 2006-07-09
SuSE SUSE-SA:2006:030 2006-06-09
Ubuntu USN-288-3 2006-06-09
Ubuntu USN-288-2 2006-06-09
Mandriva MDKSA-2006:098 2006-06-07
Debian DSA-1087-1 2006-06-03
Ubuntu USN-288-1 2006-05-29
rPath rPSA-2006-0080-1 2006-05-24
Red Hat RHSA-2006:0526-02 2006-05-23
Fedora FEDORA-2006-578 2006-05-23
Fedora FEDORA-2006-579 2006-05-23

Comments (1 posted)

postgresql: several vulnerabilities

Package(s):postgresql-8.1 CVE #(s):CVE-2006-5540 CVE-2006-5541 CVE-2006-5542
Created:November 3, 2006 Updated:November 8, 2006
Description: Michael Fuhr discovered an incorrect type check when handling unknown literals. By attempting to coerce such a literal to the ANYARRAY type, a local authenticated attacker could cause a server crash. (CVE-2006-5541)

Josh Drake and Alvaro Herrera reported a crash when using aggregate functions in UPDATE statements. A local authenticated attacker could exploit this to crash the server backend. This update disables this construct, since it is not very well defined and forbidden by the SQL standard. (CVE-2006-5540)

Sergey Koposov discovered a flaw in the duration logging. This could cause a server crash under certain circumstances. (CVE-2006-5542)

Alerts:
Ubuntu USN-369-2 2006-11-01

Comments (none posted)

quake: buffer overflow

Package(s):quake3-bin CVE #(s):CVE-2006-2236
Created:May 10, 2006 Updated:January 12, 2009
Description: Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server.
Alerts:
Gentoo 200901-06 2009-01-11
Gentoo 200605-12 2006-05-10

Comments (none posted)

rpm: arbitrary code execution

Package(s):rpm CVE #(s):CVE-2006-5466
Created:November 6, 2006 Updated:August 28, 2007
Description: An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges.
Alerts:
Fedora FEDORA-2007-668 2007-08-27
Gentoo 200611-08 2006-11-13
Mandriva MDKSA-2006:200 2006-11-07
Ubuntu USN-378-1 2006-11-04

Comments (none posted)

ruby: denial of service

Package(s):ruby CVE #(s):CVE-2006-5467
Created:October 30, 2006 Updated:December 13, 2006
Description: The CGI library in Ruby 1.8 allowed a remote attacker to cause a denial of service via an HTTP request with a multipart MIME body that contained an invalid boundary specifier, which would result in an infinite loop and CPU consumption.
Alerts:
Debian DSA-1235-1 2006-12-13
Debian DSA-1234-1 2006-12-13
Fedora FEDORA-2006-1441 2006-12-11
Fedora FEDORA-2006-1440 2006-12-11
Gentoo 200611-12 2006-11-20
Red Hat RHSA-2006:0729-01 2006-11-08
OpenPKG OpenPKG-SA-2006.030 2006-11-06
Ubuntu USN-371-1 2006-10-31
Fedora FEDORA-2006-1110 2006-10-30
Mandriva MDKSA-2006:192 2006-10-27

Comments (none posted)

shadow-utils: mailbox creation vulnerability

Package(s):shadow-utils CVE #(s):CVE-2006-1174
Created:May 25, 2006 Updated:June 12, 2007
Description: The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called.
Alerts:
Red Hat RHSA-2007:0431-01 2007-06-11
rPath rPSA-2007-0096-1 2007-05-11
Red Hat RHSA-2007:0276-02 2007-05-01
Gentoo 200606-02 2006-06-07
Mandriva MDKSA-2006:090 2006-05-24

Comments (none posted)

texinfo: temporary file vulnerability

Package(s):texinfo CVE #(s):CAN-2005-3011
Created:October 5, 2005 Updated:November 9, 2006
Description: Texinfo prior to version 4.8-r1 suffers from a temporary file vulnerability.
Alerts:
Ubuntu USN-194-2 2006-01-09
Fedora FEDORA-2005-991 2005-10-14
Fedora FEDORA-2005-990 2005-10-14
Mandriva MDKSA-2005:175 2005-10-06
Ubuntu USN-194-1 2005-10-06
Gentoo 200510-04 2005-10-05

Comments (none posted)

texinfo: buffer overflow

Package(s):texinfo CVE #(s):CVE-2006-4810
Created:November 8, 2006 Updated:November 27, 2006
Description: Texinfo contains a buffer overflow which could be exploited (via a specially-crafted info file) to run arbitrary code.
Alerts:
rPath rPSA-2006-0219-1 2006-11-27
Debian DSA-1219-1 2006-11-27
Gentoo 200611-16 2006-11-21
OpenPKG OpenPKG-SA-2006.034 2006-11-15
Ubuntu USN-379-1 2006-11-09
Fedora FEDORA-2006-1203 2006-11-09
Fedora FEDORA-2006-1202 2006-11-09
Red Hat RHSA-2006:0727-01 2006-11-08
Mandriva MDKSA-2006:203 2006-11-08

Comments (none posted)

thttpd: insecure temporary files

Package(s):thttpd CVE #(s):CVE-2006-4248
Created:November 3, 2006 Updated:December 1, 2006
Description: Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack.
Alerts:
Debian DSA-1205-2 2006-12-01
Debian DSA-1205-1 2006-11-02

Comments (none posted)

Mozilla products: multiple vulnerabilities

Package(s):thunderbird firefox seamonkey CVE #(s):CVE-2006-5463 CVE-2006-5747 CVE-2006-5748 CVE-2006-5464
Created:November 8, 2006 Updated:December 11, 2006
Description: Numerous vulnerabilities have been found in the Mozilla JavaScript and HTML rendering code, leading to possible remote code execution attacks. This CERT advisory contains details.
Alerts:
Gentoo 200612-08 2006-12-10
Gentoo 200612-07 2006-12-10
Gentoo 200612-06 2006-12-10
Debian DSA-1227-1 2006-12-04
Debian DSA-1225-2 2006-12-03
Debian DSA-1225-1 2006-12-03
Debian DSA-1224-1 2006-12-03
Ubuntu USN-381-1 2006-11-16
Ubuntu USN-382-1 2006-11-16
SuSE SUSE-SA:2006:068 2006-11-16
Slackware SSA:2006-313-01 2006-11-10
rPath rPSA-2006-0206-1 2006-11-09
Mandriva MDKSA-2006:206 2006-11-09
Mandriva MDKSA-2006:205 2006-11-09
Fedora FEDORA-2006-1199 2006-11-08
Red Hat RHSA-2006:0735-01 2006-11-08
Red Hat RHSA-2006:0734-01 2006-11-08
Red Hat RHSA-2006:0733-02 2006-11-08
Fedora FEDORA-2006-1194 2006-11-08
Fedora FEDORA-2006-1192 2006-11-08
Fedora FEDORA-2006-1191 2006-11-08

Comments (none posted)

tin: buffer overflow

Package(s):tin CVE #(s):CVE-2006-0804
Created:February 19, 2006 Updated:November 24, 2006
Description: An allocation off-by-one bug exists in the TIN news reader version 1.8.0 and earlier which can lead to a buffer overflow.
Alerts:
Gentoo 200611-18 2006-11-24
OpenPKG OpenPKG-SA-2006.005 2006-02-19

Comments (none posted)

unzip: long file name buffer overflow

Package(s):unzip CVE #(s):CVE-2005-4667
Created:February 6, 2006 Updated:May 2, 2007
Description: A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs.
Alerts:
Red Hat RHSA-2007:0203-02 2007-05-01
Fedora-Legacy FLSA:180159 2006-04-04
Debian DSA-1012-1 2006-03-21
Mandriva MDKSA-2006:050 2006-02-27
Ubuntu USN-248-2 2006-02-15
Ubuntu USN-248-1 2006-02-13
Fedora FEDORA-2006-098 2006-02-06

Comments (1 posted)

w3c-libwww: possible stack overflow

Package(s):w3c-libwww CVE #(s):CVE-2005-3183
Created:October 14, 2005 Updated:May 2, 2007
Description: Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c.
Alerts:
Red Hat RHSA-2007:0208-02 2007-05-01
Ubuntu USN-220-1 2005-12-01
Mandriva MDKSA-2005:210 2005-11-09
Fedora FEDORA-2005-953 2005-10-07
Fedora FEDORA-2005-952 2005-10-07

Comments (1 posted)

wireshark: multiple vulnerabilities

Package(s):wireshark ethereal CVE #(s):CVE-2006-4574 CVE-2006-4805 CVE-2006-5468 CVE-2006-5469 CVE-2006-5740
Created:November 3, 2006 Updated:November 14, 2006
Description: There are multiple vulnerabilities in Wireshark (formerly Ethereal):
  • Off-by-one error in the MIME Multipart dissector in Wireshark 0.10.1 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger an assertion error related to unexpected length values. CVE-2006-4574
  • epan/dissectors/packet-xot.c in the XOT dissector (dissect_xot_pdu) in Wireshark 0.9.8 through 0.99.3 allows remote attackers to cause a denial of service (memory consumption and crash) via an encoded XOT packet that produces a zero length value when it is decoded. CVE-2006-4805
  • Unspecified vulnerability in the HTTP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via unspecified vectors. CVE-2006-5468
  • Unspecified vulnerability in the WBXML dissector in Wireshark 0.10.11 through 0.99.3 allows remote attackers to cause a denial of service (crash) via certain vectors that trigger a null dereference. CVE-2006-5469
  • Unspecified vulnerability in the LDAP dissector in Wireshark 0.99.3 allows remote attackers to cause a denial of service (crash) via a crafted LDAP packet. CVE-2006-5740
Alerts:
SuSE SUSE-SA:2006:065 2006-11-14
Red Hat RHSA-2006:0726-01 2006-11-09
Mandriva MDKSA-2006:195 2006-11-02
Debian DSA-1201-1 2006-10-31
rPath rPSA-2006-0202-1 2006-11-01
Fedora FEDORA-2006-1140 2006-11-01
Fedora FEDORA-2006-1141 2006-11-01

Comments (none posted)

WordPress: multiple vulnerabilities

Package(s):wordpress CVE #(s):CVE-2006-5705
Created:October 30, 2006 Updated:November 17, 2006
Description: This vendor announcement identifies several vulnerabilities in WordPress versions prior to 2.0.5.
Alerts:
Gentoo 200611-10 2006-11-17
OpenPKG OpenPKG-SA-2006.027 2006-10-30

Comments (2 posted)

wv: integer overflow

Package(s):wv CVE #(s):CVE-2006-4513
Created:November 2, 2006 Updated:December 7, 2006
Description: The wv library has an integer overflow vulnerability in the DOC file parser. If a user can be tricked into opening a maliciously crafted MSWord file, a remote attacker can execute arbitrary code with the privileges of the user.
Alerts:
Gentoo 200612-01 2006-12-07
Mandriva MDKSA-2006:202 2006-11-07
Ubuntu USN-374-1 2006-11-01

Comments (none posted)

xine-lib: code execution

Package(s):xine-lib CVE #(s):CVE-2006-4799
Created:October 4, 2006 Updated:November 21, 2006
Description: The xine-lib package does not properly validate AVI headers, enabling an attacker to run arbitrary code via a specially crafted AVI file.
Alerts:
Debian DSA-1215-1 2006-11-20
Ubuntu USN-358-1 2006-10-04

Comments (none posted)

xine-lib: buffer overflow

Package(s):xine-lib CVE #(s):CVE-2006-1664
Created:April 27, 2006 Updated:February 27, 2008
Description: xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed.
Alerts:
Gentoo 200802-12 2008-02-26
Gentoo 200604-16 2006-04-26

Comments (none posted)

xine-ui: format string vulnerabilities

Package(s):xine-ui CVE #(s):CVE-2006-2230
Created:June 9, 2006 Updated:January 24, 2007
Description: Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service.
Alerts:
Gentoo 200701-18 2007-01-23
Debian DSA-1093-1 2006-06-08

Comments (none posted)

xinit: race condition

Package(s):xinit CVE #(s):CVE-2006-5214
Created:October 17, 2006 Updated:August 9, 2007
Description: A race condition allows local users to see error messages generated during another user's X session. This could allow potentially sensitive information to be leaked.
Alerts:
Fedora FEDORA-2007-659 2007-08-08
Fedora FEDORA-2007-1409 2007-08-02
Ubuntu USN-364-1 2006-10-16

Comments (1 posted)

X.org: local privilege escalations

Package(s):xorg-x11 CVE #(s):CVE-2006-4447
Created:August 28, 2006 Updated:April 30, 2007
Description: Several X.org libraries and X.org itself contain system calls to set*uid() functions, without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine.
Alerts:
Gentoo 200704-22 2007-04-27
Mandriva MDKSA-2006:160 2006-08-31
Gentoo 200608-25 2006-08-28

Comments (none posted)

X.Org: buffer overflow

Package(s):xorg-x11-server xorg-x11 CVE #(s):CVE-2006-1526
Created:May 3, 2006 Updated:January 10, 2007
Description: There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
Alerts:
Fedora-Legacy FLSA:190777 2006-06-06
Trustix TSLSA-2006-0024 2006-05-05
Mandriva MDKSA-2006:081-1 2006-05-04
Ubuntu USN-280-1 2006-05-04
Slackware SSA:2006-123-01 2006-05-04
Red Hat RHSA-2006:0451-01 2006-05-04
SuSE SUSE-SA:2006:023 2006-05-03
Mandriva MDKSA-2006:081 2006-05-02
Gentoo 200605-02 2006-05-02

Comments (none posted)

xorg-x11: privilege escalation

Package(s):xorg-x11 xfree86 CVE #(s):CVE-2006-3739 CVE-2006-3740
Created:September 12, 2006 Updated:December 14, 2006
Description: iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server.
Alerts:
Mandriva MDKSA-2006:164-2 2006-12-14
Mandriva MDKSA-2006:164-1 2006-11-17
Debian DSA-1193-1 2006-10-09
SuSE SUSE-SR:2006:023 2006-09-27
Slackware SSA:2006-259-01 2006-09-18
Mandriva MDKSA-2006:164 2006-09-14
Gentoo 200609-07 2006-09-13
Ubuntu USN-344-1 2006-09-12
Red Hat RHSA-2006:0666-01 2006-09-12
Red Hat RHSA-2006:0665-01 2006-09-12
rPath rPSA-2006-0167-1 2006-09-12

Comments (none posted)

xpdf: buffer overflow

Package(s):xpdf CVE #(s):CAN-2005-0064
Created:January 19, 2005 Updated:March 15, 2007
Description: iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details.
Alerts:
Fedora FEDORA-2007-1219 2007-03-14
Gentoo 200506-06 2005-06-09
Red Hat RHSA-2005:026-01 2005-03-16
Red Hat RHSA-2005:066-01 2005-02-15
Red Hat RHSA-2005:057-01 2005-02-15
Red Hat RHSA-2005:053-01 2005-02-15
Red Hat RHSA-2005:034-01 2005-02-15
Fedora-Legacy FLSA:2353 2005-02-10
Fedora-Legacy FLSA:2352 2005-02-10
Gentoo 200502-10 2005-02-09
Red Hat RHSA-2005:049-01 2005-02-01
SuSE SUSE-SR:2005:002 2005-01-26
Red Hat RHSA-2005:059-01 2005-01-26
Mandrake MDKSA-2005:020 2005-01-25
Mandrake MDKSA-2005:019 2005-01-25
Mandrake MDKSA-2005:016 2005-01-25
Mandrake MDKSA-2005:021 2005-01-25
Mandrake MDKSA-2005:018 2005-01-25
Mandrake MDKSA-2005:017 2005-01-25
Fedora FEDORA-2005-061 2005-01-25
Fedora FEDORA-2005-062 2005-01-25
Fedora FEDORA-2005-059 2005-01-25
Fedora FEDORA-2005-060 2005-01-25
Conectiva CLA-2005:921 2005-01-25
Fedora FEDORA-2004-049 2005-01-24
Fedora FEDORA-2004-048 2005-01-24
Gentoo 200501-32 2005-01-23
Gentoo 200501-31 2005-01-23
Gentoo 200501-30 2005-01-22
Gentoo 200501-28 2005-01-21
Fedora FEDORA-2005-052 2005-01-20
Fedora FEDORA-2005-051 2005-01-20
Ubuntu USN-64-1 2005-01-19
Debian DSA-645-1 2005-01-19
Debian DSA-648-1 2005-01-19

Comments (1 posted)

xpdf: integer overflows

Package(s):xpdf, poppler, cupsys, tetex-bin CVE #(s):CVE-2005-3624 CVE-2005-3625 CVE-2005-3626 CVE-2005-3627
Created:January 5, 2006 Updated:November 30, 2006
Description: xpdf has a number of integer overflows. A remote attacker can trick a user into opening a maliciously crafted pdf file, allowing the attacker to execute code with the privileges of the local user. This also affects the Poppler library, cupsys and tetex-bin.
Alerts:
Fedora FEDORA-2006-1220 2006-11-30
Debian DSA-932-1 2006-01-09
Debian DSA-931-1 2006-01-09
Ubuntu USN-236-2 2006-01-09
Mandriva MDKSA-2006:008 2006-01-06
Mandriva MDKSA-2006:006 2006-01-05
Mandriva MDKSA-2006:005 2006-01-05
Mandriva MDKSA-2006:004 2006-01-05
Mandriva MDKSA-2006:003 2006-01-05
Ubuntu USN-236-1 2006-01-05

Comments (none posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 prepatch remains 2.6.19-rc5; no prepatches have been released in the last week. Enough patches have found their way into the mainline git repository that a 2.6.19-rc6 release will probably happen before this kernel cycle runs its course.

The current -mm tree is 2.6.19-rc5-mm2. Recent changes to -mm include the fault injection capability (see below), file-based capabilities, and a backport of the ext3 reservation code to ext2.

For 2.6.16 users, Adrian Bunk has released 2.6.16.32 with a number of fixes.

Comments (none posted)

Kernel development news

Quote of the week

70% hit a bug
1/7th think it's deteriorating
1/4th think lkml response is inadequate
3/5ths think bugzilla response is inadequate
2/5ths think we have features-vs-stability wrong
2/3rds hit a bug. Of those, 1/3rd remain unfixed
1/5th of users are presently impacted by a kernel bug

Happy with that?

-- Andrew Morton

Comments (11 posted)

Counting on the time stamp counter

The time stamp counter (TSC) is a hardware feature found on a number of contemporary processors. The TSC is a special register which is simply incremented every clock cycle. Since the clock is the fundamental unit of time as seen by the processor, the TSC provides the highest-resolution timing information available for that processor. It can thus be used for a number of applications, such as measuring the exact time cost of specific instructions or operations.

The TSC can also be read quickly (it is just a CPU register, after all), making it of interest for system timekeeping. There are a lot of applications which check the current time frequently, to the point that gettimeofday() is one of the most performance-critical system calls in Linux. By using the TSC to interpolate within the resolution of a coarser clock, the system can give accurate, high-resolution time without taking a lot of time in the process.

That is the idea, anyway. In practice, the TSC turns out to be hard to use in this way. If the CPU frequency changes (as it will on CPUs which can vary their power consumption), the TSC rate will change as well. If the processor is halted (as can happen when it goes idle), the TSC may stop altogether. On multiprocessor systems, the TSCs on different processors may drift away from each other over time - leading to a situation where a process could read a time on one CPU, move to a second processor, and encounter a time earlier than the one it read on the first processor.

These challenges notwithstanding, the Linux kernel tries to make the best use of the TSC possible. The code which deals with the TSC contains a number of checks to try to detect situations where TSC-based time might not be reliable. One of those checks, in particular, compares TSC time against the jiffies count, which is incremented by way of the timer tick. If, after ten seconds' worth of ticks, the number of TSC cycles seen differs from what would have been expected, the kernel concludes that the TSC is not stable and stops using it for time information.

Interesting things happen when the dynamic tick patch is thrown into the mix. With dynamic ticks, the periodic timer interrupt is turned off whenever there's nothing to be done in the near future, allowing the processor to remain idle for longer and consume less power. Once something happens, however, the jiffies count must be updated to reflect the timer ticks which were missed - something which is generally done by obtaining the time from another source. At best, this series of events defeats the test which ensures that the TSC is operating in a stable manner; at worst, it can lead to corrupted system time. Not a good state of affairs.

For this reason, the recently-updated high-resolution timers and dynamic tick patch set includes a change which disables use of the TSC. It seems that the high-resolution timers and dynamic tick features are incompatible with the TSC - and that people configuring kernels must choose between the two. Since the TSC does have real performance benefits, disabling it has predictably made some people unhappy, to the point that some would prefer to see the timer patches remain out of the kernel for now.

In response to the objections, Ingo Molnar has explained things this way:

We just observed that in the past 10 years no generally working TSC-based gettimeofday was written (and i wrote the first version of it for the Pentium, so the blame is on me too), and that we might be better off without it. If someone can pull off a working TSC-based gettimeofday() implementation then there's no objection from us.

Ingo has also posted a test program which demonstrates that time inconsistencies on TSC-based systems are common - at least, when multiple processors are in use.

Arjan van de Ven has suggested a "duct tape" solution which might work well enough "to keep the illusion alive." It involves setting up offsets and multipliers for each processor's TSC. Between the offsets (which could compensate for TSC drift between processors) and the multipliers (which adjust for frequency changes), some semblance of synchronized and accurate TSC-based time could be maintained - as long as the kernel is able to detect TSC-related events and adjust those values accordingly. No code which implements this idea has yet been posted, however.
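
To make the two ideas above concrete, here is an added illustration (editor-supplied, not kernel code and not Arjan's or Ingo's patches): the "expected cycles versus jiffies" stability check that the kernel's TSC code performs, and the per-CPU offset/multiplier correction Arjan sketched. HZ is assumed to be 1000, the 1% tolerance is an assumption (the kernel's exact threshold is not given in the text), and the CPU frequencies and TSC readings in demo_scenario() are constructed values showing a process migrating between two CPUs whose counters have drifted apart.

```c
#include <stdint.h>
#include <stdio.h>

#define HZ 1000u               /* assumed timer tick rate */
#define TSC_TOLERANCE_PCT 1u   /* assumed: more than 1% deviation means "unstable" */

/* Cycles the TSC should advance during `jiffies` ticks on a `cpu_khz` CPU:
 * each tick lasts 1000/HZ ms and the TSC runs at cpu_khz cycles per ms. */
uint64_t tsc_expected_cycles(uint64_t jiffies, uint64_t cpu_khz)
{
    return jiffies * cpu_khz * 1000u / HZ;
}

/* The stability check described in the article: after a window of ticks,
 * does the observed TSC delta match the prediction within tolerance?
 * Returns 1 if the TSC looks stable, 0 if it should no longer be trusted. */
int tsc_looks_stable(uint64_t tsc_start, uint64_t tsc_end,
                     uint64_t jiffies, uint64_t cpu_khz)
{
    uint64_t expected = tsc_expected_cycles(jiffies, cpu_khz);
    uint64_t seen = tsc_end - tsc_start;
    uint64_t diff = seen > expected ? seen - expected : expected - seen;
    return diff * 100u <= expected * TSC_TOLERANCE_PCT;
}

/* Per-CPU "duct tape": an additive offset (drift relative to a reference CPU)
 * and a rate (the multiplier, adjusted on frequency changes) so that every
 * CPU's raw counter maps onto one common time base. */
struct tsc_calib {
    int64_t  offset;   /* cycles to add to this CPU's raw TSC */
    uint64_t khz;      /* this CPU's current TSC rate in kHz */
};

/* Convert a raw TSC reading taken on a calibrated CPU to nanoseconds. */
uint64_t tsc_to_ns(const struct tsc_calib *c, uint64_t tsc)
{
    uint64_t cycles = (uint64_t)((int64_t)tsc + c->offset);
    return cycles * 1000000u / c->khz;   /* khz cycles per ms == khz/1e6 cycles per ns */
}

/* Offset that aligns `other` with `ref`, given both TSCs sampled at the same instant. */
int64_t tsc_offset_for(uint64_t tsc_ref_sample, uint64_t tsc_other_sample)
{
    return (int64_t)tsc_ref_sample - (int64_t)tsc_other_sample;
}

/* 1 if a process that read the clock on CPU a and then migrated to CPU b
 * would see time run backwards, the failure mode the article describes. */
int time_goes_backwards(const struct tsc_calib *a, uint64_t tsc_a,
                        const struct tsc_calib *b, uint64_t tsc_b)
{
    return tsc_to_ns(b, tsc_b) < tsc_to_ns(a, tsc_a);
}

/* Constructed scenario: two 2 GHz CPUs, CPU 1's counter lagging CPU 0's by
 * 3,000,000 cycles (1.5 ms). A process reads on CPU 0, migrates, and reads
 * again 0.1 ms later on CPU 1. Returns the time_goes_backwards() verdict,
 * with or without CPU 1's offset calibrated from a pair of simultaneous samples. */
int demo_scenario(int calibrated)
{
    struct tsc_calib cpu0 = { 0, 2000000 };
    struct tsc_calib cpu1 = { 0, 2000000 };
    const uint64_t lag = 3000000;
    uint64_t tsc0 = 5000000000ull;          /* read on CPU 0 */
    uint64_t tsc1 = tsc0 - lag + 200000;    /* read 0.1 ms later, on CPU 1 */
    if (calibrated)
        cpu1.offset = tsc_offset_for(tsc0, tsc0 - lag);
    return time_goes_backwards(&cpu0, tsc0, &cpu1, tsc1);
}

int main(void)
{
    /* 10 s of ticks on a 2 GHz CPU: 20e9 cycles expected */
    printf("steady 2 GHz:      stable=%d\n", tsc_looks_stable(0, 20000000000ull, 10 * HZ, 2000000));
    printf("throttled to 1.5G: stable=%d\n", tsc_looks_stable(0, 15000000000ull, 10 * HZ, 2000000));
    printf("migration, raw TSC:        backwards=%d\n", demo_scenario(0));
    printf("migration, offset applied: backwards=%d\n", demo_scenario(1));
    return 0;
}
```

The offset only helps for drift that is stable between re-calibrations, which is why the scheme depends on the kernel noticing every frequency change and idle stop and recomputing these values; that is the "as long as the kernel is able to detect TSC-related events" condition in the paragraph above.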

The conversation faded out with no real conclusion, though, near the end, Thomas Gleixner did note that the complete disabling of the TSC was "overkill." The preferred solution, which he is working on, is to keep the system from going into the dynamic tick mode if there is no other reliable timer available. Once that code has been posted, it may be possible to have the full set: high-resolution timers, dynamic ticks, and fast clocks using the TSC.

Comments (10 posted)

Injecting faults into the kernel

Some kernel developers, doubtless, feel that their systems fail too often as it is; they certainly would not go out looking for ways to make more trouble. Others, however, are most interested in how their code behaves when things go wrong. As your editor recently discovered to his chagrin, error paths tend to be debugged rather less well than the "normal" code. One can try to anticipate possible failures and try to code the right response, but it can be hard to actually test that code. So error-handling paths can be incorrect (or missing) but the code will appear to work - until something blows up.

In an attempt to help test kernel error handling, Akinobu Mita has been working for some time on a framework for injecting faults into a running kernel. By causing things to go wrong occasionally, the fault injection code should help to ensure that error situations are handled - and handled correctly. This mechanism has found its way into 2.6.19-rc5-mm2 where, hopefully, it will be employed by developers to make sure that their code is bulletproof. Hopefully.

The framework can cause memory allocation failures at two levels: in the slab allocator (where it affects kmalloc() and most other small-object allocations) and at the page allocator level (where it affects everything, eventually). There are also hooks to cause occasional disk I/O operations to fail, which should be useful for filesystem developers. In both cases, there is a flexible runtime configuration infrastructure, based on debugfs, which will let developers focus fault injections into a specific part of the kernel.

Your editor built a version of 2.6.19-rc5-mm2 with the fault injection capability turned on. For whatever reason, the configuration system insisted that the locking validator be enabled too; perhaps somebody injected a fault into the config scripts. In any case, the resulting kernel exports a directory (in debugfs) for each of the available fault injection capabilities.

So, for example, the slab allocation capability has a directory failslab. At system boot, failure injection is turned off; slab failures can be enabled by writing an integer value to the failslab/probability file. The value written there will be interpreted as the percent probability that any given allocation will fail; so writing "5" will cause a 5% failure rate. For situations where a failure rate of less than 1% (but greater than zero) is needed, there is a separate interval value which further filters the result. So a 0.1% failure rate could be had by setting interval to 1000 and probability to 100 - preferably in that order. There is also a times variable which puts an upper limit on the number of failures which will be simulated.

As it happens, randomly injecting failures into the kernel as a whole does not necessarily lead to a lot of useful information for a developer, who is probably interested in the behavior of a specific subsystem. There is only so long that one can put up with basic shell commands failing while trying to make something happen in one particular driver. So there are a number of options which can be used to focus the faults on a particular part of the kernel. These include:

  • task-filter: if this variable is set to a positive value, faults will only be injected when specially-marked processes are running. To enable this marking, each process has a new flag (make-it-fail) in its /proc directory; setting that value to one will cause faults to be injected into that process.

  • address-start and address-stop: if these values are set, fault injection will be concentrated on the code found within the address range specified. As long as any entry within the call chain is inside that address range, the fault injection code will consider causing a failure.

  • ignore-gfp-wait: if this value is set to one, only non-waiting (GFP_ATOMIC) allocations will potentially fail. There is also an ignore-gfp-highmem option which will cause failures not to be injected into high-memory allocations.

Various other options exist; there is also a set of boot options for turning on injection which might be useful for debugging early system initialization. The documentation file has the details. Also found in the documentation directory are a couple of scripts for concentrating faults on a specific command or module.
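
As an added example of the procedure just described (editor-supplied shell, not one of the scripts in the patch's documentation directory), the functions below drive the failslab knobs named in the text: interval, probability, times, task-filter and the per-process make-it-fail flag. The debugfs mount point /sys/kernel/debug is an assumption and can be overridden through FAILSLAB_DIR; the PROC_DIR variable exists only so the functions can be exercised against a scratch directory rather than the real /proc.

```sh
#!/bin/sh
# Configure slab fault injection so that faults land only in a marked process.
# Assumes debugfs at /sys/kernel/debug (override with FAILSLAB_DIR); the file
# names are the ones described for the 2.6.19-rc5-mm2 fault injection framework.
FAILSLAB_DIR="${FAILSLAB_DIR:-/sys/kernel/debug/failslab}"

# failslab_configure PROBABILITY INTERVAL TIMES
#   PROBABILITY is a percentage applied to every INTERVAL-th candidate, so
#   100 and 1000 give a 0.1% rate. interval is written before probability, as
#   the text recommends, so a large probability never runs unfiltered.
#   task-filter is switched on so only make-it-fail processes are affected.
failslab_configure() {
    [ -d "$FAILSLAB_DIR" ] || { echo "no failslab directory at $FAILSLAB_DIR" >&2; return 1; }
    if [ "$1" -lt 0 ] || [ "$1" -gt 100 ]; then
        echo "probability must be a percentage between 0 and 100" >&2
        return 1
    fi
    echo "$2" > "$FAILSLAB_DIR/interval"
    echo "$1" > "$FAILSLAB_DIR/probability"
    echo "$3" > "$FAILSLAB_DIR/times"
    echo 1    > "$FAILSLAB_DIR/task-filter"
}

# failslab_mark_pid PID: opt an already-running process in to fault injection
failslab_mark_pid() {
    echo 1 > "${PROC_DIR:-/proc}/$1/make-it-fail"
}

# failslab_run_marked COMMAND [ARGS...]: mark the shell that is about to exec
# the command; the flag is inherited, so only that command tree sees faults
failslab_run_marked() {
    PROC_DIR="${PROC_DIR:-/proc}" sh -c 'echo 1 > "$PROC_DIR/self/make-it-fail" && exec "$@"' sh "$@"
}

# failslab_disable: stop injecting and drop the task filter again
failslab_disable() {
    echo 0 > "$FAILSLAB_DIR/probability"
    echo 0 > "$FAILSLAB_DIR/task-filter"
}

# failslab_effective_rate PROBABILITY INTERVAL: the percentage the pair yields,
# useful as a sanity check before writing the values (100 1000 -> 0.100)
failslab_effective_rate() {
    awk -v p="$1" -v i="$2" 'BEGIN { printf "%.3f\n", p / i }'
}

# Typical session on a real system (needs root and a fault-injection kernel):
#   failslab_configure 100 1000 50      # 0.1% of slab allocations, at most 50 failures
#   failslab_run_marked modprobe mydriver
#   failslab_disable
```

Writing times before enabling a high probability is the other ordering worth keeping: without an upper bound, a probability of 100 with the task filter off will make nearly every process on the box misbehave at once, which is the "basic shell commands failing" experience the article mentions.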

The end result of all this is a useful tool. One need not just hope that the error recovery paths in a piece of kernel code will just work properly; it is now possible to actually run them and see what happens. This should lead to a better tested, more robust kernel in the near future, and that can only be a good thing.

Comments (6 posted)

Toward a free Atheros driver

The Atheros family of wireless chipsets finds its way into a number of network adapters and laptop systems. It is a flexible and capable device, with one little limitation: there is no free Linux driver available. Linux support can be had via the freely-downloadable MadWifi driver, but, at the core of that driver, there is a binary-only "hardware access layer" (HAL) module which does much of the real work. This module has all of the problems associated with proprietary drivers: it cannot be audited or fixed, it cannot be improved, it is only available for the kernel versions and architectures supported by the manufacturer, etc. But, for Linux users, the choices are MadWifi or nothing.

A free Atheros HAL module called "ar5k," written by Reyk Floeter, has been in circulation for a couple of years; OpenBSD uses it. But this code has long been followed by allegations that it was improperly developed and potentially subject to copyright claims by Atheros. In the current climate, nobody wants to risk bringing possibly tainted code into the kernel; the potential consequences are just too severe. So, while the desire to support Atheros devices in Linux remains strong, the existing HAL has not been considered for inclusion, and little work has been done toward that goal.

Except that, as it turns out, work has been quietly happening in an unexpected place. The Software Freedom Law Center was asked by the ar5k developers to look at the development history of the code and come up with a pronouncement on whether it was legitimate (from a copyright law perspective) or not. On November 14, the SFLC produced its answer:

SFLC has made independent inquiries with the OpenBSD team regarding the development history of ar5k source. The responses received provide a reasonable basis for SFLC to believe that the OpenBSD developers who worked on ar5k did not misappropriate code, and that the ar5k implementation is OpenBSD's original copyrighted work.

This finding should clear the way for the entry of the free Atheros HAL into the Linux kernel - eventually. But there are a couple of problems which need to be overcome first.

One of those is the general level of upheaval in the Linux wireless subsystem. The developers still intend to move over to the Devicescape stack and to get that code into the mainline, but there is still work to be done in that area. A new wireless driver which does not work with Devicescape will, however, have a harder path into the kernel. There is an effort to move MadWifi over to Devicescape (it's called "DadWifi"), so that might be the quickest path for Atheros support to get into the kernel.

The other problem, however, is that code based on the HAL concept tends to be unpopular at best. A HAL is typically seen as an unnecessary abstraction layer between the driver and the hardware which serves to obscure what's really going on while adding no real value of its own. So developers who propose HAL-based drivers are usually told to go away and come back once the HAL is gone. There is no real reason to expect things to happen differently this time around.

But, even if it can't be used directly, the ar5k code is now fair game for reference and eventual adaptation into a Linux driver. There are enough developers out there with an interest in making Atheros adapters work that the chances of this work getting done in the (relatively) near future are relatively good. The list of devices which are not supported by Linux is about to get shorter.

Comments (8 posted)

Patches and updates

Development tools

  • Junio C Hamano: GIT 1.4.4. (November 15, 2006)

Page editor: Jonathan Corbet

Distributions

News and Editorials

Fedora Summit

There was a Fedora Summit this week to discuss a public roadmap for Fedora 7 and other Fedora-centric topics. The summit was still in progress at press time. The meeting was partly face-to-face, with additional people chiming in via IRC and telephone.

Your editor was not able to attend the summit, so this is based on wiki pages and IRC logs. First and foremost though, it seems that Fedora Core packages will move into the community infrastructure currently used for Fedora Extras. Opening Core will make it easier for outside contributors and encourage more community participation. One side effect of that might be a smaller Fedora base platform. Dare we hope for a single install CD? A new build system was proposed to support the more open infrastructure.

There was considerable discussion about the role of Fedora Legacy and the possibility of extending Fedora support from the current ~9 months to about 13 months, so that users could reasonably move from FCn to FCn+2. Fedora Legacy would disappear, or be reabsorbed into the main Fedora project. Jesse Keating has some details about this proposal in this blog post. Suffice to say that this sparked some discussion on the Fedora Legacy mailing list.

A policy for secondary architectures was proposed. Fedora currently focuses on x86 and x86_64, but this proposal would support other architectures such as PPC or Sparc. The proposal comes from Tom Callaway from the Aurora Sparc Project.

Overall, Fedora 7 will likely be a different beast than previous releases, looking more like the community-oriented distribution that Red Hat promised.

Comments (12 posted)

New Releases

EnGarde Secure Linux 3.0.10

EnGarde Secure Linux 3.0.10 is now available. The most significant new feature, perhaps, is the "SELinux Control Console," which provides a graphical interface for some SELinux management tasks.

Comments (none posted)

Debian Installer etch RC1 released

The Debian Installer team has announced the first release candidate (RC1) of the installer for Debian GNU/Linux Etch. Click below for a look at the many improvements and known problems.

Full Story (comments: none)

NetBSD Live! 2007

The NetBSD project has released a live CD based on 4.4BSD-Lite. See the release notes for more information.

Comments (3 posted)

openSUSE 10.2 Beta2 is available

The second beta of openSUSE 10.2 (codename Basilisk Lizard) is out. It contains a large number of enhancements and updates done by the open source community and Novell's development teams. There was a problem with openSUSE-10.2-Beta2-Addon-Lang-i386.iso and openSUSE-10.2-Beta2-Addon-Lang-i386.torrent, although corrected versions should have hit the mirrors by now. You'll find the MD5SUMS of the new files here.

Full Story (comments: none)

Pardus Linux 2007 beta

Pardus has announced the release of Pardus Linux 2007 beta. "Pardus operating system's latest beta version, codenamed "ATA", is out for download and testing. This beta version will be followed by the stable version Pardus 2007, to be released on December 18th, 2006. Pardus is a Linux based operating system, developed under the auspices of TUBITAK (The Scientific and Technological Research Council of Turkey) UEKAE (National Electronic and Cryptography Research Institute)." Pardus "ATA" comes as a single CD with Dutch, English, German and Turkish support on the desktop.

Comments (none posted)

Ubuntu Customization Kit 1.3 released

The Ubuntu Customization Kit (UCK) 1.3 is out with many fixes and improvements, including built-in support for Edgy. UCK is a tool that helps you customize official Ubuntu Live CDs (including Kubuntu, Xubuntu and Edubuntu) to your needs. You can add any package to the live system, for example language packs or applications.

Full Story (comments: none)

Distribution News

Gentoo Anonymous CVS and SVN now available

Anonymous read-only CVS and SVN services for Gentoo repositories are now available for use. "The anonymous services are primarily intended [to] help our non-dev contributors easily produce patches and modifications (cvs diff/svn diff), and provide easier access to the source for gentoo-hosted projects."

Full Story (comments: none)

New openSUSE Mailinglists

Mailing lists at suse.com have migrated to lists with new names at opensuse.org. Click below to find the new lists.

Full Story (comments: none)

Slackware -current

Slackware -current is undergoing renovations to the toolchain (gcc, glibc, binutils, etc.). "In addition, these things aren't going as smoothly as anticipated. I'd like to put the NPTL version of glibc into /lib and the LinuxThreads version into /lib/obsolete/linuxthreads (since some old binaries are going to need them), but doing this prevents the use of a 2.4 kernel. Perhaps it's finally time to drop support for Linux 2.4? Personally, I'd rather not as 2.4 is more forgiving of flaky hardware and thus tends to get better uptimes (at least on the servers I run ;-). Comments about this issue are welcomed."

Full Story (comments: none)

Release Schedule, Herd 1 and "later" bugs

Ubuntu has announced a release schedule for the Feisty Fawn. According to the schedule we can expect the first Herd CD on November 30. The final Feisty release is currently set for April 19, 2007.

Full Story (comments: none)

YDL v5.0 for PLAYSTATION3

Terrasoft Solutions has announced that Yellow Dog Linux (YDL) 5.0 for the Sony Computer Entertainment, Inc. PLAYSTATION(R)3 will be made available via YDL.net Enhanced accounts on Monday, November 27, 2006.

Full Story (comments: none)

Distribution Newsletters

Fedora Weekly News Issue 66

The Fedora Weekly News covers Fedora Summit Preparations, Fedora Ambassadors Day, Fedora Directory Server 1.0.4 is released, Announcing pungi-0.1.0, Why every child deserves a laptop, OLPC taps 2.6.19 kernel, plus Fedora reviews and more.

Comments (none posted)

Gentoo Weekly Newsletter

The Gentoo Weekly Newsletter for November 6, 2006 covers things heard in the community, Linux Day in Italy, tips on searching overlays and running 32-bit mplayer with 64-bit kmplayer and several other topics.

The Gentoo Weekly Newsletter for November 13, 2006 is also available. This edition covers anonymous CVS and SVN services, Gentoo-based Ruby on Rails service, summaries from gentoo-user and more.

Comments (none posted)

DistroWatch Weekly, Issue 177

The DistroWatch Weekly for November 13, 2006 is out. "As Novell continues to endure the wrath of the open source developer and user community, many people are wondering whether they should boycott Novell's products. In the meantime, openSUSE continues its 10.2 development process unabated and on target for the early December release. Also in the news: a war of words erupts between Fedora and Ubuntu, Feisty Fawn's new features attract fresh controversy, Debian prepares a new set of kernels for "etch", and Slackware introduces modern features into its "current" tree. We'll bring you the results of our Mandriva Linux 2007 PowerPack competition and continue our discussion on DistroWatch's Page Hit Ranking statistics."

Comments (none posted)

Package updates

Fedora updates

Updates for Fedora Core 6: librsvg2 (update to 2.16.1), gcalctool (update to 5.8.25), libxklavier (bug fix), speex (update to 1.2beta1), cairo (update to 1.2.6), libX11 (bug fixes), gnome-panel (update to 2.16.1), jwhois (use the new upstream config), system-config-printer (bug fix update to 0.7.35), redhat-menus (pick up missing translations), mikmod (bug fix), policycoreutils (bump for FC6), selinux-policy (bump for FC6), perl-DateManip (bug fixes), gaim (bug fixes), gnome-vfs2 (update to 2.16.2), eel2 (update to 2.16.1), nautilus (bug fixes), nautilus-cd-burner (pass joliet flag when using growisofs), gnome-python2-extras (rebuild against Firefox), xorg-x11-xinit (bug fixes), gnome-pilot-conduits ($libdir change), pygobject2 (multilib bug fixes), system-config-kickstart (bug fix), gnome-python2 (update to 2.16.2), man-pages-fr (change in spec file), nautilus (bug fixes), nfs-utils (upgrade to 1.0.10), sysstat (add NFS mount statistics), libsoup (update to 2.2.97), hal-cups-utils (fix the 'select printer model' dialog), openoffice.org (bug fixes), foomatic (database update), oprofile (add Intel Core 2 support, AMD64 event names), nfs-utils (upgrade to 1.0.10), iscsi-initiator-utils (rebase to upstream open-iscsi-2.0-730).

Updates for Fedora Core 5: jwhois (use the new upstream config), mikmod (bug fix), arts (KDE 3.5.5 release), kdelibs (KDE 3.5.5 release), kdeaccessibility (KDE 3.5.5 release), kdeaddons (KDE 3.5.5 release), kdeadmin (KDE 3.5.5 release), kdeartwork (KDE 3.5.5 release), kdebase (KDE 3.5.5 release), kdebindings (KDE 3.5.5 release), kdeedu (KDE 3.5.5 release), tcpdump (bug fixes), kdegames (KDE 3.5.5 release), kdegraphics (KDE 3.5.5 release), kdemultimedia (KDE 3.5.5 release), kdenetwork (KDE 3.5.5 release), kdepim (KDE 3.5.5 release), kdesdk (KDE 3.5.5 release), kdeutils (KDE 3.5.5 release), kdevelop (KDE 3.5.5 release), kdewebdev (KDE 3.5.5 release), kde-i18n (KDE 3.5.5 release), iscsi-initiator-utils (rebase to upstream open-iscsi-2.0-730).

Comments (none posted)

Mandriva updates

Updates for Mandriva Linux 2007.0: gnuplot (fix a segmentation fault), desktop-common-data (fix menu problems), ical (bug fixes), webmin (bug fix), opensc (smart card bug fix).

Comments (none posted)

rPath updates

Updates for rPath Linux 1: conary (Conary 1.0.38 maintenance release), rmake (function correctly with Conary 1.0.38).

Comments (none posted)

Trustix updates

Updates for Trustix Secure Linux 2.2 & 3.0: clamav, freetds, gettext (various bug fixes).

Comments (none posted)

Ubuntu updates

Updates for Ubuntu 6.10: debootstrap_0.3.3.0ubuntu8~edgy1, brasero_0.5.0-0ubuntu1~edgy1.

Updates for Ubuntu 6.06: gnome-commander_1.2.0-3.1~dapper1, debootstrap_0.3.3.0ubuntu8~dapper1, mpd_0.12.1-1ubuntu1~dapper1, eagle_4.16-2~dapper1, scorched3d_40-1ubuntu1~dapper1.

Comments (none posted)

Newsletters and articles of interest

Ubuntu Developer Summit report: X.org improvements, driver controversy, and bling (Linux.com)

Linux.com has this report from the latest Ubuntu Developers Summit. "The announcement that Ubuntu will ship binary drivers by default in Feisty is getting a lot of negative commentary from users and Ubuntu members alike. Of course, there's also a vocal contingent that complains that Ubuntu and other distros are unsuitable for general users because they don't ship with Nvidia or other binary drivers enabled. There's no position here that will satisfy all users."

Comments (43 posted)

The Perfect Setup - OpenVZ with CentOS 4.4 (HowtoForge)

HowtoForge sets up OpenVZ on CentOS. "In this HowTo I will describe how to prepare a CentOS 4.4 server for OpenVZ virtual machines. With OpenVZ you can create multiple Virtual Private Servers (VPS) on the same hardware, similar to Xen and the Linux Vserver project. OpenVZ is the open-source branch of Virtuozzo, a commercial virtualization solution used by many providers that offer virtual servers."

Comments (none posted)

Ubuntu 6.10 (Edgy Eft) LAMP Server Installation with Screenshots (Debian Admin)

Debian Admin has a howto article on setting up a server on Ubuntu 6.10. "Automatic LAMP (Linux, Apache, MySQL and PHP) In about 15 minutes, the time it takes to install Ubuntu Edgy Server Edition, you can have a LAMP server up and ready to go. This feature, exclusive to Ubuntu Server Edition, is available at the time of installation."

Comments (none posted)

How To Compile A Kernel - The Fedora Way (HowtoForge)

HowtoForge builds a custom kernel on Fedora. "Each distribution has some specific tools to build a custom kernel from the sources. This article is about compiling a kernel on Fedora systems. It describes how to build a custom kernel using the latest unmodified kernel sources from www.kernel.org (vanilla kernel) so that you are independent from the kernels supplied by your distribution. It also shows how to patch the kernel sources if you need features that are not in there. I have tested this on Fedora Core 6."

Comments (none posted)

Distribution reviews

Fedora Core 6: Kneel before Zod! (Linux.com)

Linux.com reviews Fedora Core 6. "The FC6 schedule slipped a bit at the last minute due to a handful of serious issues, such as an Ext3 data corruption bug, but the Fedora team managed to get the final release out pretty close to schedule. Unfortunately, it's still a bit buggy in some scenarios. It might have been better to hold off releasing FC6 for another week or two to fix the problems, but it is a good release if you're willing to be careful during the install."

Comments (none posted)

Review: 3 Linux Desktops Put To The Test (CRN)

CRN reviews and compares Linspire, Xandros and SLED. "System builders considering a Linux desktop are faced with a dizzying array of choices. There are dozens, if not hundreds, of Linux distributions to choose from. Narrowing the field of contenders basically comes down to what works best for both the system builder and its customers. Finding that fit often leads system builders to pursue a commercial distribution over an open-source one. Today's commercial desktop Linux distributions make a lot of sense for system builders, mostly because of three factors: recurring revenue, licensing and support. With that in mind, the CRN Test Center set out to compare commercial versions of Linux that are aimed at the channel, specifically the custom-system channel."

Comments (none posted)

Userfriendly Linux Shoot-out (openaddict.com)

openaddict.com compares Xandros Home Edition Premium and Linspire Five-O. "Today I'm taking a look at two ultra-userfriendly Linux distributions: Xandros Home Edition Premium and Linspire Five-O. I'm comparing these two against each other for their technical merits, ease of installation, look/feel, available software and ease of use. Are these two commercial Linux distros easy enough for your Grandmother? Read on to find out."

Comments (none posted)

Page editor: Rebecca Sobol

Development

The release of GNU Privacy Guard version 2.0.0

GNU Privacy Guard (GnuPG) is an open-source encryption utility that was started in 1997 as a replacement for the commercial application PGP. GnuPG runs on a wide variety of operating system platforms.

GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC2440. GnuPG allows to encrypt and sign your data and communication, features a versatile key manag[e]ment system as well as access modules for all kind of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available.

Stable version 2.0.0 of GnuPG has been announced; it represents an architectural design fork for the project.

GnuPG-2 has a different architecture than GnuPG-1 (e.g. 1.4.5) in that it splits up functionality into several modules. However, both versions may be installed alongside without any conflict. In fact, the gpg version from GnuPG-1 is able to make use of the gpg-agent as included in GnuPG-2 and allows for seamless passphrase caching. The advantage of GnuPG-1 is its smaller size and the lack of dependency on other modules at run and build time. We will keep maintaining GnuPG-1 versions because they are very useful for small systems and for server based applications requiring only OpenPGP support.

New features in GnuPG version 2 include:

  • A gpg-agent daemon for maintaining private keys and a passphrase cache.
  • A new implementation of the S/MIME protocol via the gpgsm command line tool.
  • The scdaemon daemon for accessing smart cards.
  • The gpg-connect-agent tool, which allows scripts to access gpg-agent and scdaemon services.
  • The gpgconf tool for maintaining configuration files.
  • Support for the Dirmngr server, which manages certificate revocation lists and more.
  • Secure Shell Agent protocol support and built-in ssh-agent capabilities.
  • The addition of smart card support to the Secure Shell.
  • Improved documentation.

The GnuPG project has succeeded in filling an important space in the open-source tool collection. The release of version 2 shows that the project is moving forward with the addition of a lot of new functionality.

Comments (2 posted)

System Applications

Database Software

Firebird 2.0 released

Version 2.0 of the Firebird relational DBMS has been announced. "This new version offers many new enhancements: support for 64 bit Linux (64 bit support for other platforms to follow shortly), table sizes above 30Gb, enhanced Unicode support, improved optimizer, improved security, execution of dynamic SQL inside stored procedures, greater index key length, and a new incremental backup facility."

Full Story (comments: 2)

PostgreSQL 8.2 beta 3 is ready for testing

Version 8.2 beta 3 of the PostgreSQL DBMS has been announced. "This beta includes a substantial fix to a WAL issue, so users are urged to test Beta3 using PITR and to try power-failure tests."

Comments (none posted)

Interoperability

Samba 3.0.23d released

Version 3.0.23d of Samba has been announced; it adds stability fixes for winbindd and portability fixes for the FreeBSD and Solaris platforms. "This is the latest stable release of Samba. This is the version that production Samba servers should be running for all current bug-fixes."

Full Story (comments: none)

Libraries

Cairo 1.2.6 released

Version 1.2.6 of Cairo, a 2D graphics library with support for multiple output devices, is available. The change log states: "This is the third bug fix release in the 1.2 series, coming less than two months after the 1.2.4 release made on August 18. The 1.2.4 release turned out to be a pretty solid one, except for a crasher bug when forwarding an X connection where the client and the server have varying byte orders, eg. from a PPC to an i686. Other than that, various other small bugs have been fixed."

Comments (none posted)

Mail Software

SIEVE Language for Mail Filtering Quick Guide

Alina Popescu has released a quick guide on SIEVE, a mail filtering language. "SIEVE is a language created and used for mail filtering that broadens the filtering options generally provided by mail servers or Antispam/Antivirus applications. They work basically by comparing different keys using different comparators and comparison methods, against headers of a mail message. Based on the result of the comparison, you can apply different actions to the corresponding mail message, i.e. reject, discard, redirect, etc."

Full Story (comments: none)

Networking Tools

Bigboos 1.3 released

Version 1.3 of Bigboos is out. "BigBoos is one of the fully open source network monitoring System from YinuxPRO (SuYash LinuxPROjects). It uses standard unix ping command to check the status of hosts as well as the snmp if the ping returns 100% loss."

Comments (1 posted)

Web Site Development

mnoGoSearch 3.2.40 released

Version 3.2.40 of mnoGoSearch, a web site search engine, is out with numerous bug fixes. See the changelog for more information.

Comments (none posted)

Desktop Applications

Audio Applications

Ardour 2.0 beta 8 released

Version 2.0 beta 8 of Ardour, a multi-track audio workstation package, is out: "Another solid week of bug fixing leads us to 2.0 beta 8." See the release announcement for more details.

Comments (none posted)

Snd-ls V0.9.7.12 and jack_capture V0.3.9 released

Version 0.9.7.7 of the sound editor Snd-ls, and version 0.3.9 of the JACK recording application jack_capture, have been announced.

Full Story (comments: none)

Desktop Environments

GNOME 2.17.2 released

Version 2.17.2 of the GNOME desktop environment is available. "This is our second development release on our road towards GNOME 2.18.0, which will be released in March 2007. New features are coming in at a nice rate, and that's great. A lot of bug fixes too. And some crashers are appearing here and there: that's the fun of unstable releases!"

Full Story (comments: none)

GARNOME 2.17.2 released

Version 2.17.2 of GARNOME, the bleeding edge GNOME distribution, is out. "This release includes all of GNOME 2.17.2 plus a whole bunch of updates that were released after the GNOME freeze date. This is the second release in the unstable cycle, with more features, more fixes and yet more madness added."

Full Story (comments: none)

GNOME Software Announcements

The following new GNOME software has been announced this week: You can find more new GNOME software releases at gnomefiles.org.

Comments (2 posted)

D-Bus 1.0 'Blue Bird' Released (KDE.News)

KDE.News takes a look at D-Bus version 1.0. "D-Bus 1.0 ("Blue Bird"), the Freedesktop.org inter-process messaging system has just been released. A collaborative effort between industry and open source developers, D-Bus was created to allow arbitrary applications to easily communicate with each other and exchange data. An additional system daemon allows for communication with system services. D-Bus is known to work on all Unix platforms and has also been ported to Mac OS X, while a Windows port is in progress. This makes D-Bus the ideal messaging system for KDE 4."

Comments (1 posted)

KDE Software Announcements

The following new KDE software has been announced this week: You can find more new KDE software releases at kde-apps.org.

Comments (none posted)

KDE Commit-Digest (KDE.News)

The November 12, 2006 edition of the KDE Commit-Digest has been announced. The content summary says: "KViewShell is renamed Ligature. Okular gets support for Text and Line annotations. KSame and Konquest start their conversion to SVG graphics. Marble gets enhanced support for presenting and displaying geographical data interactively, and showing national flags. Mailody, the alternative email client, continues to develop at a rapid pace. Telepathy support in Kopete starts to emerge from experiment towards a usable implementation. Kile gets scripting support, with improvements to scripting across KOffice. KPresenter receives export to text document (OpenDocument) functionality. Improvements in the Magnatune music store facility in Amarok."

Comments (none posted)

Xfce 4.4 Release Candidate 2 (4.3.99.2) released

Release Candidate 2 of Xfce 4.4, a light weight desktop environment, is out. "The second and hopefully last release candidate of the Xfce 4.4 desktop is now available for download. This release focuses primarily on bug fixes and optimizations. Please refer to the changelog for a list of fixes and changes. Please help us making Xfce 4.4 the best Xfce release ever, download it, try it, help us fixing it!"

Comments (none posted)

Electronics

Covered 0.4.8 released

Stable version 0.4.8 of Covered, a Verilog code coverage analysis tool, is out. "This is a bug fix release only."

Comments (none posted)

gSpiceUI 0.8.90 announced

Version 0.8.90 of gSpiceUI, a GUI for two electronic circuit simulation engines, has been announced. It adds several new features and fixes some bugs.

Comments (none posted)

OpenTech CDROM 1.6.1 released

Version 1.6.1 of the OpenTech CDROM project is available. "OpenTech 1.6.1. is ready with 10 CDs full of new designs, tools and even some books and tutorials in topics like, wireless, VLSI, VHDL, and basic electronics." The CDROM set costs 77 Euros.

Comments (none posted)

Games

Welcome Castlegard (WorldForge)

The WorldForge virtual world project has added a new castle. "Kai finally got around to place jayr’s fantastic castle on the mason map. Now people can start exploring the castle, and we can get started adding some gameplay. Castle defence anyone?"

Comments (none posted)

GUI Packages

wxWidgets 2.8.0 RC 1 released

Version 2.8.0 RC 1 of wxWidgets, a cross-platform GUI toolkit, is out. The announcement states: "A few minor bugs have been fixed since 2.7.2; we will release 2.8.0 in a couple of weeks, and as ever, testing of this release candidate will be appreciated."

Comments (none posted)

wxPython 2.7.2.0 is out

Version 2.7.2.0 of wxPython, a blending of the wxWidgets C++ class library with the Python programming language, has been announced. "This is expected to be the last stepping stone in the path to the next stable release series, 2.8.x. We're driving full speed ahead in order to get 2.8.0 included with OSX 10.5, and so far we are very close to being on schedule. This release has some house-keeping style changes, as well as some user-contributed patches and also the usual crop of bug fixes."

Comments (none posted)

xorg-server 1.1.99.902 announced

Version 1.1.99.902 of xorg-server is out with a long list of bug fixes and new features.

Full Story (comments: none)

Interoperability

Wine 0.9.25 released

Version 0.9.25 of Wine has been announced. Changes include: Many more fixes for installer support, many MSHTML improvements, support for NTLMv2, RPC over TCP improvements and lots of bug fixes.

Comments (none posted)

Mail Clients

Claws Mail 2.6.0 released

Claws Mail, the mail client formerly known as Sylpheed-claws, has released version 2.6.0. There's a number of new features, as well as the new name, which, according to the web site, is "...mainly due to different goals and the fact that syncing both codebases doesn't happen anymore." So it seems that the separation from Sylpheed is complete.

Comments (1 posted)

Medical Applications

Release of OpenClinica 2.0 (LinuxMedNews)

LinuxMedNews has an announcement for OpenClinica 2.0, an open-source clinical research software platform. "OpenClinica is an open source web-based software platform that enables sponsors and investigators to manage clinical research data in multi-site studies. It facilitates protocol configuration, design of case report forms, electronic data capture, and study/data management. OpenClinica supports HIPAA and 21 CFR Part 11 guidelines and is designed as a strictly standards-based, extensible, and modular platform."

Comments (none posted)

Office Suites

New OpenOffice.org charting features

Some new OpenOffice.org charting capabilities have been announced. New features include: a new chart wizard, flexible source ranges, easier settings for 3D charts, enhanced logarithmic scales, pie segment offset for 3D charts, enhanced automatic scaling, improved automatic axis label layout, improved selection handling, regression curves for 2D line charts, 2D bar and column charts and 2D area charts, and several new sub chart types.

Full Story (comments: none)

Video Applications

Announcing KungFu 0.1.0

KungFu 0.1.0 has been announced. "KungFu is a GStreamer-based DVD ripper written in Python. It transcodes DVD titles to Theora/Vorbis. It is more or less complete, but still lacks audio track language selection, subtitle support, and meta data writing. The GUI is done with GTK."

Full Story (comments: none)

Web Browsers

Mozilla Firefox and Thunderbird 1.5.0.8 released (MozillaZine)

Version 1.5.0.8 of both the Mozilla Firefox browser and the Mozilla Thunderbird email client has been announced. "Security and Stability updates for Mozilla products based on the Gecko 1.8 branch have been released. Firefox 1.5.0.x will be maintained with security and stability updates until April 2007. All users are strongly encouraged to upgrade to Firefox 2."

Comments (none posted)

SeaMonkey 1.0.6 and SeaMonkey 1.1 Beta Released (MozillaZine)

Two new versions of Seamonkey have been announced. "Seamonkey 1.0.6, a security and stability update for the all-in-one Internet Suite has been released. The Seamonkey 1.0.6 Release Notes have more information. SeaMonkey 1.1 Beta, a version aimed at developers and testers has also been released. New features include tab previews, spell check, an e-mail tagging system, an improved Linux startup script, better new mail notifications and an updated Chatzilla IRC client."

Comments (none posted)

Languages and Tools

Caml

Caml Weekly News

The November 14, 2006 edition of the Caml Weekly News is out with new Caml language articles.

Full Story (comments: none)

Haskell

Haskell Weekly News

The November 14, 2006 edition of the Haskell Weekly News is online. This week we see the announcement of a Haskell to Javascript compiler project, and the overhaul of GHC's typeclass machinery is complete.

Comments (none posted)

Perl

Weekly Perl 6 mailing list summary (O'Reilly)

The November 5-11, 2006 edition of the Weekly Perl 6 mailing list summary is out with coverage of the latest Perl 6 discussions.

Comments (none posted)

Python

Python FAQ heading toward 1.0 release

A call for review has gone out for the semi-official Python FAQ; questions and answers are being reviewed in preparation for the upcoming 1.0 release.

Comments (none posted)

Dr. Dobb's Python-URL!

The November 13, 2006 edition of Dr. Dobb's Python-URL! is online with a new collection of Python article links.

Full Story (comments: none)

Tcl/Tk

Dr. Dobb's Tcl-URL!

The November 14, 2006 edition of Dr. Dobb's Tcl-URL! is online with new Tcl/Tk articles and resources.

Full Story (comments: none)

XML

Cracks in the Foundation (XML.com)

Micah Dubinko reports on some controversy surrounding XML namespaces. "The last week in October wasn't the smoothest for the W3C HTML Working Group. First, a notable blog entry criticized their handling of XML namespaces, leading to a formal objection. On top of that, Tim Berners-Lee blogged that new and separate HTML and forms Working Groups would be chartered to "incrementally" update HTML, in contrast with the groups' present approach. More on that later. As has always been the case, XML Annoyances aims to stimulate discussion on XML topics by challenging entrenched views. This article digs beneath the surface issues and encourages others to do the same."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Degrees of Openness (O'ReillyNet)

Adrien Lamothe explores some aspects of openness in an O'Reilly article. "The open source software movement has received a lot of press coverage in recent years. A result of this is many people associating the term "open" with open source software. This popular definition of "openness" is incomplete. Openness affects many aspects of computing besides freedom to view and modify source code. Shrewd proprietary computer companies have been able to take advantage of popular misconceptions about openness, masking their products in partial degrees of openness, then applying the "open" label. We should understand the different forms of openness and how they apply to the many facets of computers, software, systems, and even warranties and service agreements."

Comments (9 posted)

How GPLv3 tackles license proliferation (LinuxDevices.com)

Ciaran O'Riordan discusses license proliferation issues with regards to the GPLv3 on LinuxDevices.com. "The most obvious way to limit license proliferation is to write new licenses as rarely as possible. So while updating the GPL, it's good to be thorough so that it doesn't have to be done too often. What any one license can do to lessen the problem is less obvious, and this is an area where GPLv3 is breaking new ground. In case the more controversial provisions of GPLv3 have overshadowed the provisions that tackle license proliferation, I've put together this summary as a discussion primer."

Comments (19 posted)

Trade Shows and Conferences

Report from the Ubuntu Developer Summit (Linux.com)

Joe 'Zonker' Brockmeier covers the Ubuntu Developer Summit on Linux.com. "Ubuntu developers and other interested parties from all over the world have swarmed to Google's offices in Mountain View this week for the Ubuntu Developer Summit (UDS) to plan out the next release of Ubuntu. In total, about 140 people have registered for the summit. According to Jane Silber, head of marketing with Canonical, only 30 of the attendees are actually employed by Canonical, the company that sponsors Ubuntu. The remainder of the participants include members of the Ubuntu community, representatives of upstream projects, and other parties who have an interest in how Ubuntu is developed."

Comments (none posted)

Companies

Microsoft open to more deals like Novell Linux one (TechSpot.com)

TechSpot.com suggests that Microsoft may be willing to get involved in more Linux support deals. "What is all of this about? Well, Steve Ballmer (Chief Executive Officer of Microsoft since January 2000) believes that Microsoft will have to change its business model in order to continue to prosper. "The next frontier for us is to embrace a new business model. And if we embrace it well and that business model is subscription and advertising, where we will be a market leader. If we do not embrace it well there will be issues.""

Comments (8 posted)

Microsoft starts a group for software harmony (ZDNet)

ZDNet reports that Microsoft is creating a council with other technology vendors in an effort to sort out product interoperability problems. "The list of vendors participating in the initiative include Sun Microsystems, Novell and SugarCRM. Microsoft already has a formal partnership with these companies to ensure their respective products work well together. Other members include open-source virtualization company XenSource, Xcalia, Software AG, Siemens, Citrix, BEA Systems, CA and Advanced Micro Devices."

Comments (3 posted)

Sun Set To Move On GPL License For Open-Source Java (Dr. Dobb's Portal)

Dr. Dobb's Portal claims that Sun Microsystems is very close to announcing that it will put the mobile (ME) and standard (SE) editions of the Java platform into the GNU General Public License (GPL). "Offering Java only under the GPL would have a cataclysmic effect on the software industry, forcing Java platform developers to freely release their contributions if they continue developing around the platform's GPL code. IBM, for example, licenses Java from Sun and has its own version of the Java Virtual Machine." (Thanks to Francesco P. Lovergine)

Comments (54 posted)

Linux Adoption

The war is over and Linux won (ZDNet)

This ZDNet blog post looks at an IBM sponsored study. "Web servers and database servers remain the dominant applications, but development environments are now among the most popular systems in production, meaning the trend toward Linux and open source applications should accelerate."

Comments (4 posted)

Large public-sector Linux project flops (ZDNet)

ZDNet UK reports on the Birmingham Linux project, which has been mothballed. "[City council manager Les] Timms said the council had compared the cost of the Linux desktop migration with an upgrade to Windows XP, and had found that a Microsoft upgrade would be cheaper. Most of the difference was made up of costs attributed to 'decision making' and 'project management', largely brought about because of a shortage of skills in open-source networking and the changes to IT processes that would result."

Comments (20 posted)

Legal

'Second Life' faces threat to its virtual economy (ZDNet)

ZDNet writes about the open source "CopyBot" tool which, by being able to make copies of objects, is stirring up the Second Life community. "Problem is, it's not clear yet if there's anything Linden Lab can do to stop people from using the bot. Linden Lab said Second Life content creators who had their wares stolen had few immediate options for stopping the thefts and that the best recourse for them could be to file a Digital Millennium Copyright Act complaint--in the real world--against offenders."

Comments (6 posted)

SFLC's Bradley M. Kuhn's Letter to the FOSS Development Community (Groklaw)

Groklaw covers a statement from Bradley Kuhn, CTO of the Software Freedom Law Center, regarding the Novell/Microsoft deal. "The Software Freedom Law Center's CTO Bradley Kuhn has issued a statement regarding the Novell-Microsoft agreements and how they will impact FOSS developers. They have analyzed in particular Microsoft's Patent Pledge for Non-Compensated Developers and see little value and in fact say it's worse than useless, because it creates an illusion of safety and because it limits severely what that developer is allowed to do with his work."

Comments (1 posted)

Interviews

Red Hat Speaks: Microsoft And Oracle Are Following The Linux Leader (IW)

Information Week interviews Paul Cormier, Red Hat's executive VP of engineering. "Everyone wants a piece of Red Hat lately, in particular software giants Microsoft and Oracle. If competition is the sincerest form of flattery, then Red Hat should feel flattered several times over. What Red Hat doesn't feel is worried. InformationWeek editor-at-large Larry Greenemeier spoke Friday with Red Hat executive VP of engineering Paul Cormier about Red Hat's response to the newly invigorated competition in the Linux market."

Comments (none posted)

Resources

Demystifying LDAP Data (O'ReillyNet)

Brian K. Jones explains LDAP in an O'Reilly article. "Is LDAP a database or a protocol? Is it understandable and deployable without reading a thousand pages of explanation and documentation? Brian Jones explains LDAP schemas and the layout of data to help you understand what you can store and how you can retrieve it."

Comments (none posted)

Give the Gift of Pre-Installed Linux This Year (LXer)

LXer has been compiling a database of vendors that will ship pre-installed Linux computers. "A few months back, LXer reader, cyber_rigger, began compiling a list of vendors who offer GNU/Linux pre-installed. The list quickly grew, even drawing attention from other news outlets. Meanwhile, the LXer team went to work to produce a usable database that anyone can browse and search. We still have one or two features to implement, but users can quickly and easily browse the Pre-Installed Linux Vendor Database of 106 vendors. All vendors in the list offer reasonably-priced desktops and/or notebooks for home and office users, and either offer Linux only, or as an installation option on the system configuration page of their sites."

Comments (none posted)

An Introduction to Salesforce.com's AppExchange (O'ReillyNet)

O'ReillyNet looks at building and distributing applications on Salesforce's AppExchange. "I attended Salesforce's Dreamforce conference last month because I'd heard that Salesforce has been making a big effort to build a platform that was friendly to developers. I expected to be confronted with a pile of corporate-speak and a lot of vaporware, but what I found was much more surprising. Six different keynote presenters talked about mashups, and one-third of customers in attendance talked about wanting to build or purchase mashups. There was some corporate-speak, which these articles should cut through. The technology, however, was powerful and easy."

Comments (none posted)

Getting Started with WSGI (O'ReillyNet)

Jason R. Briggs introduces WSGI on O'Reilly. "Python 2.5 added support for the WSGI standard. This is a specification for web programming that allows interoperability between frameworks and components. It's also terribly easy to use. Jason Briggs introduces WSGI and gives the background you need to use it productively."

Comments (none posted)

Reviews

Apache project keeps pace with Java changes (ZDNet)

ZDNet looks at the Apache Harmony project. "Apache Harmony, started last year, is creating an open-source version of Java Platform Standard Edition (Java SE), software for making Java programs on PCs. About two weeks ago, the board of the Apache Software Foundation approved a change in status from incubator to top-level project, Geir Magnusson, who is the chair of the Harmony Project Management Committee, said Tuesday."

Comments (15 posted)

Reviews of financial software (Linux.com)

Linux.com has reviewed two more financial software packages, Ledger and KMyMoney. From the Ledger review: "Ledger is a command-line accounting application for the hardcore financial professional. If you're an MBA who groks Emacs and regular expressions, or a kernel hacker who appreciates tax deferred accruals, you'll love this application."

From the KMyMoney review: "KMyMoney is KDE's personal financial management program. If you don't have complex needs and a lot of history to import, KMyMoney lets you set up accounts, enter transactions, and generate reports easily, and other features are doable with some help from the generous amounts of documentation. However, KMyMoney is not a good choice for small business owners, who need more functionality than it can provide."

Comments (none posted)

SQL-Ledger: Impressive capabilities, but needs polish (Linux.com)

Linux.com reviews SQL-Ledger, a web-based accounting system. "SQL-Ledger is a popular free accounting application with a rich set of features. It's written in Perl and stores your accounting information in a PostgreSQL database, which makes deployment much easier when you have users who work on different machines. Like GnuCash, it supports double-entry accounting. Unlike GnuCash, however, it appears to be squarely aimed at the small business community, boasting multiple user support, multiple company support, point-of-sale entry, accounts receivable and payable, and stock tracking. It has a good list of supported languages (29, according to the Web site), and by virtue of its HTML interface is usable on practically any modern operating system -- or indeed a whole range of different operating systems simultaneously."

Comments (8 posted)

Linux printing: much done and more to do (Linux.com)

Bruce Byfield summarizes the state of Linux printing on Linux.com. "In the last seven years, printing on Linux has undergone a metamorphosis. Barely adequate printing support, provided on a program by program basis, has been transmuted by a half dozen projects into a wealth of options comparable to those available on Windows or the Mac OS. Where printer manufacturers once ignored Linux, a growing number support it and the rest are watching closely. Standardization and support for multiple distributions remain major problems, but community and corporate interests have recently started working together to address these last remaining problems."

Comments (19 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

FSFE Launching Freedom Task Force, Co-operating with gpl-violations.org

The Free Software Foundation Europe (FSFE) has announced the launch of the Freedom Task Force. The Task Force is working closely with Harald Welte of gpl-violations.org and seeks to help programmers properly set up and organize projects legally, as well as educate companies to understand how the GPL works. As needed, the purpose of the group will also include enforcement in the case of license violations.

Full Story (comments: none)

Microsoft seeks input on promise not to sue individuals

Microsoft's Jason Matusow has posted a request for input from the community on how to improve its promise not to sue individual developers. He acknowledges that it "missed the mark," but don't expect things to change too much. "Our design goal is to get language in place that allows individual developers to keep developing. We are not interested in providing carte blanche clearance on patents to any commercial activity - that is a separate discussion to be had on a per-instance basis. As you comment, please keep in mind that we are talking about individuals, not .orgs, not .com, not non-profits, not...well, not anyone other than individual non-commercial coders."

Comments (26 posted)

The first OLPC test system arrives in Cambridge

The OLPC team has posted a set of pictures of the first "B1 test" version of the laptop on its arrival at their office. The holiday season, it seems, has arrived early in Cambridge.

Comments (49 posted)

Samba Team Asks Novell to Reconsider

The Samba Team has sent out a release asking Novell to reconsider its deal with Microsoft. "The patent agreement struck between Novell and Microsoft is a divisive agreement. It deals with users and creators of free software differently depending on their 'commercial' versus 'non-commercial' status, and deals with them differently depending on whether they obtained their free software directly from Novell or from someone else. The goals of the Free Software community and the GNU GPL allow for no such distinctions."

Full Story (comments: 9)

Commercial announcements

Announcing beta 3 of CrossOver 6.0

The beta 3 release of CrossOver 6.0 is available for the Linux and Mac platforms. "This new version fixes a lot of bugs and begins to bring us to a close on the beta process. This includes support for Office 2003 service packs, improved support for Outlook 2003, many Quicken bug fixes, and many other improvements as well."

Full Story (comments: none)

MySQL to get a new storage engine from NitroSecurity

MySQL and NitroSecurity have announced a deal to work the "NitroEDB" database engine into MySQL. "NitroSecurity originally developed its database technology to address the growing demand for real-time analysis within the network security event management market. Utilizing unique indexing techniques, data management methods and query processing algorithms, the technology enables 'multiple order of magnitude' increases in relational data management and query performance with multi-billion record volumes – running on commodity hardware."

Comments (none posted)

Novell Releases Mono 1.2 With Enhanced Support for .NET on Linux

Novell, Inc. has announced the release of Mono 1.2. "Mono 1.2 adds support for the Microsoft* Windows* Forms API to more easily port .NET client-side applications to Linux*. Other enhancements in this release include virtual machine upgrades and enhanced Java* support, significant performance, memory consumption and stability improvements, and support for many .NET 2.0 features."

Comments (22 posted)

OpenVZ adds live migration capability

The OpenVZ project has added a live migration capability to the latest version of its open-source virtualization software. "The OpenVZ project today announced availability of its operating system-level server virtualization software in the form of a kernel based on Linux 2.6.9, including for the first time in a stable branch, fully-tested and performance-tuned live migration and Virtual Ethernet device features. Previously, those features were only available in the development branch of OpenVZ software."

Full Story (comments: none)

SWsoft announces Virtuozzo Linux update

SWsoft has announced the availability of an update for its Virtuozzo operating system-level virtualization software. "The Virtuozzo 3.0 for Linux Service Pack 1 delivers advanced networking features including: Ethernet layer network adapter support - enables a virtual environment (VE) to run any Ethernet dependent application or service; VLAN support - allows set up of a virtual networking infrastructure that meets strict security requirements with complete network traffic isolation via support for virtual environment network adapters; Improved CPU management - enables system administrators to assign any number of virtual CPUs, up to the number of physical CPUs available."

Full Story (comments: none)

Zenoss Launches Core 1.0 Product

Zenoss has announced the launch of their Zenoss Core 1.0 product. "Zenoss Core is an integrated IT monitoring product that allows IT administrators to manage the status and health of their entire infrastructures through a single web-based console. As a free, open source software product, Zenoss provides organizations world-wide with a new alternative for enterprise-grade IT monitoring that is substantially less expensive and easier to deploy than traditional solutions."

Full Story (comments: none)

New Books

Learning MySQL - O'Reilly's Latest Release

O'Reilly has published the book Learning MySQL by Seyed M.M. "Saied" Tahaghoghi and Hugh E. Williams.

Full Story (comments: none)

New O'Reilly Book - Network Monitoring with Nagios

O'Reilly has published the book Network Monitoring with Nagios by Taylor Dondich.

Full Story (comments: none)

Resources

Best Practices in Embedded Linux

James Chapman has announced a new white paper entitled Best Practices in Embedded Linux [PDF], available for download from Katalix Systems. A discussion forum is also available for discussion of the paper.

Comments (none posted)

FSFE Newsletter

The November 13, 2006 edition of the Free Software Foundation Europe newsletter is online. Topics include: DRM.info platform launched, Introducing Shane M. Coughlan and Maria Luisa Carli, FSFE helped liberating Italian ZIP code database, FSFE at LWE fairs in Utrecht (Netherlands) and London (UK) and FSFE Swedish Team at the Internet Days in Stockholm (Sweden).

Full Story (comments: none)

Contests and Awards

IMIA OSWG Award - winner Ignacio Valdes (LinuxMedNews)

Ignacio Valdes has won the inaugural annual award of the IMIA Open Source Working Group. "The award is made in recognition of long-standing significant achievement in the promotion of free/libre and open source software in health informatics. The award was presented at the annual business meeting of the AMIA OSWG in Washington DC on 13 November, 2006 by Peter Murray, IMIA Vice President for Working Groups and Special Interest Groups."

Comments (none posted)

The 2006 LMN Freedom Award winners (LinuxMedNews)

LinuxMedNews reports on the winners of the 2006 LMN Freedom Award. "It was a split decision this year. Both Nancy Anthracite and Will Ross are recipients of the 2006 Linux Medical News Freedom award, co-sponsored with the International Medical Informatics Association. Ross and Anthracite have worked tirelessly to advance the cause of software freedoms in medicine".

Comments (none posted)

Qt Jambi Developer Contest Announced (KDE.News)

KDE.News covers the Qt Jambi Developer Contest. "Trolltech has announced the Qt Jambi Developer Contest, which is now open to all developers following the release of the third Technology Preview (TP) of Qt Jambi. The contest is aimed at encouraging both Java and Qt programmers to try out the new features available in the Qt Jambi TP3. This third and final technology preview is built on the newly-released Qt 4.2, giving Java programmers access to powerful new Qt features like the powerful 2D graphics canvas (Qt Graphics View) and simplified application styling through Widget Stylesheets." The winner will receive a 2.0GHz Apple MacBook.

Comments (none posted)

Education and Certification

Big Nerd Ranch Announces Fast-track LPI Linux Admin Bootcamp

The Big Nerd Ranch will hold the next Fast-track LPI Linux Admin Bootcamp on February 19-23, 2007 outside of Atlanta, GA.

Full Story (comments: none)

Calls for Presentations

GNOME Journal submission deadline: December 1

The submission deadline for the next edition of the GNOME Journal is December 1; the Journal will be published on December 15.

Full Story (comments: none)

Upcoming Events

FAVE 2006 final line-up announced

The final line-up for FAVE 2006 has been announced. "FAVE is an event for people who are interested in free and open source creative software on Linux and other computer platforms. It features workshops, talks and performances from free software developers and artists. The 2006 event is taking place at Limehouse Town Hall in London, England on Saturday the 25th of November."

Full Story (comments: none)

IEEE International Workshop on Open Source Test Technology Tools

The 2007 IEEE International Workshop on Open Source Test Technology Tools (IOST3) will take place in Berkeley, CA on May 10-11, 2007. "The IOST3 workshop establishes and supports a community of practice focused on open source tools, and tools with open interfaces, for the test, quality assurance, and reliability estimation of electronic devices, assemblies, and systems."

Comments (none posted)

Third International Conference on Open Source Systems (LinuxMedNews)

LinuxMedNews has announced the Third International Conference on Open Source Systems. "The Third International Conference on Open Source Systems will be held in Limerick, Ireland 11-14 June 2007. The goal of the conference is intended to "provide an international forum where a diverse community of professionals from academia, industry and public administration can come together to share research findings and practical experiences. The conference is also meant to provide information and education to practitioners, identify directions for further research, and to be an ongoing platform for technology transfer.""

Comments (none posted)

FFII announces the European Patent Conference

The FFII has sent out an announcement for a series of conferences on patents in Europe; the first two events are in Munich (November 25) and Brussels (January 24). "[P]roblems in the patent system affect all industries and all consumers. The European Patent Conference is the ideal opportunity for those who want to fix these problems."

Full Story (comments: none)

foss.in partial speaker list available

A partial list of speakers for the upcoming foss.in event has been published. The event will take place on November 24-26, 2006 in Bangalore, India. "This year, we have tried to stay away from overpowering people with glitz. We therefore decided that despite my better judgement, we wouldn't be inviting Pamela Anderson, but we do hope that Christoph Hellwig's unique hairstyle will make up for that."

Full Story (comments: none)

London Perl Workshop 2006

The 2006 London Perl Workshop has been announced; the event will take place on Saturday December 9, 2006 at Westminster University. "The LPW is (like all of the other local Perl workshops) a grass-roots, one day, free Perl conference. The talks are of a very high standard and it's a great way to meet people from the Perl community (who come from all over the world to be at the workshop)."

Comments (none posted)

Registrations are open for tutorials at OSDC 2006

Registration is open for the Open Source Developers' Conference 2006 tutorial program. "The tutorials run on the 5th December, followed by the technical program on the 6th - 8th December. Most tutorials include printed reference material." The event takes place in Melbourne, Australia.

Full Story (comments: none)

Last chance to join the Summer of PyPy

A European PyPy sprint event has been announced. "Hopefully by now you have heard of the "Summer of PyPy", our program for funding the expenses of attending a sprint for students. If not, you've just read the essence of the idea :-) However, the PyPy EU funding period is drawing to an end and there is now only one sprint left where we can sponsor the travel costs of interested students within our program. This sprint will probably take place in Leysin, Switzerland from 8th-14th of January 2007."

Comments (none posted)

Events: November 23, 2006 to January 22, 2007

The following event listing is taken from the LWN.net Calendar.

Date(s)                      Event                                                  Location
November 21 - November 24    15th International Conference on Computing             Mexico City, Mexico
November 24 - November 26    FOSS.IN 2006                                           Bangalore, India
November 25                  FAVE 2006 - free software multimedia event in London   London, UK
November 27 - November 30    PacSec Applied Security Conference 2006                Tokyo, Japan
December 1 - December 2      PHP Conference Brasil                                  Sao Paolo, Brazil
December 2 - December 3      Technical Dutch Open Source Event                      Eindhoven, the Netherlands
December 3 - December 8      Large Installation System Administration Conference    Washington, D.C.
December 5 - December 8      Open Source Developers' Conference 2006                Melbourne, Australia
December 7 - December 8      Desktop Architects Meeting                             Portland, OR, USA
December 9                   London Perl Workshop                                   London, England
December 12 - December 19    Virtual Congress UnInet Meeting UMeet'2006             irc.uninet.edu, #linux
December 27 - December 30    23rd Chaos Communication Congress 2006                 Berlin, Germany
January 11 - January 12      Foundations of Open Media Software                     Sydney, Australia
January 15 - January 20      linux.conf.au 2007                                     Sydney, Australia
January 20 - January 26      Cell Hack-a-thon                                       Loveland, CO, USA

If your event does not appear here, please tell us about it.

Web sites

FSF Compliance Lab announces new web site

The Free Software Foundation has announced a new Free Software Licensing web site. "The site aims to help people find the information they need about licenses published by the FSF, such as the GNU General Public License (GPL), and to provide more information about the Lab's work."

Full Story (comments: none)

Audio and Video programs

Web 2.0 Podcast - a look ahead (O'ReillyNet)

O'Reilly presents podcast coverage of the Web 2.0 Summit 2006. "Two and one half days jam packed with sessions. You'll get to hear and see most of them in this Web 2.0 podcast stream. Next week Tim O'Reilly and John Battelle kick our podcast off with their look at Web 2.0."

Comments (none posted)

Page editor: Forrest Cook

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds