The Mozilla Foundation is a valuable contributor to the free software
community; it has, among other things, provided us with a free browser
which has restored the notion of standards to the World Wide Web. The
relationship between the Foundation and Linux distributors has occasionally
been a little bumpy, however. Mozilla's trademark policies have created
stress for distributors, a few of whom have decided to leave the
trademarked names behind altogether. The Foundation's security update and
maintenance policies have also made life harder, sometimes having the
effect of force-upgrading users to newer versions in otherwise stable
distributions. To some, it seems that Mozilla's main interest is now its
Windows users, with Linux support relegated to second-tier status.
At the recent Firefox summit, the Foundation got together with
representatives from Red Hat and Novell and faced the problem directly:
Historically, there has been a great deal of tension between
mozilla.org and the Linux distros, notably over maintenance of
branches, divergence between distros, and lack of sustained
communication between the groups. All seemed in agreement that
closer cooperation and dividing responsibilities appropriately
would benefit everyone involved. A number of changes were proposed
that have general consensus among the stakeholders.
What came out of this meeting was an agreement on a number of changes
which, going forward, should improve the relationship between Mozilla and
the distributors; it should also make life better for Linux-based Mozilla
users.
A new group of maintainers - representing Linux distributors - will be
pulled together "in the Firefox 3 timeline." These maintainers will
have a much bigger say on what goes into the Linux builds of Firefox and
will be able to help ensure that the browser integrates better with Linux.
They will also have the explicit goal of moving many of the patches
currently carried by distributors into the Firefox mainline, decreasing
their divergence from the mainline (and from each other).
Another advantage of pushing the patches up, evidently, is that it will
make compliance with the Firefox trademark rules easier, since there will
be fewer patches to get rubber-stamped.
These maintainers will also have a bigger role in the long-term upkeep of
Firefox releases. Red Hat's Christopher Aillon notes
that this group will be maintaining Firefox 1.5 past the date when the
Mozilla Foundation plans to let it go. This work should help the
distributors keep that version secure into the future, with the result that
they need not push their users to the 2.0 release before they want to go
there.
The Mozilla Foundation has also recognized that most Linux users run
versions of Firefox built by their distributors rather than the official
Mozilla builds. In the future, distributor packages will be available
directly from the Mozilla web pages. That, too, should make life easier
for the user community. Overall, this new cooperation seems like a step
in the right direction; having Mozilla more tightly tied to the free
software community can only be a good thing.
These changes are unlikely to bring Debian back into the Firefox camp,
however, since Debian will still see the trademark policy as not being
DFSG-free. Debian's policy of shipping "iceweasel" will almost certainly
continue. But there is an interesting conversation going on about how
iceweasel is shipped as well.
The issue is this: on a Debian system, it is still possible to type:
apt-get install firefox
What the packaging system will do, however, is install iceweasel. Given
that the driving force behind the switch in the first place was trademark
usage, it seems unlikely that the Mozilla people will be amused by this
behavior - though they have made no public statements on it as of this
writing. Moving away from Firefox as a result of disagreement with the
rules attached to that name is arguably a reasonable thing to do. But,
once that decision is made, the right thing is almost certainly to move
away from the "firefox" name altogether - before the next round of "cease
and desist" letters shows up.
Ryzom is a multi-player online game
operated by a company called
Nevrax.
It has a dedicated following, but has
never reached anything close to the level of popularity seen by some of its
competitors. In fact, it has not reached a sufficient level of popularity
to keep Nevrax alive; that company has found its way into French bankruptcy
court. The future of this game is currently in doubt.
Interestingly, Ryzom has some free software roots. Just over six years
ago, LWN's Development
Page carried a notice about the release of NeL, Nevrax's GPL-licensed
library for the creation of online games. Richard Stallman once visited
the company's office. It would appear, however, that
Nevrax, once it started accepting venture capital, lost interest in free
software. The GPL releases slowed; instead, Nevrax started
offering closed-source
versions of its code. Whether Nevrax would have
succeeded had it maintained its free software approach will never be known;
the proprietary plan has visibly failed to work, however.
Some of the original developers have not lost interest in the code,
however, and they have a number of friends. Together they have founded the
Free Ryzom Campaign. The plan is to raise
enough money to buy Nevrax's assets in bankruptcy court, release the code
under the GPL, and take the game into the future. The inspiration is
clearly the Blender
project, whose code was bought through donations in a very similar
way back in 2002. The Free Blender project surprised everybody by raising
€100,000 in less than two months. If the Blender folks can do it, the
reasoning goes, why not online game supporters? Those people, after all,
are already accustomed to paying for their experience.
The first step is to sell this plan to the bankruptcy court. The Free
Ryzom folks have not yet been able to release their proposal publicly, but
the core
concepts have been posted. There will be a non-profit organization
allied with the for-profit company Mekensleep and Valentin Lacambre. With
this combination, the project hopes to convince the court that it has the
most interesting offer. In this way, they can also put some
significant money on the table before the donations from the community come
in.
If the plan is accepted by the court, Mekensleep will end up owning the
code, along with the artwork, trademarks, and so on. There is some
sentiment in the Free Ryzom community for transferring the copyrights to
the non-profit group, but it seems that this decision has not yet been
made. What is clear is that all of the code would be immediately released
under the GNU General Public License (with the "any later version"
language).
From there, the code would be managed under the terms of the project's social
contract, which is based on the Debian social contract. Among other
things, it says that players own their avatars and other objects, and
should be able to transfer them from one server to another.
The plans call for there to be multiple servers. The current Nevrax
servers would continue to be run - on a paid membership basis - as they
have been until now. But the (Linux-based) server code would be free, so
anybody with an interest could set up their own world and allow access in
whatever way pleases them best. According to the Free Ryzom folks (who
kindly talked with your editor about the project), multiple worlds were a
part of the plan from the very beginning. One of the long-term goals is to
revise that vision, creating the prospect of a community-driven metaverse
of cooperating game servers.
In the near future, however, a number of other problems need to be solved.
There is, for example, no Linux client for Ryzom; one assumes that, once
the source becomes available, that little problem could be taken care of.
Some players are concerned about the
security implications of opening up the source; in particular, they
would hate to see the gameplay ruined by a proliferation of robots. There
is, inevitably, some third-party code in the mix which would have to
be stripped out and replaced. There is even some tension within the
community about whether the primary goal is the preservation of Ryzom or
the freeing of the code.
Before work can begin on any of those issues, however, a more immediate
problem must be overcome: the project must convince the bankruptcy court
that it is the best custodian for the code. The proposal was considered on
December 5, along with proposals from other interested parties. The
current word is that some sort of decision will be announced sometime after
December 12. Should the project prevail in court, it must then
collect enough donations to complete the purchase. To that end, the
project is now asking for
donation pledges; at this time, all that is needed is to promise to give
some money. Should the project go ahead, donors will be expected to follow
through with cash. The list
of pledges is quite long; if all of those people are serious, the
project will be off to a good start.
The free software community has accomplished a great many things in recent
years, but the creation of a high-quality online multiplayer game is not
among them. This is an important area, even for those of us who lack the
time or interest for gaming; the sorts of virtual worlds being created for
gamers can
only become more prevalent and important in coming years. They may be the
only place where we'll be able to find our children. Clearly, we need some
good, free virtual world infrastructure. It would be nice if we could develop it
entirely ourselves, but the fact is that software cast off from corporate
failures has long been an important source of code. Perhaps this
particular corporate disaster could yet yield benefits for the free
software community.
[The images all come from the Ryzom screenshots
gallery, which has many more.]
The third
Desktop
Architects' Meeting (DAM3) is being held on December 7 and 8 at
OSDL's offices in Portland. Despite some rumors to the contrary, there
will still
be a few people in those offices, and the meeting is
going ahead as planned. LWN, unfortunately, will not be represented
there. Happily, most of the attendees have
posted
their slides ahead of the event, so it is possible to get a sense for
what some of the common themes will be.
Outsiders like to criticize Linux for its proliferation of distributions,
desktops, and more. Within the community, we recognize this diversity as a
form of wealth. The variety of Linux distributions encourages
experimentation with different approaches, with the resulting lessons being
learned by the community as a whole. They also ensure that we will never
be locked into a single source for our software; switching distributions is
an easy thing to do. Similarly, the competition between free desktop
projects has inspired them all to identify their users and give them the
best experience they can. There are few people who would wish for a world
with a single distribution and a single desktop.
Some of those who might wish for that world, however, may well be at
DAM3. Diversity is good for the community, but it does make life harder
for those who would support binary applications on Linux. Having to deal
with a range of desktops, packaging systems, library versions, encoding
choices, etc. creates a lot of work for application vendors. Someday,
maybe, the free software community will be so rich that nobody will ever
wish for a proprietary application for their Linux systems. Until that
time, we will either have to make life easier for those vendors or simply
write off a large subset of potential desktop Linux users.
Some other old complaints have been raised: lack of support for proprietary
codecs and DVD playback, for example. Most of the people involved seem to
understand why Linux has these limitations. But they can still wish for a
world where more things just worked.
Hardware support also shows up in a few sets of slides. This is an area
where things are getting better quickly - most wireless network adapters
should be supported before too long, for example. But video adapters
are still a problem.
A certain amount of slide space was reserved for complaints about sound
support under Linux. At the driver level, things seem to work, but not
everybody likes the ALSA API. Above that, there seems to be no consensus
on which sound server should be used. Without a consistent and reliable
way to make noise, many desktop applications will remain hard to support.
Printing also, apparently, remains a sore point, despite the great progress
that has been made in recent years. One initiative which may go forward
soon is the certification of printers which are well supported under
Linux. Beyond that, it appears that the Portland Project is going to try
to create a unified structure for print dialogs. This mechanism would try
to present a consistent interface to printing which would make it easier to
export - and use - printer-specific features. Desktop-specific dialogs
would still do the actual user interaction, but they would be using the
Portland mechanism underneath.
Perhaps the most interesting thing to be seen from the slides, however, is
the expanded view of the "desktop" being taken by the group. Mobile and
embedded systems - from the OLPC to the Nokia 770 and telephones - are
clearly seen as a sort of desktop system. Many of the issues are the same,
but the incorporation of mobile applications brings new pressures. One
can, with little effort, find plenty of evidence that the desktop projects
have not, so far, been overly concerned with memory use and overall bloat.
Small systems are forcing people to reconsider their priorities, however,
and there is likely to be an increase in the amount of development time
which goes into making things smaller. A few of the participants note that
better tools for memory profiling would be most helpful in this task.
Overall, there appears to be nobody who is willing to predict total World
Desktop Domination anytime in the near future. There is, however, a clear
level of interest in the Linux desktop, especially when one considers
desktops which fit in a shirt pocket. Interesting things are going
to happen in this area.
Page editor: Jonathan Corbet
Security
December 6, 2006
This article was contributed by Jake Edge.
Anyone who pays attention to their spam knows that its character changes
frequently; spammers are always adding new tricks to try to evade spam
filters. There is an arms race of sorts going on: the filters get better
at recognizing the latest evasion attempts, so the spammers come up with
new ones, and the cycle repeats. Keeping up with this spam evolution
requires frequent updates of the filter rulesets. For users of
SpamAssassin (SA), the sa-update tool makes it very easy to pick up the
latest ruleset and keep that unwanted spam out of the inbox.
Before sa-update, official SA ruleset updates were only available by
installing an updated version of SA. Because the release cycle was often
lengthy (measured in months), the developers added the ability to update
the rulesets over the internet. At its core, sa-update contacts one or more
servers, fetches rule and score files, and installs them in a directory
that SA reads for its updates. SA will start using the new rules
immediately, though a running spamd must be restarted before it sees them.
sa-update is configured by default to use the official 'channel'
(updates.spamassassin.org), but that can be altered to tune into other
SA rules repositories. The SpamAssassin Rules Emporium (SARE) is one
collection of rules and scores that sa-update can use. There are multiple
channels available, each of which handles a different type of spam, and
one can mix and match the rulesets to tune the filter for the kinds of
spam being seen.
There are some security implications to consider: injecting bad rules or
scores could lead to worse spam filtering, for example. More worrisome,
however, is the fact that the update mechanism allows plugins to be
distributed, which opens the door to arbitrary code execution. SA plugins
are arbitrary Perl code that will be run by the filter; because the filter
generally runs as root or another privileged user, that can be quite
dangerous. sa-update checks GPG signatures on the updates to reduce this
hazard, which works as long as the signer is really trustworthy (and as
long as the recent GPG security problem has been patched: gpg is, after
all, being handed data fetched from the network here). The official
channel will not distribute plugins, thereby eliminating that problem for
anybody who sticks to it.
The available rulesets change frequently, and automating sa-update via
cron can keep the system up to date on a daily or weekly basis. Another
tool, rule-get, builds on the update mechanism and provides a command line
syntax modeled on apt-get.
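As an added example (not part of the article and not code from the SpamAssassin project), here is the kind of wrapper one might run from cron instead of a bare sa-update line. It calls sa-update with a fixed channel file and an explicit list of trusted signing key IDs, maps the tool's exit status to an action, and scans the installed rules for loadplugin directives before reloading spamd, since a plugin is Perl code the filter will execute with its privileges. The paths, the placeholder key ID and the reload command are assumptions; the throwaway rules directory it can build is constructed input for trying the scanner offline.

```python
#!/usr/bin/env python3
# Added example: cron wrapper around sa-update.  Paths, key ID and reload
# command below are assumptions; adjust them for the system in use.
import os
import re
import subprocess
import sys
import tempfile

CHANNELS_FILE = "/etc/mail/spamassassin/channels.conf"  # assumed; one channel name per line
UPDATE_DIR = "/var/lib/spamassassin"                    # assumed; where sa-update installs rules
GPG_KEY_IDS = ["0123456789ABCDEF"]                      # placeholder; the channel's real key ID
RELOAD_CMD = ["/etc/init.d/spamassassin", "reload"]     # assumed init script

# A rules line starting with 'loadplugin' (optionally indented) makes the
# filter load and run a Perl module; that is the directive to look for.
LOADPLUGIN_RE = re.compile(r"^\s*loadplugin\s+\S+", re.IGNORECASE)


def find_plugin_loads(update_dir):
    """Return sorted (path, line_number) pairs for every loadplugin directive
    in the .cf and .pre files below update_dir; an empty list means the
    installed rules carry no plugin code."""
    hits = []
    for root, _dirs, files in os.walk(update_dir):
        for name in files:
            if not name.endswith((".cf", ".pre")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_number, line in enumerate(fh, 1):
                    if LOADPLUGIN_RE.match(line):
                        hits.append((path, line_number))
    return sorted(hits)


def classify_exit(rc):
    """Map sa-update's exit status (see its manual page) to an action:
    0 = new rules installed, 1 = no fresh updates, 2 = a lint check failed
    and the old rules were kept, 4 and up = download, extraction or
    signature error.  Anything unexpected is treated as an error too."""
    if rc == 0:
        return "updated"
    if rc == 1:
        return "unchanged"
    if rc == 2:
        return "lint-failed"
    return "error"


def build_command(channels_file, key_ids):
    """sa-update reads channels from --channelfile and accepts updates only
    from the signing keys named with --gpgkey (already imported into its
    keyring); an unsigned or wrongly signed update is rejected."""
    cmd = ["sa-update", "--channelfile", channels_file]
    for key_id in key_ids:
        cmd += ["--gpgkey", key_id]
    return cmd


def make_sample_rules_dir(with_plugin):
    """Constructed sample input: a scratch update directory holding one
    harmless rule file and, optionally, a .pre file that loads a plugin."""
    base = tempfile.mkdtemp(prefix="sa-rules-")
    channel = os.path.join(base, "updates_spamassassin_org")
    os.makedirs(channel)
    with open(os.path.join(channel, "10_sample.cf"), "w") as fh:
        fh.write("body SAMPLE_RULE /free money/i\nscore SAMPLE_RULE 1.5\n")
    if with_plugin:
        with open(os.path.join(channel, "99_sample.pre"), "w") as fh:
            fh.write("# third-party channel shipping Perl code\n"
                     "  loadplugin Mail::SpamAssassin::Plugin::Sample sample.pm\n")
    return base


def main():
    rc = subprocess.call(build_command(CHANNELS_FILE, GPG_KEY_IDS))
    action = classify_exit(rc)
    if action != "updated":
        print(f"sa-update exit status {rc}: {action}", file=sys.stderr)
        return 0 if action == "unchanged" else 1
    hits = find_plugin_loads(UPDATE_DIR)
    if hits:
        # sa-update has already installed the files, so this is an alert,
        # not a prevention: do not reload spamd, and clean up the channel.
        for path, line_number in hits:
            print(f"plugin load directive at {path}:{line_number}", file=sys.stderr)
        return 1
    return subprocess.call(RELOAD_CMD)


if __name__ == "__main__":
    sys.exit(main())
```

The scan runs after sa-update has installed the files, so a hit is a signal to remove the offending channel directory and drop that channel from the list, not a guarantee that nothing was loaded; the real protection is the key list, which is why the wrapper never passes --nogpg and names the keys it trusts explicitly.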
This is an excellent tool for helping to reduce the ever-evolving spam
problem. As long as one is careful about which GPG keys to trust, it
should be secure as well. Spammers are, no doubt, using the same tool to
tune their spam to avoid the new rules, but using it can still reduce the
false negatives from older evasion schemes, or from spammers who have yet
to test their stock scam email against the latest rules.
More information and additional channels are available from the SA wiki,
which is a good starting point.
Brief items
The GnuPG developers have sent out an advisory regarding a rather
unpleasant vulnerability which has surfaced: "Using malformed OpenPGP
packets an attacker is able to modify and dereference a function pointer
in GnuPG. This is a remotely exploitable bug and affects any use of GnuPG
where an attacker can control the data processed by GnuPG. It is not
necessarily limited to encrypted data, also signed data may be affected."
It would be prudent to be very careful about feeding messages to gpg until
you have a fix installed.
New vulnerabilities
gnupg: buffer overflow
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-6169 |
| Created: | November 30, 2006 |
| Updated: | December 11, 2006 |
| Description: | GnuPG has a buffer overflow vulnerability. If a user can be tricked into running gpg interactively on a specially crafted message, arbitrary code can be executed with the user's privileges. |
kernel: bridging code buffer overflow
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5751 |
| Created: | December 6, 2006 |
| Updated: | January 3, 2007 |
| Description: | A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix. |
koffice: integer overflow
| Package(s): | koffice |
| CVE #(s): | CVE-2006-6120 |
| Created: | November 30, 2006 |
| Updated: | February 20, 2007 |
| Description: | The KOffice office suite has an integer overflow vulnerability. If an attacker can trick a user into opening a specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or possibly execute arbitrary code with the user's privileges. |
libgsf: heap buffer overflow
| Package(s): | libgsf |
| CVE #(s): | CVE-2006-4514 |
| Created: | November 30, 2006 |
| Updated: | January 11, 2007 |
| Description: | The GNOME library libgsf, which is used for writing structured file formats, has a heap buffer overflow that can be exploited for the purpose of executing arbitrary code. |
xine-lib: buffer overflow
| Package(s): | xine-lib |
| CVE #(s): | CVE-2006-6172 |
| Created: | December 5, 2006 |
| Updated: | June 5, 2007 |
| Description: | A buffer overflow was discovered in the Real Media input plugin in xine-lib. If a user were tricked into loading a specially crafted stream from a malicious server, the attacker could execute arbitrary code with the user's privileges. |
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
apache-mod_auth_kerb: off-by-one error
| Package(s): | apache-mod_auth_kerb |
| CVE #(s): | CVE-2006-5989 |
| Created: | November 24, 2006 |
| Updated: | January 23, 2007 |
| Description: | An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array. |
asterisk: arbitrary code execution
| Package(s): | asterisk |
| CVE #(s): | CVE-2006-5444 |
| Created: | October 19, 2006 |
| Updated: | December 6, 2006 |
| Description: | The Asterisk telephony PBX application has a heap overflow vulnerability in the skinny channel driver. A remote attacker can use this to execute arbitrary code with the privileges of the Asterisk user. See the vulnerability report for more information. |
avahi: sender id check
| Package(s): | avahi |
| CVE #(s): | CVE-2006-5461 |
| Created: | November 13, 2006 |
| Updated: | December 20, 2006 |
| Description: | Steve Grubb discovered that netlink messages were not being checked for their sender identity. This could lead to local users manipulating the Avahi service. |
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2006-4095, CVE-2006-4096 |
| Created: | September 7, 2006 |
| Updated: | February 1, 2007 |
| Description: | BIND has two denial of service vulnerabilities: a query to a recursive server for SIG records will trigger an assertion failure if more than one RR set is returned, and an INSIST failure can be triggered by sending a large number of recursive queries. |
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 |
| Created: | November 10, 2006 |
| Updated: | August 28, 2007 |
| Description: | Bugzilla has the following vulnerabilities: input data passed to various fields is not properly sanitized before being passed back to users; users can gain unauthorized access to read attachment descriptions while using diff mode; HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification; and input passed to showdependencygraph.cgi is not properly sanitized before being returned to users. |
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when hashing passwords. Without a salt, identical passwords produce identical hashes and precomputed tables (rainbow tables) apply, so recovering passwords from a stolen password file by brute force could take very little time. |
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
| CVE #(s): | CAN-2005-0953, CAN-2005-1260 |
| Created: | May 17, 2005 |
| Updated: | January 10, 2007 |
| Description: | A race condition in bzip2 1.0.2 and earlier allows local users to modify the permissions of arbitrary files via a hard link attack on a file while it is being decompressed: bzip2 changes the permissions of the output file by name after the decompression is complete. Also, specially crafted bzip2 archives may cause an infinite loop in the decompressor. |
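As an added example (not bzip2's code and not the fix the advisory refers to), the following simulates the hard-link race described above together with the fix for it. The vulnerable routine writes the output file and then calls chmod() on its name; if a local user has replaced that name with a hard link to someone else's file in the meantime, the victim file's permissions change instead. The hardened routine opens the output with O_CREAT|O_EXCL, keeps the descriptor, and calls fchmod() on it, so only the inode it created can be affected. The "attacker" step runs synchronously here to make the window deterministic, and the file names are constructed.

```python
# Added example: the chmod-by-name race behind the bzip2 advisory, and the
# fchmod-on-descriptor pattern that closes it.  Names are constructed.
import os
import stat
import tempfile


def write_then_chmod_by_path(out_path, data, mode, between=None):
    """Vulnerable pattern: create, write, close, then chmod the *name*.
    'between' stands in for whatever else happens on the system before the
    chmod; in the simulation it is the attacker swapping in a hard link."""
    with open(out_path, "wb") as fh:
        fh.write(data)
    if between:
        between()
    os.chmod(out_path, mode)          # acts on whatever out_path names now


def write_then_fchmod_by_fd(out_path, data, mode, between=None):
    """Hardened pattern: O_EXCL refuses to follow a pre-planted symlink or
    to reuse an existing file, and fchmod() on the open descriptor can only
    ever touch the inode this process created, whatever the name points to."""
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
        if between:
            between()
        os.fchmod(fd, mode)           # acts on the inode behind fd, not the name
    finally:
        os.close(fd)


def simulate_hardlink_race(use_fd):
    """Constructed scenario in a scratch directory: a 0600 'victim' file and
    a decompressor writing 'out' next to it while a local attacker replaces
    'out' with a hard link to 'victim'.  Returns the victim's final mode."""
    work = tempfile.mkdtemp(prefix="bz-race-")
    victim = os.path.join(work, "victim")
    out = os.path.join(work, "out")
    with open(victim, "wb") as fh:
        fh.write(b"private data\n")
    os.chmod(victim, 0o600)

    def attacker():
        # Needs only write access to the directory, as in a shared /tmp.
        os.unlink(out)
        os.link(victim, out)

    writer = write_then_fchmod_by_fd if use_fd else write_then_chmod_by_path
    writer(out, b"decompressed output\n", 0o644, between=attacker)
    return stat.S_IMODE(os.stat(victim).st_mode)
```

With the path-based routine the victim ends up world-readable (0644); with the descriptor-based one it stays 0600 because the fchmod() landed on the now-unlinked inode the writer had opened. The same reasoning applies to chown() versus fchown() and to any other metadata set "after the fact" by name.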
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | March 17, 2010 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | June 1, 2009 |
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2006-4262 |
| Created: | October 2, 2006 |
| Updated: | June 16, 2009 |
| Description: | Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code. |
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2004-2541 |
| Created: | May 22, 2006 |
| Updated: | June 19, 2009 |
| Description: | A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target. |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a denial of service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a denial of service even if the attacker is not able to authenticate. |
dovecot: index cache file handling error
| Package(s): | dovecot |
| CVE #(s): | CVE-2006-5973 |
| Created: | November 29, 2006 |
| Updated: | May 8, 2007 |
| Description: | The Dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
elinks: arbitrary file access
| Package(s): | elinks |
| CVE #(s): | CVE-2006-5925 |
| Created: | November 16, 2006 |
| Updated: | October 22, 2009 |
| Description: | The elinks text-mode browser has an arbitrary file access vulnerability in its SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions. |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2006-4799, CVE-2006-4800 |
| Created: | September 14, 2006 |
| Updated: | May 28, 2007 |
| Description: | The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges. |
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: | Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. |
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | June 1, 2010 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privileges of the user. |
ftpd: privilege escalation
| Package(s): | ftpd |
| CVE #(s): | CVE-2006-5778 |
| Created: | November 10, 2006 |
| Updated: | February 14, 2007 |
| Description: | Ftpd is vulnerable to a privilege escalation attack: an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories. |
fvwm: fvwm-menu-directory command injection
| Package(s): | fvwm |
| CVE #(s): | CVE-2006-5969 |
| Created: | November 24, 2006 |
| Updated: | November 29, 2006 |
| Description: | Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that fvwm-menu-directory does not sufficiently sanitize directory names prior to generating menus. A local attacker who can convince an fvwm-menu-directory user to browse a directory they control could cause fvwm commands to be executed with the privileges of the fvwm user. Fvwm commands can be used to execute arbitrary shell commands. |
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
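As an added example (not fastjar's code and not the fix the advisory refers to), the check below is what any archive extractor needs to run on each entry name before creating it: the name is untrusted input and is rejected if it is absolute, names a drive, contains a parent-directory component, or, once joined to the destination and resolved against what is already on disk, lands outside it. That last test goes beyond this advisory and also catches an entry written through a symbolic link that an earlier entry in the same archive planted. The names, the destination directory and the helper that demonstrates the symlink case are constructed for illustration.

```python
# Added example: path check for archive entry names, the class of bug in
# the fastjar advisory.  Destination and entry names are constructed.
import os
import tempfile


class UnsafeMemberName(ValueError):
    """Raised for an archive entry name that must not be written."""


def safe_extract_path(dest_dir, member_name):
    """Return the absolute path under dest_dir at which the archive member
    may be created, or raise UnsafeMemberName.  member_name is untrusted."""
    if not member_name or "\x00" in member_name:
        raise UnsafeMemberName(f"empty or NUL-containing name: {member_name!r}")
    # Treat backslashes as separators too: archives built on Windows use
    # them, and a lexical check that ignores them is trivially bypassed.
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeMemberName(f"absolute path: {member_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts:
        raise UnsafeMemberName(f"name has no path components: {member_name!r}")
    if ".." in parts:
        # Stricter than strictly needed (a/../b stays inside), but ".." has
        # no legitimate use in an archive entry name, so reject it outright.
        raise UnsafeMemberName(f"parent-directory reference: {member_name!r}")
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    # Resolve against what is already on disk: an earlier entry may have
    # planted a symlink, so the lexical checks alone are not enough.
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeMemberName(f"resolves outside destination: {member_name!r}")
    return target


def is_safe_member(dest_dir, member_name):
    """Boolean form of safe_extract_path for callers that only need a verdict."""
    try:
        safe_extract_path(dest_dir, member_name)
        return True
    except UnsafeMemberName:
        return False


def demo_symlink_escape():
    """Constructed scenario: entry 1 of a malicious archive created the
    symlink lib -> <a directory outside dest>; entry 2 is lib/pwned.
    Returns True if the check rejects entry 2."""
    work = tempfile.mkdtemp(prefix="jar-")
    dest = os.path.join(work, "out")
    outside = os.path.join(work, "outside")
    os.makedirs(dest)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(dest, "lib"))   # what entry 1 left behind
    return not is_safe_member(dest, "lib/pwned")
```

The realpath() step is what makes the symlink case work, but it is only as good as the moment it runs: an extractor that wants to be robust against a concurrent writer in the destination directory should additionally open each path component with O_NOFOLLOW (or use openat()-style relative opens from a descriptor on the destination) rather than rely on the lexical check alone.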
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: | A buffer overflow in the dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations. |
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
gv: stack-based buffer overflow
| Package(s): | gv |
| CVE #(s): | CVE-2006-5864 |
| Created: | November 20, 2006 |
| Updated: | April 9, 2007 |
| Description: | A stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header. |
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | January 20, 2010 |
| Description: | Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files: if a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. He also discovered several code execution flaws in the same code: if a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. |
gzip: arbitrary command execution
| Package(s): | gzip |
| CVE #(s): | CAN-2005-0758 |
| Created: | August 1, 2005 |
| Updated: | January 10, 2007 |
| Description: | zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|' and '&' properly when they occur in input file names. This could be exploited to execute arbitrary commands with user privileges if zgrep is run in an untrusted directory with specially crafted file names. |
| Alerts: | |
Comments (2 posted)
imagemagick: buffer overflows
| Package(s): | imagemagick |
| CVE #(s): | CVE-2006-5868 |
| Created: | November 28, 2006 |
| Updated: | February 16, 2007 |
| Description: | Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (1 posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-5456 |
| Created: | October 31, 2006 |
| Updated: | March 8, 2007 |
| Description: | Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. |
| Alerts: | |
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
| CVE #(s): | CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809 |
| Created: | November 6, 2006 |
| Updated: | August 13, 2007 |
| Description: | M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
jbossas: arbitrary code execution
| Package(s): | jbossas |
| CVE #(s): | CVE-2006-5750 |
| Created: | November 27, 2006 |
| Updated: | November 29, 2006 |
| Description: | Symantec discovered a flaw in the DeploymentFileRepository class of the JBoss Application Server. A remote attacker who is able to access the console manager could read or write to files with the permissions of the JBoss user. This could potentially lead to arbitrary code execution as the jboss user. |
| Alerts: | |
Comments (none posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-4811 |
| Created: | October 18, 2006 |
| Updated: | March 5, 2007 |
| Description: | The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: | |
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: | |
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4623 |
| Created: | October 18, 2006 |
| Updated: | November 14, 2007 |
| Description: | The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | January 5, 2009 |
| Description: | Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel (CVE-2006-4535). Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel (CVE-2006-4538). |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4572, CVE-2006-4997 |
| Created: | November 6, 2006 |
| Updated: | January 17, 2007 |
| Description: | Some vulnerabilities were discovered in the Linux 2.6 kernel. There are possibly exploitable bugs in the netfilter for IPv6 code (CVE-2006-4572). The ATM subsystem of the Linux kernel could allow a remote attacker to cause a denial of service (panic) via unknown vectors that cause the ATM subsystem to access the memory of socket buffers after they are freed (CVE-2006-4997). |
| Alerts: | |
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5757 |
| Created: | November 13, 2006 |
| Updated: | November 14, 2007 |
| Description: | From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")." |
| Alerts: | |
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2935, CVE-2006-4145, CVE-2006-3745 |
| Created: | September 1, 2006 |
| Updated: | July 30, 2008 |
| Description: | Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause a system crash (denial of service) and, if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack. |
| Alerts: | |
Comments (none posted)
krb5: local privilege escalation
| Package(s): | krb5 |
| CVE #(s): | CVE-2006-3083 |
| Created: | August 9, 2006 |
| Updated: | July 7, 2010 |
| Description: | Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: | |
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, a console Gadu Gadu client, an instant messaging program), which is also included in gaim, a multi-protocol instant messaging client. This cannot be exploited on the x86 architecture, but on others, e.g. Sparc, it leads to a bus error, in other words a denial of service. |
| Alerts: | |
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
| CVE #(s): | CVE-2006-2906 |
| Created: | June 14, 2006 |
| Updated: | January 16, 2007 |
| Description: | Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: | |
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
| CVE #(s): | CVE-2006-2200 |
| Created: | July 6, 2006 |
| Updated: | December 25, 2006 |
| Description: | Several buffer overflows were found in libmms. By tricking a user into opening a specially crafted remote multimedia stream with an application using libmms, a remote attacker could overwrite an arbitrary memory portion with zeros, thereby crashing the program. |
| Alerts: | |
Comments (none posted)
libpam-ldap: insecure password control
| Package(s): | libpam-ldap |
| CVE #(s): | CVE-2006-5170 |
| Created: | November 3, 2006 |
| Updated: | December 21, 2006 |
| Description: | Steve Rigler discovered that the PAM module for authentication against LDAP servers processes PasswordPolicyResponse control messages incorrectly, which might lead to an attacker being able to log in to a suspended system account. |
| Alerts: | |
Comments (none posted)
libpng: denial of service
| Package(s): | libpng |
| CVE #(s): | CVE-2006-5793 |
| Created: | November 16, 2006 |
| Updated: | December 4, 2006 |
| Description: | Applications that use libpng are vulnerable to a denial of service attack that may be brought about by the decoding of malformed PNG files. |
| Alerts: | |
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-3334 |
| Created: | July 19, 2006 |
| Updated: | December 15, 2008 |
| Description: | In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow. |
| Alerts: | |
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-0481 |
| Created: | February 13, 2006 |
| Updated: | December 15, 2008 |
| Description: | A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim. |
| Alerts: | |
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2193 |
| Created: | June 15, 2006 |
| Updated: | September 1, 2008 |
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code. |
| Alerts: | |
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
| CVE #(s): | CVE-2006-2450 |
| Created: | August 4, 2006 |
| Updated: | March 19, 2007 |
| Description: | LibVNCServer fails to properly validate protocol types, effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type, even if it is not offered by the server. |
| Alerts: | |
Comments (none posted)
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
| Alerts: | |
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
| Alerts: | |
Comments (none posted)
linux-restricted-modules: nVidia driver vulnerability
| Package(s): | linux-restricted-modules |
| CVE #(s): | CVE-2006-5379 |
| Created: | November 6, 2006 |
| Updated: | January 11, 2007 |
| Description: | Derek Abdine discovered that the NVIDIA Xorg driver did not correctly verify the size of buffers used to render text glyphs. When displaying very long strings of text, the Xorg server would crash. If a user were tricked into viewing a specially crafted series of glyphs, this flaw could be exploited to run arbitrary code with root privileges. |
| Alerts: | |
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
| CVE #(s): | CVE-2005-2929 |
| Created: | November 14, 2005 |
| Updated: | September 14, 2009 |
| Description: | An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. |
| Alerts: | |
Comments (none posted)
mono: symlink vulnerability
| Package(s): | mono |
| CVE #(s): | CVE-2006-5072 |
| Created: | October 4, 2006 |
| Updated: | December 1, 2006 |
| Description: | The mono System.CodeDom.Compiler classes suffer from a temporary file symlink vulnerability which could be used to overwrite files, or, in this case, even inject arbitrary code into a running mono application. |
| Alerts: | |
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
| CVE #(s): | CVE-2006-3469 |
| Created: | July 21, 2006 |
| Updated: | July 30, 2008 |
| Description: | Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server. |
| Alerts: | |
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
| CVE #(s): | CVE-2006-4031, CVE-2006-4226 |
| Created: | August 25, 2006 |
| Updated: | July 30, 2008 |
| Description: | MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031). MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226). |
| Alerts: | |
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
| CVE #(s): | CVE-2006-0903 |
| Created: | April 4, 2006 |
| Updated: | May 21, 2008 |
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: | |
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
| CVE #(s): | CVE-2005-3534 |
| Created: | January 6, 2006 |
| Updated: | March 7, 2011 |
| Description: | Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges. |
| Alerts: | |
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
| CVE #(s): | CVE-2006-1168 |
| Created: | August 10, 2006 |
| Updated: | February 21, 2012 |
| Description: | The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow. |
| Alerts: | |
Comments (none posted)
openldap: denial of service
| Package(s): | openldap |
| CVE #(s): | CVE-2006-5779 |
| Created: | November 10, 2006 |
| Updated: | December 1, 2006 |
| Description: | openldap has a denial of service vulnerability. Remote attackers can create special LDAP Bind requests to trigger a libldap assertion failure. |
| Alerts: | |
Comments (none posted)
openldap: security bypass
| Package(s): | openldap |
| CVE #(s): | CVE-2006-4600 |
| Created: | September 29, 2006 |
| Updated: | June 12, 2007 |
| Description: | slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN). |
| Alerts: | |
Comments (none posted)
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
| CVE #(s): | CVE-2006-2198, CVE-2006-2199, CVE-2006-3117 |
| Created: | June 30, 2006 |
| Updated: | January 4, 2007 |
| Description: | Several vulnerabilities have been discovered in OpenOffice.org, a free office suite: it turned out to be possible to embed arbitrary BASIC macros in documents in a way that OpenOffice.org does not see them but executes them anyway without any user interaction (CVE-2006-2198); it is possible to evade the Java sandbox with specially crafted Java applets (CVE-2006-2199); and loading malformed XML documents can cause buffer overflows and cause a denial of service or execute arbitrary code (CVE-2006-3117). |
| Alerts: | |
Comments (none posted)
OpenSSH: denial of service
| Package(s): | openssh |
| CVE #(s): | CVE-2006-4925, CVE-2006-5052 |
| Created: | October 6, 2006 |
| Updated: | November 15, 2007 |
| Description: | packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL. An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort." |
| Alerts: | |
Comments (none posted)
openssh: privilege separation issue
| Package(s): | openssh |
| CVE #(s): | CVE-2006-5794 |
| Created: | November 8, 2006 |
| Updated: | April 5, 2007 |
| Description: | From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities." |
| Alerts: | |
Comments (none posted)
openssh: remote denial of service
| Package(s): | openssh |
| CVE #(s): | CVE-2006-4924, CVE-2006-5051 |
| Created: | September 27, 2006 |
| Updated: | September 17, 2008 |
| Description: | OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service and an unsafe signal handler; in portable OpenSSH, a GSSAPI authentication abort could be used to determine the validity of usernames on some platforms. |
| Alerts: | |
Comments (none posted)
openssl: multiple vulnerabilities
| Package(s): | openssl |
| CVE #(s): | CVE-2006-2937, CVE-2006-2940, CVE-2006-3780, CVE-2006-4343, CVE-2006-3738 |
| Created: | September 28, 2006 |
| Updated: | December 12, 2006 |
| Description: | OpenSSL has a number of denial of service vulnerabilities including: two vulnerabilities involving invalid ASN.1 structures, a buffer overflow in the SSL_get_shared_ciphers() function and an SSLv2 client crash that can be caused by a malicious server. |
| Alerts: | |
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-4481, CVE-2006-4484, CVE-2006-4485 |
| Created: | September 8, 2006 |
| Updated: | June 13, 2008 |
| Description: | The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481). A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484). The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: | |
Comments (1 posted)
php: buffer overflows
| Package(s): | php |
| CVE #(s): | CVE-2006-5465 |
| Created: | November 3, 2006 |
| Updated: | January 18, 2010 |
| Description: | The Hardened-PHP Project discovered buffer overflows in the internal routines behind PHP's htmlentities and htmlspecialchars functions. Of course, the whole purpose of these functions is to be fed user input. The overflow can only occur when UTF-8 is used. |
| Alerts: | |
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
| CVE #(s): | CVE-2006-1896 |
| Created: | May 22, 2006 |
| Updated: | February 11, 2008 |
| Description: | It was discovered that phpbb2, a web based bulletin board, insufficiently sanitizes values passed to the "Font Color 3" setting, which might lead to the execution of injected code by admin users. |
| Alerts: | |
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
| CVE #(s): | CVE-2005-3310, CVE-2005-3415, CVE-2005-3416, CVE-2005-3417, CVE-2005-3418, CVE-2005-3419, CVE-2005-3420, CVE-2005-3536, CVE-2005-3537 |
| Created: | December 22, 2005 |
| Updated: | February 11, 2008 |
| Description: | The phpbb2 web forum has a number of vulnerabilities including: a web script injection problem, a protection mechanism bypass, a security check bypass, a remote global variable bypass, cross site scripting vulnerabilities, an SQL injection vulnerability, a remote regular expression modification problem, missing input sanitizing, and a missing request validation problem. |
| Alerts: | |
Comments (none posted)
phpMyAdmin: several vulnerabilities
| Package(s): | phpMyAdmin |
| CVE #(s): | CVE-2006-3388, CVE-2006-5116, CVE-2006-5117, CVE-2006-5718 |
| Created: | November 24, 2006 |
| Updated: | November 29, 2006 |
| Description: | Several vulnerabilities have been fixed in phpMyAdmin version 2.9.1.1, including cross-site scripting and cross-site request forgery vulnerabilities. |
| Alerts: | |
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
| CVE #(s): | CVE-2006-2313, CVE-2006-2314 |
| Created: | May 24, 2006 |
| Updated: | June 6, 2007 |
| Description: | The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a newly-discovered set of SQL injection issues. Details about the problem can be found on the technical information page; in short: multi-byte encodings can be used to defeat normal string sanitizing techniques. The update fixes one problem related to invalid multi-byte characters, but punts on another by simply disallowing the old, unsafe technique of escaping single quotes with a backslash. |
| Alerts: | |
Comments (1 posted)
proftpd: denial of service
| Package(s): | proftpd |
| CVE #(s): | CVE-2006-5815 |
| Created: | November 17, 2006 |
| Updated: | January 24, 2007 |
| Description: | A denial of service (DoS) vulnerability exists in the FTP server ProFTPD, up to and including version 1.3.0. The flaw is due to both a potential bus error and a definitive buffer overflow in the code which determines the FTP command buffer size limit. The vulnerability can be exploited only if the "CommandBufferSize" directive is explicitly used in the server configuration. |
| Alerts: | |
Comments (none posted)
pstotext: insecure file name quoting
| Package(s): | pstotext |
| CVE #(s): | CVE-2006-5869 |
| Created: | November 27, 2006 |
| Updated: | November 29, 2006 |
| Description: | Brian May discovered that pstotext, a utility to extract plain text from Postscript and PDF files, performs insufficient quoting of file names, which allows execution of arbitrary shell commands. |
| Alerts: | |
Comments (none posted)
quake: buffer overflow
| Package(s): | quake3-bin |
| CVE #(s): | CVE-2006-2236 |
| Created: | May 10, 2006 |
| Updated: | January 12, 2009 |
| Description: | Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: | |
Comments (none posted)
rpm: arbitrary code execution
| Package(s): | rpm |
| CVE #(s): | CVE-2006-5466 |
| Created: | November 6, 2006 |
| Updated: | August 28, 2007 |
| Description: | An error was found in the RPM library's handling of query reports. In some locales, certain RPM packages would cause the library to crash. If a user was tricked into querying a specially crafted RPM package, the flaw could be exploited to execute arbitrary code with the user's privileges. |
| Alerts: | |
Comments (none posted)
ruby: denial of service
| Package(s): | ruby |
| CVE #(s): | CVE-2006-5467 |
| Created: | October 30, 2006 |
| Updated: | December 13, 2006 |
| Description: | The CGI library in Ruby 1.8 allowed a remote attacker to cause a denial of service via an HTTP request with a multipart MIME body that contained an invalid boundary specifier, which would result in an infinite loop and CPU consumption. |
| Alerts: | |
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
| CVE #(s): | CVE-2006-1174 |
| Created: | May 25, 2006 |
| Updated: | June 12, 2007 |
| Description: | The useradd tool from the shadow-utils package has a potential security problem. When a new user's mailbox is created, the permissions are set to random garbage from the stack, potentially allowing the file to be read or written during the time before fchmod() is called. |
| Alerts: | |
Comments (none posted)
tar: symlink vulnerability
| Package(s): | tar |
| CVE #(s): | CVE-2006-6097 |
| Created: | November 28, 2006 |
| Updated: | December 20, 2006 |
| Description: | Teemu Salmela discovered that tar still handles the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges. |
| Alerts: | |
Comments (none posted)
thttpd: insecure temporary files
| Package(s): | thttpd |
| CVE #(s): | CVE-2006-4248 |
| Created: | November 3, 2006 |
| Updated: | December 1, 2006 |
| Description: | Marco d'Itri discovered that thttpd, a small, fast and secure webserver, makes use of insecure temporary files when its logfiles are rotated, which might lead to a denial of service through a symlink attack. |
| Alerts: | |
Comments (none posted)
Mozilla products: multiple vulnerabilities
| Package(s): | thunderbird firefox seamonkey |
| CVE #(s): | CVE-2006-5463, CVE-2006-5747, CVE-2006-5748, CVE-2006-5464 |
| Created: | November 8, 2006 |
| Updated: | December 11, 2006 |
| Description: | Numerous vulnerabilities have been found in the Mozilla JavaScript and HTML rendering code, leading to possible remote code execution attacks. This CERT advisory contains details. |
| Alerts: | |
Comments (none posted)
trac: cross-site request forgery
| Package(s): | trac |
| CVE #(s): | CVE-2006-5848, CVE-2006-5878 |
| Created: | November 13, 2006 |
| Updated: | December 13, 2006 |
| Description: | It was discovered that Trac, a wiki and issue tracking system for software development projects, performs insufficient validation against cross-site request forgery, which might lead to an attacker being able to perform manipulation of a Trac site with the privileges of the attacked Trac user. |
| Alerts: | |
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
| CVE #(s): | CVE-2005-4667 |
| Created: | February 6, 2006 |
| Updated: | May 2, 2007 |
| Description: | A buffer overflow in UnZip 5.50 and earlier allows local users to execute arbitrary code via a long filename command line argument. NOTE: since the overflow occurs in a non-setuid program, there are not many scenarios under which it poses a vulnerability, unless unzip is passed long arguments when it is invoked from other programs. |
| Alerts: | |
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
| CVE #(s): | CVE-2005-3183 |
| Created: | October 14, 2005 |
| Updated: | May 2, 2007 |
| Description: | Extensive testing of libwww's handling of multipart/byteranges content from HTTP/1.1 servers revealed multiple logical flaws and bugs in Library/src/HTBound.c. |
| Alerts: | |
Comments (1 posted)
wv: integer overflow
| Package(s): | wv |
| CVE #(s): | CVE-2006-4513 |
| Created: | November 2, 2006 |
| Updated: | December 7, 2006 |
| Description: | The wv library has an integer overflow vulnerability in the DOC file parser. If a user can be tricked into opening a maliciously crafted MSWord file, a remote attacker can execute arbitrary code with the privileges of the user. |
| Alerts: | |
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
| CVE #(s): | CVE-2006-1664 |
| Created: | April 27, 2006 |
| Updated: | February 27, 2008 |
| Description: | xine-lib does an improper input data boundary check on MPEG streams. A specially crafted MPEG file can be created that can cause arbitrary code execution when the file is accessed. |
| Alerts: | |
Comments (none posted)
xine-ui: format string vulnerabilities
| Package(s): | xine-ui |
| CVE #(s): | CVE-2006-2230 |
| Created: | June 9, 2006 |
| Updated: | January 24, 2007 |
| Description: | Several format string vulnerabilities have been discovered in xine-ui, the user interface of the xine video player, which may cause a denial of service. |
| Alerts: | |
Comments (none posted)
xinit: race condition
| Package(s): | xinit |
| CVE #(s): | CVE-2006-5214 |
| Created: | October 17, 2006 |
| Updated: | August 9, 2007 |
| Description: | A race condition allows local users to see error messages generated during another user's X session. This could allow potentially sensitive information to be leaked. |
| Alerts: | |
Comments (1 posted)
X.org: local privilege escalations
| Package(s): | xorg-x11 |
| CVE #(s): | CVE-2006-4447 |
| Created: | August 28, 2006 |
| Updated: | April 30, 2007 |
| Description: | Several X.org libraries and X.org itself contain system calls to set*uid() functions without checking their result. Local users could deliberately exceed their assigned resource limits and elevate their privileges after an unsuccessful set*uid() system call. This requires resource limits to be enabled on the machine. |
| Alerts: | |
Comments (none posted)
X.Org: buffer overflow
| Package(s): | xorg-x11-server xorg-x11 |
| CVE #(s): | CVE-2006-1526 |
| Created: | May 3, 2006 |
| Updated: | January 10, 2007 |
| Description: | There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information. |
| Alerts: | |
Comments (none posted)
xorg-x11: privilege escalation
| Package(s): | xorg-x11 xfree86 |
| CVE #(s): | CVE-2006-3739, CVE-2006-3740 |
| Created: | September 12, 2006 |
| Updated: | December 14, 2006 |
| Description: | iDefense reported two integer overflow flaws in the way the X.org server processed CID font files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the X.org server. |
| Alerts: | |
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
xpdf: integer overflows
| Package(s): | xpdf, poppler, cupsys, tetex-bin |
CVE #(s): | CVE-2005-3624
CVE-2005-3625
CVE-2005-3626
CVE-2005-3627
|
| Created: | January 5, 2006 |
Updated: | November 30, 2006 |
| Description: |
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin. |
| Alerts: |
|
Comments (none posted)
Resources
Sourcefire has announced the availability of the free "OfficeCat" tool,
which scans Microsoft Office files for hostile content.
Full Story (comments: 2)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 kernel remains 2.6.19. The 2.6.20 merge window has
opened, and the first pile of patches has been merged (see below); it will
probably be at least another week before 2.6.20-rc1 comes out, however.
There have also been no -mm releases over the last week. Andrew Morton has
posted the -mm merge plan for
2.6.20, however, so one can see how -mm is expected to shrink as
patches move to the mainline.
Older release news: 2.6.18.5 was released on
December 1. It contains a couple dozen important fixes.
Adrian Bunk has released 2.6.16.35-rc1; it contains a
rather long list of fixes.
Willy Tarreau has announced 2.4.34-rc1 with one security
update and a relatively small number of other fixes.
Comments (none posted)
Kernel development news
-static void stli_dohangup(void *arg)
+static void stli_dohangup(struct work_struct *ugly_api)
{
- stliport_t *portp = (stliport_t *) arg;
+ stliport_t *portp = container_of(ugly_api, stliport_t, tqhangup);
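Review bot: the new parameter name `ugly_api` records an opinion about the workqueue change rather than describing the argument; naming it `work`, to match its `struct work_struct *` type, would make `container_of(ugly_api, stliport_t, tqhangup)` read naturally. That `container_of()` also relies on `tqhangup` being the `struct work_struct` embedded in `stliport_t` and on the work having been queued from that member; neither declaration is visible in this excerpt, so a reader cannot confirm it here.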
--
Al Viro adapts to the new workqueue API
Comments (5 posted)
Toward the end of the 2.6.19 cycle, there was a brief linux-kernel
discussion on whether 2.6.20 should be a bugfix-only release. Just in case
anybody thought that might actually happen, the patches merged for 2.6.20
will make the situation clear. There will be a lot of new stuff in the
next stable kernel release.
That said, the rate of patches into the kernel has been lower than in some
previous cycles. It may be that the workqueue patches have created some
conflicts which are slowing things down.
As of this writing, the user-visible changes merged include:
- New drivers for NetXen 1G/10G Ethernet controllers, Atmel MACB
Ethernet modules, Tsi108/9 Ethernet controllers, and Chelsio Ethernet
controllers (but without TCP offload support).
- Numerous serial and parallel ATA driver improvements.
- SCSI busses can optionally be scanned asynchronously. On large
systems with many SCSI peripherals, this can speed the bootstrap
process considerably.
- The set of TCP congestion control algorithms which can be selected by
unprivileged processes has been restricted to those which are known to
be robust and fair. The system administrator can still select any
algorithm supported by Linux.
- Various improvements have been made to the DCCP code, including
SELinux support.
- Some obsolete, unsupported, and presumably unused capabilities have
been removed, including the frame diverter and the floppy tape (ftape)
driver.
- MD5 protection for TCP sessions (RFC 2385) has been added; this
capability is normally only used with the BGP routing protocol.
- The UDP-Lite protocol (RFC 3828) is now supported; see the UDP-Lite
page for more information on this protocol, which is oriented
toward the needs of streaming multimedia applications.
Changes visible to kernel developers include:
- The workqueue API
changes have been merged, resulting in changes throughout the
tree. David Howells has posted a detailed
set of instructions on how to fix code broken by these changes.
- Much of the sysfs-related code has been changed to use struct
device in place of struct class_device. The latter
structure will eventually go away as the class and device mechanisms
are merged.
- There is a new function:
    int device_move(struct device *dev, struct device *new_parent);
This function will reparent the given device to new_parent,
making the requisite sysfs changes and generating a special
KOBJ_MOVE event for user space.
- The networking subsystem has been heavily annotated for automated
checking using sparse.
- A number of kernel header files which included other headers no longer
do so. For example, <linux/fs.h> no longer includes
<linux/sched.h>. These changes should speed kernel
build times by getting rid of a large number of unneeded includes, but
might break some out-of-tree modules which do not explicitly include
all the headers they need.
The merge window should stay open for another week or so, so there's plenty
of time for more stuff to be added. Those who can't wait might want to
take a look at Andrew Morton's -mm merge plan posting for some
previews of what's coming.
Comments (16 posted)
The timer API allows kernel code to request that a function be called at
some point in the future. At its core is the
timer_list
structure, which contains a few fields of interest:
    struct timer_list {
        unsigned long expires;
        void (*function)(unsigned long);
        unsigned long data;
        /* ... */
    };
To request an action in the future, a kernel function places a relative
expiration time (expressed in jiffies) in expires and some sort of
useful private value in data. function() is a pointer to
a routine which will be called after (at least) the requested
number of jiffies have passed; data will be its only parameter.
After the timer_list structure has been set up, a call to
add_timer() puts the request into the system.
This API has not changed much in some time; as a result, the description of
timers in Chapter 7 of Linux Device
Drivers is still useful for those wanting details. It may, in fact, be
the only part of LDD3 which is not yet thoroughly obsolete.
That situation may change soon, however, as there are developers with their
eyes on this interface. Interestingly, there are two very different ideas
of how the timer API should be changed.
The conversation was started by Al Viro
who, for some time now, has been working on improving the type safety of
the kernel API. He notes that the unsigned long argument to timer
functions is, in fact, almost always a pointer value. So there is a lot of
code in the kernel which is busily casting pointers to unsigned
long values and back - or engaging in lazy trickery to avoid having to
do those casts. Casts like this make compile-time type checking almost
impossible, so every one is an opportunity to introduce hard-to-find bugs.
Al would like to fix this problem by creating a more type-safe interface to
the kernel timer subsystem. His approach involves changing the type of the
timer function argument to void *, reflecting the fact that
it's usually a pointer type. He then has a SETUP_TIMER() macro
which involves the following bit of code:
    typeof(*data) *p = data;
    timer->function = (void (*)(void *)) func;
    timer->data = (void *) p;
    (void)(0 && (func(p), 0));
The middle two lines are simply initializing the relevant fields of the
timer_list structure. What the last line is doing, however, is
creating a call to the timer function with the provided argument; if there
is a type mismatch between that argument and the function's prototype, the
compiler will complain. The call is written in such a way that it will be
optimized out, so that call does not make it through to the kernel image.
But, in the running kernel, it will be known that the timer function is
receiving an appropriately-typed argument.
There are a lot of timers in the kernel, so this is the sort of
change which makes people nervous. Al's plan involves creating the
SETUP_TIMER() macro, but leaving the callback function's prototype
unchanged. Then parts of the kernel could be converted at leisure, with
the callback function prototype being changed once the conversion of
in-kernel code is complete.
Thomas Gleixner joined in with an
alternative suggestion: remove the data value from struct
timer_list altogether, and pass a pointer to the timer_list
structure into the callback function. If that structure is embedded within
some other structure which has the information the callback really needs, a
simple recast with container_of() will yield the needed pointer.
The result would be a smaller timer_list structure. This approach
mirrors the proposed workqueue
API changes discussed here last week.
Al doesn't like that idea. He has been working to get rid of casts in the
kernel, but this API would require the introduction of hundreds more of
them. There is little type safety built into container_of(). To
him, the space required for a pointer is more than justified by the extra
compile-time checking that comes from its use.
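As an added illustration (not code from Al Viro's or Thomas Gleixner's patches), the following user-space model puts the two proposals side by side: a SETUP_TIMER() built from the macro body quoted above, which makes the compiler check the callback argument, and a data-less timer_list whose callback recovers its context with container_of(). The two timer_list models, struct my_device, the callbacks and the fire_*() helpers are assumptions of the example; only the macro body follows the article.

```c
#include <stddef.h>
#include <stdio.h>

/* Model of struct timer_list as Al Viro would change it: the callback takes
 * a void * instead of an unsigned long, and data is a void * to match.
 * expires is kept to mirror the kernel structure but is not used here. */
struct timer_list_viro {
    unsigned long expires;
    void (*function)(void *);
    void *data;
};

/* Model of struct timer_list under Thomas Gleixner's proposal: no data
 * field at all; the callback receives a pointer to the timer itself. */
struct timer_list_tglx {
    unsigned long expires;
    void (*function)(struct timer_list_tglx *);
};

/* User-space stand-in for the kernel's container_of(). */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Al Viro's SETUP_TIMER() as quoted in the article. The last statement
 * spells out a call func(p), so the compiler checks p against func's
 * prototype; the leading 0 && guarantees the call never executes and is
 * optimised away. __typeof__ is the spelling that works under any -std. */
#define SETUP_TIMER(timer, func, data_) do {              \
        __typeof__(*(data_)) *p = (data_);                \
        (timer)->function = (void (*)(void *)) (func);    \
        (timer)->data = (void *) p;                       \
        (void)(0 && ((func)(p), 0));                      \
    } while (0)

/* A hypothetical driver structure embedding one timer of each kind. */
struct my_device {
    int fired;
    struct timer_list_viro viro_timer;
    struct timer_list_tglx tglx_timer;
};

/* Viro-style callback: receives the typed pointer it was set up with. */
static void viro_callback(struct my_device *dev)
{
    dev->fired++;
}

/* Gleixner-style callback: receives the timer and recovers the device with
 * container_of(). Name the wrong member here and the compiler stays silent;
 * the mistake only shows up as the "trivial crash" Ingo Molnar mentions. */
static void tglx_callback(struct timer_list_tglx *t)
{
    struct my_device *dev = container_of(t, struct my_device, tglx_timer);
    dev->fired++;
}

/* What the timer core would do when a timer expires, in each design. */
static void fire_viro(struct timer_list_viro *t) { t->function(t->data); }
static void fire_tglx(struct timer_list_tglx *t) { t->function(t); }

/* Sets up both timers on one device, fires each once and returns how many
 * callbacks ran (2). The commented-out line is what SETUP_TIMER() catches:
 * an int * handed to a callback that expects a struct my_device *. */
int demo_timer_apis(void)
{
    struct my_device dev = { .fired = 0 };

    SETUP_TIMER(&dev.viro_timer, viro_callback, &dev);
    dev.viro_timer.expires = 100;
    /* SETUP_TIMER(&dev.viro_timer, viro_callback, &dev.fired); <- compiler complains */

    dev.tglx_timer.function = tglx_callback;
    dev.tglx_timer.expires = 100;

    fire_viro(&dev.viro_timer);
    fire_tglx(&dev.tglx_timer);
    return dev.fired;
}

/* The other side of the tradeoff: the per-timer sizes being argued over. */
size_t viro_timer_size(void) { return sizeof(struct timer_list_viro); }
size_t tglx_timer_size(void) { return sizeof(struct timer_list_tglx); }

int main(void)
{
    printf("callbacks run: %d\n", demo_timer_apis());
    printf("timer_list with data: %zu bytes, without: %zu bytes\n",
           viro_timer_size(), tglx_timer_size());
    return 0;
}
```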
Ingo Molnar, in disagreeing, makes the
tradeoff clear:
The question is: which is more important, the type safety of a
container_of() [or type cast], which if we get it wrong produces a
/very/ trivial crash that is trivial to fix - or embedded timers
data structure size all around the kernel? I believe the latter is
more important.
Not too many other developers have joined the discussion so far. It's an
important one, though; how this decision goes could shape how kernel APIs
are designed in the future. Perhaps somebody will come up with a way to
have both type safety and smaller size. Until such a time, however, there
is a tradeoff to be made, and it's not clear which way the decision will
go.
Comments (19 posted)
A look at the man page for the
chattr command reveals some
interesting functionality; users may set special bits on files to request
either that the file be undeletable, or that deletion be "secure" - meaning
that the file's contents truly disappear from the disk. The key word here,
however, is "request." Those bits have existed for many years, but few -
if any - Linux filesystems actually implement those features. The
undeletable and secure deletion flags are just placeholders for a "would be
nice" feature to be added in the future. Someday.
That day may be a little closer thanks to this patch posted by Nikolai
Joukov. It adds support for those two flags to ext4 in a relatively simple
and straightforward way.
The patch works like this: whenever the last link is removed from a file,
the undeletable and secure deletion flags are checked. Should either one
be set, the file will be moved over to the .trash/<uid>/
directory in the root of the filesystem. Each per-uid directory has
restrictive permissions, keeping users from perusing each others' deleted
files. There are no subdirectories, so the path information is lost;
preserving paths might be added in a future version. A number is appended
to the file name when collisions with files already in the trash happen.
That's it for the kernel side. Undeletion is easily handled from user
space by simply moving the file back out of the trash. The secure deletion
feature is also to be done in user space, however. A special daemon can
overwrite the file data in whatever way best suits the user's paranoia,
then delete the file for real. A possible addition to the patch is a
notification mechanism to force that daemon to run when filesystem space
gets tight. In any case, all of the policy decisions on how to handle
secure deletion requests would live in user space.
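As an added example (not Nikolai Joukov's patch, which does this inside ext4's unlink path), here is a user-space model of both halves of the scheme: the kernel-side move into .trash/<uid>/ with a number appended on collision, and the daemon-side overwrite-then-delete for a secure deletion request. The function names, the 0711/0700 directory modes, the use of link() to detect collisions atomically and the zero-fill overwrite are assumptions of the example; the flag values are those of <linux/fs.h>.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#ifndef FS_SECRM_FL  /* chattr 's' and 'u' inode flag bits, values as in <linux/fs.h> */
#define FS_SECRM_FL 0x00000001
#define FS_UNRM_FL  0x00000002
#endif
/* Model of the patch's kernel side, run where a file's last link goes away.
 * Without either flag the file is unlinked as usual. With a flag it is moved to
 * <fsroot>/.trash/<uid>/<basename> (directory information is dropped) and a
 * number is appended when that name is taken. Returns 0 or -errno; *moved says
 * which branch ran and dest receives the trash path. */
int trash_aware_unlink(const char *fsroot, const char *path, uid_t uid,
                       unsigned int flags, int *moved, char *dest, size_t destlen)
{
    char dir[4096];
    const char *base = strrchr(path, '/');
    unsigned int n;
    *moved = 0;
    if (!(flags & (FS_UNRM_FL | FS_SECRM_FL)))
        return unlink(path) == 0 ? 0 : -errno;
    snprintf(dir, sizeof dir, "%s/.trash", fsroot);
    if (mkdir(dir, 0711) != 0 && errno != EEXIST)
        return -errno;
    snprintf(dir, sizeof dir, "%s/.trash/%u", fsroot, (unsigned int)uid);
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)   /* owner-only per-uid directory */
        return -errno;
    base = base ? base + 1 : path;
    for (n = 0; ; n++) {
        if (n == 0)
            snprintf(dest, destlen, "%s/%s", dir, base);
        else
            snprintf(dest, destlen, "%s/%s.%u", dir, base, n);
        /* link(), not rename(): it reports EEXIST on a collision instead of
         * silently overwriting an earlier trashed file of the same name. */
        if (link(path, dest) == 0)
            break;
        if (errno != EEXIST)
            return -errno;
    }
    if (unlink(path) != 0)
        return -errno;
    *moved = 1;
    return 0;
}

/* Model of the user-space daemon's job for a secure-deletion entry: overwrite
 * the data (zeros here; the pattern is the daemon's policy), flush it, then
 * delete the file for real. Returns 0 or -errno. */
int secure_purge(const char *trashed)
{
    static const char zeros[4096];
    struct stat st;
    off_t left;
    int fd = open(trashed, O_WRONLY);
    if (fd < 0 || fstat(fd, &st) != 0)
        return -errno;
    for (left = st.st_size; left > 0; ) {
        size_t chunk = left < (off_t)sizeof zeros ? (size_t)left : sizeof zeros;
        if (write(fd, zeros, chunk) != (ssize_t)chunk) { close(fd); return -EIO; }
        left -= (off_t)chunk;
    }
    if (fsync(fd) != 0 || close(fd) != 0)
        return -errno;
    return unlink(trashed) == 0 ? 0 : -errno;
}

static int make_file(const char *p, const char *text)
{
    FILE *f = fopen(p, "w");
    return f && fputs(text, f) >= 0 ? fclose(f) : -1;
}

/* Walks the policy over constructed files in a temporary directory that stands
 * in for the filesystem root. Returns 0 when every step behaved as the patch
 * describes, otherwise the number of the first step that did not. */
int demo_trash_policy(void)
{
    char root[] = "/tmp/ext4trash.XXXXXX", path[4096], first[4096], second[4096];
    struct stat st;
    int moved;
    if (!mkdtemp(root)) return 1;
    snprintf(path, sizeof path, "%s/notes.txt", root);
    /* 2: no flag -> ordinary unlink, nothing lands in the trash. */
    if (make_file(path, "plain") || trash_aware_unlink(root, path, 1000, 0, &moved, first, sizeof first)
        || moved || stat(path, &st) == 0) return 2;
    /* 3: 'u' flag -> moved to .trash/1000/notes.txt, gone from its old name. */
    if (make_file(path, "keep") || trash_aware_unlink(root, path, 1000, FS_UNRM_FL, &moved, first, sizeof first)
        || !moved || stat(path, &st) == 0 || stat(first, &st)) return 3;
    /* 4: same name again -> collision, so the newcomer gets a numeric suffix. */
    if (make_file(path, "again") || trash_aware_unlink(root, path, 1000, FS_SECRM_FL, &moved, second, sizeof second)
        || !moved || !strcmp(first, second) || stat(second, &st)) return 4;
    /* 5: the per-uid directory grants nothing to group or others. */
    snprintf(path, sizeof path, "%s/.trash/1000", root);
    if (stat(path, &st) || (st.st_mode & 077)) return 5;
    /* 6: the daemon purges the secure-deletion entry for real; the 'u' entry stays. */
    if (secure_purge(second) || stat(second, &st) == 0 || stat(first, &st)) return 6;
    unlink(first); rmdir(path); snprintf(path, sizeof path, "%s/.trash", root); rmdir(path); rmdir(root);
    return 0;
}
```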
One might wonder why the trash can needs to be implemented in the kernel.
The desktop projects have, after all, had a trash can available for some
time. There seem to be two reasons why this patch adds that
functionality. The first is that it comes for free with this approach to
secure deletion. More importantly, however: it is not really possible for
a user-space solution to intercept every attempt to delete a file. The
nicest file manager available will not be able to do anything about an
"rm" command typed into a shell, or an unlink() call from
within a non-cooperating application. Catching file deletion within the
kernel ensures that none will slip through the cracks.
The patch has not received a whole lot of comments as of this writing. One
question which has come up is: why not do this at the VFS layer, rather
than within ext4? There is little that is ext4-specific about the patch,
and doing the work within the VFS would make this feature available to all
filesystems - at least those which support the relevant file flags.
Mr. Joukov agrees that moving this feature
up might be the right thing to do, so there may be a reworked version of
this patch coming in the future.
Comments (22 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Kanotix is a live CD distribution that originally used Knoppix as a base.
As a live CD it automatically
detects and configures lots of hardware and has software for analysis, data
rescue, forensic work, removal of viruses on Windows systems, or it can be used for
surfing and mailing in an Internet cafe. Kanotix can also be installed to a
hard drive where it allows the user access to all the packages available in
the Debian unstable repository. The Kanotix fan base has remained loyal
because of the hardware support and because of the great community support
available to help smooth over the rough spots while following Debian
unstable, aka 'sid'.
Now it seems that Kanotix will be changing. One developer, Stefan
Lippers-Hollmann (slh) has left the project. Lead developer Jörg
Schirottke (Kano) writes:
Since financing Kanotix through donations has proved a failure and I am
planning restructuring to a more stable base (be it Ubuntu or Debian will
have to show in tests) and I myself regard Debian/Sid as unfortunately not
compliant with a more commercial orientation, he [Stefan Lippers-Hollmann]
has left the project.
Stefan Lippers-Hollmann posted his resignation to an internal section of
the forum, but it has been copied in its entirety (with permission) into
this public
forum post by kelmo. Stefan writes:
I hereby resign from all positions within the Kanotix project because of
technical and personal disagreements about the status quo. Therefore I suggest
changing all passwords I might have had access to (including the webserver,
different login passwords, postnuke accounts etc.) and locking my account on
the forum. I've already withdrawn my key from kanotix-archive-keyring.
Why do I resign after two years of hard work for Kanotix?
As expected this isn't easy to answer and has evolved over time, but technical
and personal disagreements make this step inevitable and non-revocable for me.
In particular I object to:
- almost one year without any form of suitable release:
- this is an eternity for a Debian sid based distribution; clean upgrading
from the latest release to current -sid is no longer possible
- no significant technical progress in those >11 months from upper leading
personnel, planned milestones slipped, finished code improvements were
neither incorporated nor even tested
- seriously deteriorating inter-project communications and working atmosphere
- unequal distribution of workload and/or responsibilities
- a significant shift of agenda in ways I cannot and will not endorse
Meanwhile, for those who still want to follow Debian sid, but need some help getting
through the rougher spots, a new distribution, sidux, is on the horizon. This sidux press release introduces a new
star in the Linux galaxy:
On 24th of November 2006 sidux was formed by a group of people who strive
to do the impossible: making Debian Sid (aka "Unstable") stable. The goal
is becoming the best Debian Sid based live distro with special focus on
clean and easy hard disk install. Strategic milestones and 3-4 planned
releases timetabled will give stability and accountability to corporate and
home users with a demand for bleeding edge software running on modern
hardware, and a definable path over time.
sidux has yet to see its first release, but the documentation is there
to upgrade an existing Kanotix system, or to install sidux on a free
partition. The forums and IRC channels are open and there's code available
in its SVN repository. This would seem to be a good time to get started,
while Debian sid is relatively stable.
Comments (2 posted)
New Releases
openSUSE 10.2 has been completed. "There are still a lot of bugs open for
10.2 and I'm sure real usage over the time will find some more. We will
release via online update security updates for 10.2 as usual and release
also the most severe bug fixes. But most bug fixes will only be done for
10.3, our next release coming out next summer."
Full Story (comments: none)
rPath has released updated images for rPath Linux 1. "The new images
incorporate installation fixes for certain installation methods and all
package updates released as of November 22. The Xen dom0 images have been
enhanced with several additional packages for various filesystems and LVM
support."
Full Story (comments: none)
The first test release for the upcoming Ubuntu "Feisty Fawn" distribution
is now available. They suggest not trying it if you're not prepared to run
into a few bugs. See this page for a list of new things in Feisty. "Feisty
will certainly
lead the way with new desktop technologies, including 3d effects and
windows that wobble. On the networking side, Network Manager is likely
going to finally make it on the default desktop, after what seems like
forever waiting in the wings. On the Zeroconf side, Feisty will have Avahi
installed and enabled by default. Upstart, the sysvinit replacement, is
going to have the new event-based init system actually turned on, for
faster and more reliable booting."
Full Story (comments: 9)
A beta live CD version of Fedora 6 with software from Core and Extras is
available. Click below for download information.
Full Story (comments: none)
Distribution News
Andreas Barth looks at the Etch release. "There are a few items that
should be resolved prior to the hard freeze, for the very good reason that
we don't want to spend time reviewing fixes if we can use the same time
(more productive) for fixing bugs."
Full Story (comments: none)
Linspire, Inc. has announced the immediate release and digital availability
of Linspire 5 in German, Dutch, Spanish, and Standard English (UK). "The
combined translation
efforts from the community-based desktop Linux localization IRMA Project,
with the commercial support from Linspire translation specialists and
strategic partners, continues the international expansion of new language
offerings, following the announcement of Linspire 5 French last
week."
Comments (none posted)
Mandriva has launched Mandriva Flash, the first Mandriva Linux Live USB
key. "Bringing its long experience with Live CDs, Mandriva aims to
offer the best performing live system. All you have to do is plug in the
USB key, turn the PC on and the Mandriva Linux 2007 operating system is
ready to use in no time, with all you need for office work, Internet and
multimedia tasks."
Full Story (comments: none)
OpenPKG GmbH has created an Advent Calendar, with background information
and tips & tricks about OpenPKG.
Full Story (comments: none)
Distribution Newsletters
The Fedora Weekly News for December 4, 2006 covers Fedora Project is Hiring,
Fedora Ambassadors Day, Eclipse on Linux Distributions Project, FUDCon
Boston 2007, SCALE 5X Registration Opens, Migration to Fedora Core 6, and
several other topics.
Comments (none posted)
The Gentoo Weekly Newsletter for the week of November 27, 2006 is out, with a look
at new x86/i586 stages, experimental Alpha/PPC LiveCD images, GNOME 2.16
going stable, new virtual/mysql, and much more.
Comments (none posted)
The first Ulteo Newsletter takes a look at what's been happening behind the
scenes of the Ulteo Project. The first alpha release of Ulteo should be
available soon. "For this first
alpha release, be prepared to dive a bit inside the system to understand
the potential of Ulteo. On the desktop you will find only a few differences
with what you can use or see when compared to a graphical environment on
other distro's. Maybe then you will understand what makes Ulteo different,
and you will start to think about the next steps of development."
(For those just tuning in, Ulteo is what Gaël Duval has been working on since leaving Mandriva).
Full Story (comments: 8)
The DistroWatch Weekly for December 4, 2006 is out. "It's openSUSE week, as one
of the oldest and most popular Linux distributions on the market makes a
brand new release on Thursday. Will the project's association with Novell
(and, indirectly, Microsoft) hurt the download figures? We'll have to wait
and see. In the meantime, the much awaited public release from Gaël
Duval's Ulteo is about to hit the download mirrors - expect the live CD
image later this week. Also in the news: interest in running Linux on Sony
PlayStation 3 intensifies, KANOTIX is rocked by resignation of a
co-developer, and Ubuntu developers react on the project's decision to
include proprietary graphics driver in Feisty. Finally, we are pleased to
announce that the recipient of DistroWatch's November 2006 donation is the
digiKam project."
Comments (none posted)
Package updates
Updates for Fedora Core 6:
parted
(upgrade to GNU parted-1.8.0),
pyparted
(upgrade to pyparted-1.8.0),
net-snmp (fix
memory leak),
gjdoc (fixes required to build multilib version of Eclipse),
gnome-volume-manager (prevent storage devices
from mounting when the screen saver is running),
hal (bug fixes),
dbus-glib (bug fixes),
authconfig (bug fixes),
mod_auth_kerb (bug fix),
audit (bug fix),
dbus (update to 1.0.1),
redhat-menus (bug fix),
hsqldb (add missing entries to files section),
openssl (bug fix),
control-center (gnome bug fix),
rhythmbox (bug fix),
gnome-session (bug fix),
m17n-db (fixed a typo),
ppp (bug fix),
frysk (new upstream version),
freetype (bug fixes, Asian font fix),
dbus (bug fix),
boost (bug fixes),
libsoup (update to 2.2.98),
gtk2 (bug fixes),
selinux-policy (bug fixes),
gamin (bug fix),
gtkhtml3 (update to 3.12.2),
evolution (update to latest 2.8 release),
evolution-data-server (update to 1.8.2),
evolution-connector (update to latest 2.8
release),
libsepol (upgrade to latest from
NSA),
gnome-icon-theme (bug fix),
paps (bug fix),
ypbind (bug fixes),
autofs (bug fixes),
policycoreutils (bug fix),
libvirt (bug fixes, new features),
tar (security bug fix),
freetype (bug fixes),
eclipse (bug fixes),
cpio (bug fix),
gnome-bluetooth (bug fixes),
ntp (bug fix),
initscripts (bug fixes),
kudzu (bug fixes),
virt-manager (bug fix),
fonts-indic (bug fixes),
gaim (bug fixes).
Updates for Fedora Core 5: parted
(upgrade to GNU parted-1.8.0), pyparted
(upgrade to pyparted-1.8.0), audit (fix
minor parsing problem and add new msg types), gamin (bug fixes), boost (bug fixes), tar (security bug fix).
Comments (none posted)
Updates for Mandriva Linux 2007.0:
rpmdrake (bug fixes),
drakxtools (bug fixes),
clamav (new upstream version, also available
for 2006.0, Corporate 3.0 & 4.0).
Comments (none posted)
Updates for rPath Linux 1: conary, conary-build, conary-repository (Conary
1.0.40 maintenance release), openldap, openldap-clients, openldap-servers
(bug fixes).
Comments (none posted)
Updates for Trustix Secure Linux 2.2 & 3.0: samba (new upstream version).
Comments (none posted)
Updates for Ubuntu 6.10: lvm2 2.02.06-2ubuntu3.2, initramfs-tools
0.69ubuntu20.0edgy1,
mediawiki_1.7~edgy1,
katapult_0.3.1.4-0ubuntu2~edgy1,
brasero_0.5.1-0ubuntu2~edgy1,
compiz_0.3.3-0ubuntu2~git2006112~edgy1,
comix_3.6-1~edgy1,
rar_3.6.0-0ubuntu1~edgy1,
lyx_1.4.3-2~edgy1,
flashplugin-nonfree_9.0.21.78.2ubuntu1~edgy1,
seahorse_0.9.7-0ubuntu1~edgy1,
soundconverter_0.9.3-1~edgy1,
stardict_2.4.8-1~edgy1,
unrar-nonfree_3.6.8-0ubuntu2~edgy1,
trac_0.10.2-1~edgy1,
kopete 4:3.5.5+kopete0.12.3-0ubuntu2.1,
mdadm 2.4.1-6ubuntu5.1.
Updates for Ubuntu 6.06 LTS: lvm2
2.02.02-1ubuntu1.2, scummvm_0.9.0-0ubuntu1~dapper1, moodle-book_1.6.1-1~dapper1, seahorse_0.9.7-0ubuntu1~dapper1, moodle_1.6.3-1ubuntu1~dapper1, mediawiki_1.7~dapper1, lirc_0.8.0-9ubuntu1~dapper1, apcupsd_3.12.4-2~dapper1, kino_0.92-1ubuntu2~dapper1, gcin_1.2.9-1ubuntu1~dapper1, mythtv_0.20-0.2ubuntu2~dapper1, mythplugins_0.20-0.6ubuntu4~dapper1, conky_1.4.4-1~dapper1, amule_2.1.3-1~dapper1, libraw1394_1.2.1-2build1~dapper1, rkhunter_1.2.9-2~dapper1, bzflag_2.0.8.20060605ubuntu1~dapper1, flashplugin-nonfree_9.0.21.78.2ubuntu1~dapper1,
cmake_2.4.3-1ubuntu1~dapper1.
Comments (1 posted)
Newsletters and articles of interest
HowtoForge looks at creating a custom kernel on SUSE Linux. "Each
distribution has some
specific tools to build a custom kernel from the sources. This article is
about compiling a kernel on SuSE systems. It describes how to build a
custom kernel using the latest unmodified kernel sources from
www.kernel.org (vanilla kernel) so that you are independent from the
kernels supplied by your distribution. It also shows how to patch the
kernel sources if you need features that are not in there."
Comments (none posted)
Debian Admin covers some Synaptic tips for Ubuntu systems. "Synaptic is a
graphical user
interface (GUI) for managing software packages on Debian-based
distributions. If you are using Debian or Ubuntu you will easily find
Synaptic in the System Tools menu or in the Administration menu. Synaptic
uses the GTK graphic libraries. So, if you are using GNOME on your
debian-based distro you will probably have Synaptic installed as
well. Synaptic is a graphical package management program for apt. It
provides the same features as the apt-get command line utility with a GUI
front-end based on Gtk+."
Comments (none posted)
HowtoForge looks at the use of Automatix2 on Ubuntu. "Although Ubuntu comes
with
lots of applications that can be installed on your desktop, there are still
some applications that are available only from third-party
repositories. Finding all these repositories and installing these
applications manually is very time-consuming, but fortunately some people
have created a script called Automatix2 (which is the successor to
Automatix) which automates the task for you. It comes with a graphical
interface so that you can run it from your desktop, and this tutorial
describes how you do it."
Comments (none posted)
Distribution reviews
Open Addict has a review of Xandros 4.1 Professional. "Xandros Desktop
Professional was released not too
long after Xandros Home Edition-Premium, but the differences are quite
extraordinary. I just recently bought (I'm talking about a week ago) a copy
of Home Edition-Premium (which will be referred to as HEP for the rest of
this review) and noticed it used an older kernel. HEP uses a 2.6.15.x
kernel while the Professional version uses the 2.6.18.x kernel. Another
note of significance is the addition of AIGLX/XGL to the Professional
edition as well as the ability to use Mobile Broadband connections via 3G
and other related technologies. Bluetooth is also available as well as the
addition of the Beagle search utility."
Comments (none posted)
Page editor: Rebecca Sobol
Development
FLAC, the Free Lossless Audio CODEC, is an audio coder/decoder application.
The FLAC features document has this description:
FLAC stands for Free Lossless Audio Codec. Grossly oversimplified, FLAC is similar to MP3, but lossless, meaning that audio is compressed in FLAC without any loss in quality. This is similar to how Zip works, except with FLAC you will get much better compression because it is designed specifically for audio, and you can play back compressed FLAC files in your favorite player (or your car or home stereo, see
supported devices) just like you would an MP3 file.
FLAC formatted audio files are supported by a long list of
software applications on many operating system platforms.
FLAC is also supported by
Rockbox, an open-source
firmware replacement for portable music players.
FLAC can be used to compress common .wav files by a 2:1
ratio. Your author has used FLAC to work on an
audio archiving project, as described in
this article.
Version 1.1.3 of FLAC was recently announced:
Almost 2 years in the making, FLAC 1.1.3 is a major release with improved compression, improved cover art and multichannel support, better recovery for corrupted files, many new features and options in the command-line tools, and several bug fixes. For developers, the decoder and encoder APIs have also been simplified and there is a new porting guide.
The changelog lists the latest improvements, including:
- The compression algorithm has been improved without changing the file format.
- Recovery when dealing with corrupted files is better.
- Multi-channel support is improved.
- The encoder now supports transcoding of FLAC data into Ogg FLAC encapsulation.
- It is now possible to encode pictures, such as album art, into a flac file.
- The options --picture, --import-picture-from and --export-picture-to
have been added.
- A new REPLAYGAIN_REFERENCE_LOUDNESS tag has been added for setting playback levels.
- The frame header definition adds new definitions for multiple speakers.
- The FLAC subset has new restrictions added for processing efficiency.
- The flac decoder adds a -F option for dealing with corrupted files.
- WAVEFORMATEXTENSIBLE .wav files can now be encoded and decoded.
- Multi-channel AIFF and WAVEFORMATEXTENSIBLE files are properly handled.
- A --tag-from-file option has been added for importing cuesheets as a tag.
- The --apodization option is available for specifying LPC analysis window functions.
- Encoding of non-compressed AIFF-C data is now supported.
- metaflac adds support for read-only operations on Ogg FLAC files.
- The developer libraries and associated APIs have been simplified.
- Numerous bugs have been fixed.
The FLAC project has stayed true to its project goals statement; the new
features look like useful additions, and the API simplification effort
should be helpful to developers of new software. FLAC source code and
package files are available here.
Comments (15 posted)
System Applications
Audio Projects
Version 0.9.77 of Rivendell, a radio station automation system, is out.
"Issues addressed include the following:
Broken PLAY Transitions -- Fixes random hangs and log stopdowns
between events with PLAY transition type.
Audio Importation Issues -- Fixes various issues with autotrimming
and level normalization.
RDLogManager Timed-Start Attributes -- Fixes a problem where an
event would fail receive a Hard Time 'Start Immediately' attribute
if the Pre-Import Carts list was empty."
Full Story (comments: 1)
CORBA
omniORB 4.1.0 and omniORBpy 3.0 have been announced; both are stable
versions and include some new features. "I am pleased to announce that
omniORB 4.1.0 and omniORBpy 3.0 are now
available. omniORB is a robust, high performance CORBA implementation
for C++; omniORBpy is a version for Python."
Full Story (comments: none)
Database Software
PostgreSQL 8.2 has been released. There's a fair amount of new stuff in
this release, including significantly improved performance, SQL aggregates,
advisory locks, and more. Click below for details and download information.
Full Story (comments: 1)
The December 3, 2006 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL DBMS articles and resources.
Full Story (comments: none)
Printing
Version 1.25 of
PyKota, a printer quota and
accounting system,
has been announced.
"
After more than six months of work, PyKota v1.25 Official is finally out. The most important new feature is support for the accounting of ink usage, although most of the work took place in the several releases of pkpgcounter published since this past summer."
Comments (none posted)
Security
Version 0.33 of Sussen, a vulnerability and configuration issue
checker, is out with bug fixes and other improvements.
Full Story (comments: none)
Telecom
Version 0.8.0.0 beta of
1bizCom has been announced.
"
1bizCom is a next-generation web-based, multi-tenant, distributed, multi-lingual, inbound, outbound Video enabled VoIP & VVoIP call/contact center solution for Asterisk with Built-in phone, IVR, CRM, Predictive dialer, ACD, Chat, Mail, Fax, Video and other features.
1bC 0.8.0.0 beta is now available that includes major outbound call center software features."
Comments (none posted)
Web Site Development
Version 0.6.0 of Samizdat, an RDF-based engine for building collaboration
and open publishing web sites, is out.
"
The version increase is attributable to the gradual changes in the 0.5.x series
and incorporates almost two years worth of real-world deployment. Now
that Samizdat has finally become a mature open publishing system, the
road is cleared for more intrusive changes and major new features, such
as free exchange and calendaring.
In the way of major features, this version introduces ubiquitous message
translations and RSS syndication. Many old tools are now more flexible
and easier to use".
Full Story (comments: none)
Desktop Applications
Audio Applications
Version 2.0 beta 9 of Ardour, a multi-track audio editor, has been announced.
"
The changelog is persnickety but fulsome".
Comments (none posted)
Version 0.2.0 of HOgg has been announced.
"
The HOgg package provides a commandline tool for manipulating
Ogg files, and a corresponding Haskell library.
This is the initial public release. The focus is on correctness of Ogg
parsing and production. The capabilities of the hogg commandline tool are
roughly on par with those of the oggz* tools[0], although hogg does not
yet provide an equivalent to oggz-validate."
Full Story (comments: none)
Phil Frost has announced the
pyalsa
project.
"
PyAlsa is a set of wrappers for some parts of the
ALSA library. Currently wrapped
are some parts of the sequencer and mixer interfaces.
Included with PyAlsa is midimix.py, an ALSA mixer controllable by MIDI.
It has no GUI (by design) and can send feedback to move motorized faders and such when the mixer changes state in another application."
Full Story (comments: none)
Desktop Environments
Version 2.17.3 of GNOME has been announced.
"
This is our third development release on the road towards GNOME
2.18.0, which will be released in March 2007.
You all know what you have to do now. Go download it. Go compile it. Go
test it. And go hack on it, document it, translate it, fix it."
Full Story (comments: none)
Version 2.17.3 of GARNOME, the bleeding edge GNOME distribution, is out.
"
This release includes all of GNOME 2.17.3 plus a
whole bunch of further updates.
This is the third release in the unstable cycle, with more features,
more fixes and yet more madness added."
Full Story (comments: none)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
The December 3, 2006 edition of the
KDE Commit-Digest has been
announced.
The content summary says:
"
Substantial work and improvement in the
font installation KControl module. Support for OpenDocument annotations in
Okular. New Interface ideas and consistency work in Amarok. KTabEdit gets
better support for the 'Guitar Pro' file format. Iceland map added to
KGeography. Work starts on a new keyboard rendering engine in KTouch, and on
a model/view interface implementation for KVocTrain. Early work on a Phonon
backend for KsCD. Speed optimisations in Strigi, with experimental probing
for the feasibility of leveraging the inotify daemon. Experimental code sees
Akonadi become searchable through Strigi. Kross, the multi-language
application scripting framework, loses its dependency on KOffice and moves
into kdelibs as the cornerstone of scripting in KDE 4."
Comments (none posted)
The following new Xorg software has been announced this week:
More information can be found on the
X.Org Foundation wiki.
Comments (none posted)
Electronics
Development snapshot 2006-12-04 of gnucap, a circuit analysis package,
has been announced.
"
This snapshot keeps the new way devices and models are
dispatched, and adds two user commands "attach" and "detach".
These commands allow the user to add and remove plugins at run
time. The 2006-11-snapshot added the capability to add something just
by linking it, with no other changes required. This version
adds the ability to do it manually at run time.
Work on Verilog-AMS is going well."
Comments (none posted)
Financial Applications
Version 2.6.21 of
SQL-Ledger,
a web-based accounting package, is out with a new whitelist script variable.
See the
What's New document for the project's change history.
Comments (none posted)
Multimedia
Version 0.2 of XMMS2, the descendant of the popular XMMS music player,
is out.
"
This release is minor
features addition and we wanted to get it out before merging
collections and waf migration. This (I know) has been stated before,
but this time we might even do it."
Full Story (comments: none)
Music Applications
Experimental auto-generation of melodies has been added to
MMA.
"
A few
discussions with one enthusiastic user and some false starts later, I've
come up with the idea of having a new track I've called an ARIA. Using
pattern definitions, much like those used in other MMA tracks, you set a
framework for MMA to generate a melody over a given set of chord changes."
Full Story (comments: none)
Office Applications
Version 4.3.1 of HylaFAX, a utility that can send and receive faxes,
has been released.
"
This release introduces a powerful new email templating system that
offers an unprecedented level of control over the branding of the
email messages HylaFAX sends, and so we encourage you to check it
out. No release would be complete without bugfixes of course, and this
one has plenty. As always, our sincerest thanks go to all who
participate in the development and testing process."
Comments (none posted)
Office Suites
Release candidate 2 of OpenOffice.org 2.1.0 has been announced. See the
release notes for a long list of new features.
Full Story (comments: none)
The November, 2006 edition of the OpenOffice.org Newsletter
is out with the latest OO.o office suite articles and events.
Full Story (comments: none)
Video Applications
Version 0.4.0-rc1 of xjadeo is available.
"
Xjadeo is a simple movie player that synchronizes video to an external
time source such as jack transport. It is intended to aid sound
composition to a video clip.
This is a rewrite of the previous 0.1 release and a
conclusion of the ongoing development during the last year."
Full Story (comments: none)
Miscellaneous
Version 1.6.1 Update 1 of
OmegaT is out
with bug fixes.
"
OmegaT is a free and open source multiplatform Computer Assisted Translation tool with fuzzy matching, translation memory, keyword search, glossaries, and translation leveraging into updated projects."
Comments (none posted)
Languages and Tools
Caml
The December 5, 2006 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Haskell
The eleventh edition of the
Haskell Communities and Activities Report is online.
"
Welcome to the eleventh edition of the Haskell Communities and Activities Report, a collection of entries about everything that is going on and related to Haskell in some way, that appears twice a year."
Comments (none posted)
The December 5, 2006 edition of the
Haskell Weekly News
is online. This week we see the 11th Haskell Communities and Activities
Report released, Visual Haskell 0.2 is available, and a suite of new
libraries and applications are announced.
Comments (none posted)
Java
O'Reilly presents
part two of an excerpt series by Maurice Naftalin and Philip
Wadler.
"
In the second part of an excerpt from Java Generics and Collections, authors
Maurice Naftalin and Philip Wadler continue their study of how to adopt Java
5.0 generics in a measured, sustainable fashion. Having shown how to
genericize a library while leaving the library in legacy mode, they now
present three approaches to the opposite scenario: genericizing a client that
uses a non-genericized library."
Comments (none posted)
Perl
The December 3, 2006 edition of the
Weekly Perl 6 mailing list summary is out with coverage of the latest
Perl 6 developments.
Comments (none posted)
Python
The December 4, 2006 edition of the Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
Tcl/Tk
The December 6, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Hew Wolff
uses XSLT for print formatting on O'Reilly's XML.com.
"
Recently I was wading through some hard-to-read XML files. Art & Logic, the company I work for, was helping a client to build an Ajax-style Web interface that used XML to talk to the backend and client-side XSLT to produce the HTML. I found myself reformatting the XML by hand to make things easier and finally wondering as I hit the spacebar yet again: couldn't an XSLT style sheet do this formatting for me? I had done something similar before, so I decided to try writing that style sheet, using a test-driven approach. Some hours later I had a handy utility, and a new appreciation for some of the wrinkles of XML. Here's a cleaned-up account of what I did."
Comments (1 posted)
IDEs
Tim McIntire
introduces
the Ajax Toolkit Framework for Eclipse in an IBM developerWorks article.
"
The Ajax Toolkit Framework (ATF) is a core piece of the new Open Ajax initiative, which aims to increase accessibility to the powerful Web programming technique through the Eclipse Foundation. The ATF extends the Eclipse Web Tools Platform (WTP) by adding an Asynchronous JavaScript and XML (Ajax) development environment for a variety of open source Ajax tool kits, including Dojo, Zimbra, and Rico. This article includes a HelloWorld example in which you install and configure the ATF, then use Eclipse and Dojo to create a basic Web application."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
The New York Times is running a front page
article on the One Laptop Per Child (OLPC) project.
"
When computer industry executives heard about a plan to build a $100 laptop for the developing world's children, they generally ridiculed the idea. How could you build such a computer, they asked, when screens alone cost about $100?
Mary Lou Jepsen, the chief technologist for the project, likes to refer to the insight that transformed the machine from utopian dream to working prototype as "a really wacky idea."
Ms. Jepsen, a former Intel chip designer, found a way to modify conventional laptop displays, cutting the screen's manufacturing cost to $40 while reducing its power consumption by more than 80 percent. As a bonus, the display is clearly visible in sunlight."
(Thanks to Jonathan B. Horen.)
Comments (32 posted)
Linux.com
takes a look
at the OLPC laptops. "
The first One Laptop Per Child hardware
devices are still months from deployment, but you can sneak a peek at their
Sugar desktop environment and bundled applications by running an OS image
under an emulator. It's a great way to finally get some hands-on time with
this long-anticipated project, even though it's not perfect."
Comments (17 posted)
InformationWeek has
an
article by Cory Doctorow on Microsoft's use of "trusted computing"
technologies to lock up its document formats. "
Vista is the first
operating system to begin to use the features of the Trusted Computing
Module, though for now, Microsoft is eschewing the use of 'Remote
Attestation' where software is verified over a network (they've made no
promise about doing this forever, of course). No company has spent more
time and money on preventing its competitors from reading its documents:
remember the fight at the Massachusetts state-house over the proposal to
require that government documents be kept in open file-formats?"
Comments (6 posted)
The SCO Problem
Groklaw has
a new ruling from Judge Kimball in the SCO case reaffirming the magistrate's order tossing out much of the company's purported evidence. "
The court finds that SCO failed to comply with the court's previous discovery-related Orders and Rule 26(e), that SCO acted willfully, that SCO's conduct has resulted in prejudice to IBM, and that this result, the inability of SCO to use the evidence at issue to prove its claims, should come as no surprise to SCO." The end gets a little closer.
Comments (none posted)
Companies
Linux.com
looks into the reasons behind the delay of Adobe's Flash 9 player
for Linux.
"
Adobe skipped a version of Flash for Linux and released stable versions of the Flash 9 player for Windows and Mac OS X long before the beta of Flash 9 to Linux users. Paul Betlem, senior director of engineering for Adobe, explained why the process is taking so long.
Betlem says that several factors have contributed to the tardiness of Flash on Linux. The primary problem, says Betlem, is the complexity of porting the Flash player to Linux due to differing libraries used for sound, video, and type on different Linux distributions."
Comments (29 posted)
PC Pro
reports on a new HP Linux server sales landmark.
"
HP has sold its 100,000th Linux-based server in the UK. The company has also shipped over 1,500,000 Linux servers worldwide, it has announced.
The company pointed to figures from IDC that showed 32.7 per cent year-on-year growth in Linux server shipments by the company, gaining five percentage points of unit market share."
Comments (none posted)
Linux-Watch
looks into
Novell's
announcement of their upcoming Linux-based Open Enterprise Server 2
operating system.
"
Although OES 2 won't be out until early in the second quarter of 2007, it already has support commitments from Novell's software partners. The list currently includes backup solution vendors CA, Commvault, Symantec, and Syncsort, along with anti-virus software vendors McAfee and Trend Micro.
OES, which will be based on Novell's SLES (SUSE Linux Enterprise Server) 10, is designed to be a drop-in replacement for Novell NetWare servers, and as a direct competitor to Microsoft's Server 2003."
Comments (1 posted)
ZDNet
reports
on layoffs at Open Source Development Labs. "
CEO Stuart Cohen
resigned to pursue opportunities with higher-level open-source software,
and nine employees in technical and administrative roles lost their jobs,
said Mike Temple, OSDL's chief operating officer and its new leader. That
leaves a staff of 19, including Tom Hanrahan in charge of engineering,
Diane Peters in charge of legal work, and top Linux programmers Linus
Torvalds and Andrew Morton."
Comments (6 posted)
Linux at Work
EETimes
reports on the latest efforts by Turbolinux, Inc.
"
Turbolinux, Inc., a major Linux operating system supplier in Japan, said it will offer a Linux booting device in an iPod-sized media player as a way to promote Linux among consumers.
Dubbed "Wizpy," the player uses flash memory in a portable media player with radio and audio recording functions. More important, it functions as a USB flash memory drive that can boot Linux on PCs, enabling users to establish their own Linux working environment, browser, mailer and application software."
Comments (none posted)
Legal
The Software Freedom Law Center has filed a request with the US
Patent and Trademark Office (USPTO) to re-examine the
Blackboard e-Learning patent.
"
Blackboard, Inc., maker of web-based software that allows teachers and
students to interact outside of the classroom, was awarded the patent
on January 17, 2006. The patent, "Internet-based education support
system and methods" (U.S. 6988138), grants Blackboard a monopoly on
most educational software that differentiates between the roles of
teacher and student until the year 2022."
These articles on
NewsForge and
Groklaw
examine the case in more detail.
Full Story (comments: 1)
Interviews
KDE.News has
an interview with
some students working on KDE. "
A group of students at the Paul
Sabatier University in Toulouse will be collaborating on the KDE projects
KPlato and Umbrello as part of their Institut Universitaire
Professionalisé en Ingénierie des Systèmes Informatiques
(Professional Institute of Computer Software Engineering) course of
study."
Comments (3 posted)
KDE.News
talks with Jan
Mühlig. "
Just following the recent World Usability Day and
a few months past the third birthday of OpenUsability I took some time to
talk to Jan Mühlig, one of the OpenUsability founders and to get an
inside look at some of the history of the project, how it works from the
inside and some of the current direction."
Comments (1 posted)
Resources
Bruce Byfield
discusses
some lesser-known Debian package management tools in a Linux.com article.
"
For all the efficiency and continued evolution of Debian's APT tools, some gaps in package management functionality remain. One of the largest ones is that, when a package is removed, any other packages that depend on it are not removed. The result is a growing number of orphans on the system -- that is, packages that serve no purpose for the system as a whole, although in some cases they continue to be useful individually. Similarly, while you can keep track of security announcements for Debian or distributions derived from it, the basic package system has no way of telling you which vulnerabilities might affect your system. To compensate for these lacks, you can turn to a group of housekeeping tools that make maintaining your Debian system easier and more efficient."
Comments (12 posted)
LinuxWorld.com
takes
a look at lightweight Linux for HPC. "
Linux has long provided an
outstanding operating system for a wide range of users in a variety of
settings. However, high-performance computing users, who must run
applications on thousands of nodes, historically have faced challenges that
Linux could not effectively address."
Comments (1 posted)
O'ReillyNet
looks
at what happens when a Linux system runs out of memory. "
Perhaps
you rarely face it, but once you do, you surely know what's wrong: lack of
free memory, or Out of Memory (OOM). The results are typical: you can no
longer allocate more memory and the kernel kills a task (usually the
current running one). Heavy swapping usually accompanies this situation, so
both screen and disk activity reflect this."
Comments (29 posted)
The
December 2006
edition of Linux Gazette is out. Articles in this edition include Easy
Shell Scripting, Installing Knoppix, Plotting the spirograph equations with
'gnuplot', Poor Man's Laptop: Richer Features, Learning about Linux
Processes, and much more.
Comments (none posted)
Reviews
Linux.com
takes a
look at Bastille. "
Bastille is a program for improving system
security on Debian, Fedora, Gentoo, Mandriva, Red Hat Enterprise Linux, and
SUSE. Unlike packet sniffers, anti-virus programs, and the majority of
security programs available today, Bastille does not wait to react to
possible security breaches, but prevents them by removing system
vulnerabilities. With many distributions softening security in their
default installations in the name of convenience, this approach is enough
by itself to make Bastille an essential program."
Comments (none posted)
Linux.com
looks at
the Flickr Web portal. "
The Flickr Web portal allows people to
publish and share online, grouped and tagged by subject, whole galleries of
digital pictures. You can use Flickr with several GNU/Linux-based
applications. Developers can also use the API published on the Web site to
obtain an API_KEY and build new interfaces to download, upload, or process
pictures in Flickr. What might be less known is that Flickr already is
another place where GNU/Linux users can meet, as well as a potentially very
useful advocacy tool."
Comments (4 posted)
LinuxDevices
covers the
beta release of the Canola media player for Nokia's Linux-based 770 and
forthcoming "870" Internet tablets. "
The Instituto Nokia de
Tecnologia in Brazil released the first beta of the Canola media player for
Nokia's Linux-based 770 and forthcoming "870" Internet tablets. Canola can
index and render local and network-based music, video, and photos;
podcasts; photocasts; and Internet radio."
Comments (1 posted)
Nicholas Petreley
reviews The Ruby
Way on Linux Journal. "
I've wanted to tackle Ruby for quite
some time. Luckily, Addison-Wesley just sent me a copy of The Ruby Way,
Second Edition by Hal Fulton. This is one of those books that makes me
think publishers feel the need to sell books by the pound. The sad part
about that is that, in many cases, books printed by the pound contain tons
of fluff and useless information. Not so with The Ruby Way. Every page
contains gems valuable for anyone who wants to program with Ruby."
Comments (none posted)
Miscellaneous
Linux.com
covers the
OpenOffice.org template and clipart contest. "
OpenOffice.org has
announced the winners of its template and clipart contest. The judges
distributed a total of five cash prizes totalling $1,700 for templates, and
three cash prizes totalling $1,300 for clipart, as well as two Honorable
Mentions for templates. In addition, the project will send T-shirts and
other OpenOffice.org merchandise to many of the other entrants."
Comments (none posted)
Libervis
asks why the FSF sites run Debian when Debian is not on the FSF's list of free distributions. Quoting Richard Stallman: "
We did not install any of that non-free software, so it is ok for us to run Debian. But we cannot recommend its servers to the public. Other people might install the non-free software from the site."
Comments (62 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation has sent out a media release
concerning a self-help group's attempt to uncover an anonymous poster.
"
Landmark Education, known for its Landmark Forum
motivational workshops, served a subpoena for the identity
of an anonymous user of Google Video last month, claiming
that a French documentary posted by the user infringed
Landmark's copyrights. The piece, entitled "Voyage Au Pays
Des Nouveaux Gourous" (Voyage to the Land of the New
Gurus), is highly critical of Landmark and included hidden
camera footage from inside a French Landmark Forum event
along with panel discussions about the group."
Landmark has withdrawn the subpoena.
Full Story (comments: none)
Commercial announcements
Adaptive Planning has announced the release of Adaptive Planning Express
Edition Version 3.0. The latest version of Adaptive Planning's open source
budgeting and forecasting application is available via free download from
SourceForge.
Full Story (comments: none)
Ampro Computers, Inc. has
announced the availability of their 1.8 GHz
Pentium M 745 processor EPIC single board computer.
"
At a mere 4.5" x 6.5" (115mm x 165mm), the 1.8 GHz ReadyBoard 800
implements high CPU and I/O performance in a size that is 34% smaller than
the Mini-ITX form factor. The Intel(R) 82855 chipset is featured, with up
to 1GB DDR 333 SODIMM RAM, (4) USB 2.0 ports, (4) serial ports, (2) serial
ports with RS-422/485 capability, EIDE, Gigabit Ethernet, 10/100 Ethernet
with Wake on LAN support, LVDS, (8) general-purpose I/O (GPIO) pins,
integrated chipset graphics, and PCI-104 expansion (PCI bus)."
Comments (none posted)
Back in October, LWN
wrote about Compiere's difficulties in its relationship with its development community. Compiere Inc. has now
announced the hiring of Dawn Foster (or "
Geekygirl Dawn Foster" on her weblog) as "director of community and partner programs." "
Foster will serve as a liaison between Compiere and the open source community to ensure the company is effectively communicating with the community, while encouraging community contributions to the Compiere ERP & CRM project. She will also be responsible for managing Compiere's recently expanded partner program and relationships with Compiere partners, many of whom are active participants in Compiere's open source community."
Comments (none posted)
Jive Software has
announced the launch of their
IgniteRealtime.org web site.
"
IgniteRealtime.org is a community
website intended to increase support of Jive Software's active developer
and user communities.
IgniteRealtime.org builds upon the tremendous success of Jive
Software's Open Source EIM products by evolving the website from a source
code destination to the single biggest XMPP-centric product community on
the Web, with a goal of driving the adoption of XMPP as the primary
standard for open, real-time communications."
Comments (none posted)
Novell, Inc. has
announced the appointment of Susan Heystee.
"
Novell has appointed Susan Heystee, recently named vice president
and general
manager for Global Strategic Partners, to manage the relationship with
Microsoft under the recently announced Novell-Microsoft agreement to
promote Linux* and Windows* interoperability. Heystee will oversee both the
business and technical cooperation components of the agreement, ensuring
that Novell(R) customers gain the maximum benefit from interoperability
work around Linux."
Comments (none posted)
Novell, Inc. has
announced the appointment of Colleen O'Keefe as senior vice president
of services at Novell.
"
Former NCR executive O'Keefe will oversee Novell's technical
support offerings, critical competitive differentiators for Novell in
the Linux market."
Comments (none posted)
Novell has sent out
a press release proclaiming its intent to implement OpenXML support for OpenOffice.org. "
Novell will release the code to integrate the Open
XML format into its product as open source and submit it for inclusion in
the OpenOffice.org project. As a result, end users will be able to more
easily share files between Microsoft Office and OpenOffice.org, as
documents will better maintain consistent formats, formulas and style
templates across the two office productivity suites."
Comments (14 posted)
Novell has
announced its "preliminary" quarterly and annual results. "
During the fourth fiscal quarter 2006, Novell reported $13 million of
revenue from Linux Platform Products, up 32 percent year-over-year."
Comments (none posted)
OpenLogic, Inc. has
announced the expansion of the OpenLogic Expert Community.
"
The OpenLogic Expert Community
is the first program to provide consolidated, commercial-grade support
across a wide range of open source products by tapping the open source
development community for enterprise support.
OpenLogic currently offers enterprise support for more than 160
certified open source products -- providing a single point of contact for
enterprise open source issues. Through the Expert Community, OpenLogic pays
qualified experts for help in resolving the most complex issues and
shepherds enterprise issues through the entire process to resolution."
Comments (none posted)
PolyServe, Inc. has
announced that it has joined the Red Hat Advanced Software
Partner Program.
"
Membership in the program ensures customers that
PolyServe's shared data clustering software solutions for Linux have been
tested for and are certified with Red Hat Enterprise Linux, are supported
under the Technical Support Alliance Network (TSANet) cooperative support
forum, and are compliant with Red Hat's guidelines for interoperability."
Comments (none posted)
Sun Microsystems has
announced the release of its "NetBeans C/C++ Development Pack" and "NetBeans Visual Web Pack" tools. The C/C++ tools are available under the CDDL; the "Visual Web Pack," instead, is available under the rather more restrictive "
Sun entitlement for software".
Comments (1 posted)
Terracotta, Inc. has announced that the company is open sourcing its Java
clustering product line to accelerate adoption by developers using open
source frameworks. The announcement is followed by a second press release
(click below for both) on the software companies and projects that are
backing Terracotta's move to open source its Java Virtual Machine (JVM)
clustering software.
Full Story (comments: none)
Virtual Bridges, Inc. has announced a major upgrade to its Win4Lin Pro
product.
"
Win4Lin Pro Desktop allows Linux users to run Windows applications from the security of the Linux
desktop. Win4Lin Virtual Desktop Server is the enterprise/SMB product for delivering Windows
applications on thin clients via a Linux server.
The Win4Lin Pro 3.5 upgrade includes new functionality, support for newer Linux distributions,
performance improvements and a roll-up of the maintenance releases since Win4Lin Pro 3 which was
released in May 2006."
Full Story (comments: none)
New Books
No Starch Press
has published the book
The Book of JavaScript, Second Edition: A Practical Guide to
Interactive Web Pages by thau!.
Full Story (comments: none)
Syngress has published the book
Cryptography for Developers by Tom St. Denis.
Full Story (comments: none)
O'Reilly has published the book
Head First Object-Oriented Analysis & Design by Brett D. McLaughlin, Gary Pollice, and David West.
Full Story (comments: none)
O'Reilly has published the book
Information Architecture for the World Wide Web, Third Edition by Louis Rosenfeld and Peter Morville.
Full Story (comments: none)
Contests and Awards
GnomeDesktop
has announced
that the Ekiga project has won an award.
"
Ekiga won last week one of the Free Software Awards in Soissons
(France). Ekiga was nominated in the "Multimedia" category.
The jury appreciated the quality of the project and the fact that it was
original (GnomeMeeting was the first Open Source GUI to support VoIP together
with video and the H.323 standard on GNU/Linux in 2001). It is now the first
Open Source application to support multiple major VoIP protocols at the same
time, again with audio and video."
Comments (none posted)
Thomas Wittek from Cologne has won the
GnuPG logo contest.
"
He will soon see his design used with GnuPG and also receive 50
percent of the received donation (we received as of now 215 Euro but
further donations won't be rejected)."
Full Story (comments: none)
Education and Certification
The Linux Professional Institute has announced a change in its
recertification policy.
"
The Linux Professional Institute
(LPI), the world's premier Linux certification, is
changing the organization's "Recertification Policy" to ensure that the
skills and knowledge of Linux professionals continue to be relevant and
current. Candidates who have earned LPIC certifications will have to
re-certify every five years or alternatively earn a higher certification
status. Previously recertification was only required after ten years."
Full Story (comments: none)
The Linux Professional Institute (LPI) and Novell have announced that
Novell will cooperate on the development of LPI's upcoming
enterprise-level certification program, LPIC-3.
"
LPIC-3 will be LPI's senior certification level for Linux professionals,
requiring candidates to hold both LPIC-1 and LPIC-2 designations. LPI
will launch the program in January 2007 and will hold the first North
American exam lab at Novell's BrainShare(R) event in March 2007."
Full Story (comments: none)
TimeSys has announced an expanded webinar series for embedded Linux
developers.
"
Beginning in early December, the new topics are designed to help
developers that are new to embedded Linux, showing the steps to boot
Linux on a target embedded board, get a sample application to run on
the board, and help attendees understand the options available for
filesystems to use with their project."
Calls for Presentations
The second Call for Talks has gone out for the FOSDEM Debian
Developer's room.
"
About a month ago, I sent out a first Call for Talks to the
debian-project and debian-events-eu lists.
In the mean time, I did receive an official confirmation that we will be
able to get a DevRoom at FOSDEM for the whole weekend; more
specifically, we will be having room AW1.125, which has 76 seats, on
saturday from 14:15 to 19:00, and on sunday from 09:00 to 18:00."
A call for papers has gone out for the NLUUG 2007 spring conference.
The event takes place in Ede, the Netherlands on May 10, 2007;
submissions are due by December 31.
Upcoming Events
PyCon 2007 has been announced.
"
PyCon 2007, the fifth annual conference of
the Python community, will take place February 23-25 at the Dallas/Addison
Marriott Quorum hotel. The keynote speakers will include Ivan Krstiæ, from
the One Laptop Per Child project; Adele Goldberg, a developer of Smalltalk;
Robert R. Lefkowitz, an expert on the use of open source in business; and
Guido van Rossum, the creator of Python."
LinuxMedNews has announced the registration for SCALE 5X. The event
takes place on February 10-11, 2007 in Los Angeles, CA.
"
The Expo is now accepting early registrations. A full pass (expo floor and seminars is $60 until January 24, 2007, and $70 thereafter, a student pass is $30 until January 24, 2007, and $35 thereafter, and an expo-floor-only pass is $10. Join us for over 40 seminars and tutorials. Presentations from Chris Dibona, Ted Haeger, Don Marti, and more! Expo floor will include exhibits by Dell, ClearHealth, Google, Krugle, Ingres, Trolltech, and others."
LinuxMedNews has announced the registration for the 14th VistA
Community Meeting.
"
K.S. Bhaskar writes: As you may be aware, the next VistA Community Meeting
will be at the National Institute of Standards and Technology, Gaithersburg,
MD, USA, Tuesday through Thursday, January 9-11, 2007. We hope that you will
be able to attend."
Events: December 14, 2006 to February 12, 2007
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
| December 12 - December 19 | Virtual Congress UnInet Meeting UMeet'2006 | irc.uninet.edu, #linux |
| December 27 - December 30 | 23rd Chaos Communication Congress 2006 | Berlin, Germany |
| January 11 - January 12 | Foundations of Open Media Software | Sydney, Australia |
| January 15 - January 20 | linux.conf.au 2007 | Sydney, Australia |
| January 20 - January 26 | Cell Hack-a-thon | Loveland, CO, USA |
| January 23 - January 26 | Open Source Meets Business | Nürnberg, Germany |
| January 24 | European Patent Conference | Brussels, Belgium |
| January 30 - February 1 | Solutions Linux Expo | Paris, France |
| February 1 - February 2 | LinuxDays Luxembourg | Luxembourg, Luxembourg |
| February 2 | FUDCon Boston 2007 | Boston, MA, USA |
| February 7 - February 9 | Free Software World Conference 3.0 | Badajoz, Spain |
| February 7 - February 9 | Xorg Developer's Conference | Santa Clara, CA, USA |
| February 9 | Women In Open Source | Los Angeles, USA |
| February 9 | Open Source Health Care Summit | Los Angeles, USA |
| February 10 - February 11 | 2007 Southern California Linux Expo | Los Angeles, USA |
If your event does not appear here, please tell us about it.
Audio and Video programs
KDE.News mentions the availability of coverage from the aKademy 2006
conference.
"
Linux Magazine have put their overview of aKademy 2006 -- the KDE World Conference -- online from their December 2006 issue. They describe how aKademy helped plan the road to KDE 4, and also report on the widely-successful OpenDocument day. There is also a review of KAlarm available from the same issue. In other aKademy 2006 news, the videos of the presentations and talks are now being uploaded."
The Linux Action Show has an interview with Novell's Director of
Marketing for Linux and Open Source Platforms.
"
The Linux Action Show gets
Novell's take on the Microsoft/Novell deal straight from the source: The
Director of Marketing for Linux and Open Source Platforms at Novell.
They Ask the questions and concerns on the minds of the community, plus
they get the insider's track on Suse Linux Enterprise, openSUSE and more."
O'Reilly presents an audio podcast from the Web 2.0 Summit.
"
Barry Diller and Arthur Sulzberger, Jr. talked to Web 2.0 Summit program
chair John Battelle about publishing content online. Sulzberger is chairman
of The New York Times Company which now includes NYTimes.com, Boston.com, and
About.com. Diller is the chairman and chief executive officer of
IAC/InterActiveCorp, and chairman of Expedia, Inc. In the second half of
their discussion they turn to community created content and answered
questions about its role in their various websites."
Page editor: Forrest Cook
Letters to the editor
From: Florian Cramer <fcramer-AT-plaintext.cc>
To: letters-AT-lwn.net
Subject: LWN forums
Date: Wed, 6 Dec 2006 21:49:42 +0100
Dear LWN editors,
Unfortunately, it seems as if the LWN forums need either a moderation or
scoring system, or non-subscriber submissions have to be blocked.
The amount of noise, flames and Slashdot-style immaturity is getting out
of hand.
Sincerely,
Florian Cramer
--
http://cramer.plaintext.cc:70
gopher://cramer.plaintext.cc
Page editor: Jonathan Corbet