The
One Laptop Per Child project is likely
to be familiar to most LWN readers by now. An important milestone on this
project's plan for the creation of low-cost educational systems is the
production of "BTest-1" systems. The project has manufactured on the order
of 1000 laptops and distributed them to testers worldwide as a way of,
hopefully, shaking out the remaining hardware issues and making a start on
the software side of the equation. Some systems have even been shipped to
Microsoft so that some sort of Windows port can be done; this move has
upset some OLPC supporters, but when the designers of the laptop said they
planned to make a 100% open system, they meant it.
Your editor was lucky enough to receive one of these systems, after having
been put through the indignity of seeing everybody else's "I got my laptop"
posts first. There has not been a great deal of time to play with it yet,
but your editor has had the chance to form some first impressions. The
OLPC XO (or whatever it is eventually called) is going to be a nice system.
Back in July, we interviewed Jim
Gettys about this system; one of the questions we asked was how they
planned to keep adults from stealing the laptops from the children for
their own purposes. Jim answered:
First, we intend that the systems be instantly recognizable as
kid's systems, not only so that kids like them and value them more
and take care of them carefully, but also so that adults with
machines in their possession may be asked questions about whether
they should have the machine.
Even with this in mind, most people who see an OLPC for the first time are
surprised by just how small it is. Understanding sets in for real when one
attempts to use the keyboard; the small keys will work for a small child,
but, for your fat-fingered editor, it is very much a hunt-and-peck device.
There will be very few adults who will be able to type comfortably on this
system. With the size of the device and its bright colors, they will also
look decidedly silly in the attempt. This machine is clearly for kids.
Another way to make adults look silly is to hand the laptop to one of them
and suggest that they open it. Your editor has performed this experiment
several times now, and has not yet seen anybody succeed. Most people try
pushing on the green square that looks like a latch, but which is,
in reality, the hinge. The secret is to lift up the two "ears," which
happen to be the wireless network antennas, and open the top toward the
handle. Anybody attempting to use a crowbar should be stopped immediately.
The display can rotate 180 degrees and be closed over the keyboard, putting
the device into "ebook" mode. There is no touchscreen on the device, so
the only controls available in this mode are the eight buttons (four arrows
and four which, for now, look like Sony game controller buttons) next to
the display.
On the software side, the test system is running a pared-down version of
the Fedora Core distribution. The kernel is essentially 2.6.19-rc2 with a
fair set of patches (some since merged into the mainline) to support the OLPC
hardware. Many of the basic utilities are there, and there is a Python
interpreter available. But anybody looking for a C compiler,
OpenOffice.org, emacs, Wesnoth, etc. will not find them. The system has
little space (512MB of flash storage) and even less memory, so a lot of
larger applications will never find space there.
The BTest-1 release
notes make it clear that the process of putting together the software
is just beginning; the focus, until now, has been on getting the hardware
working. So many of the provided "activities" are present only in a
preliminary form, and others are not there at all yet. It is not,
according to the release notes, time to test the device on children (though
your editor's children disagree rather strongly). Certainly the adults are
starting to have fun with the system; your editor was gratified by this brief
posting on video conferencing on the OLPC using the telepathy package.
Running software on the test system drives home a point the project has
been making for some time: much of the software we run now is far too
bloated and slow. With a suitable amount of attention to resource use, the
OLPC hardware is powerful enough to accomplish a wide variety of tasks -
web browsing, document editing, video conferencing, and more. But, with
the wrong software, the system will just sit there and thrash. So one of
the primary goals for the OLPC software team in the coming months will be
to put the system's applications on a diet until they fit comfortably on
this small system. This work will benefit us all in the end; some of the
work aimed at slimming down the Gecko rendering engine can already be found
in Firefox 2.
Beyond that, however, this project is setting up to put millions of
Linux-based laptops into the hands of children worldwide. These systems
will include mesh networking and cameras; this is a combination which is
likely to lead to interesting things to see on video sharing sites - and
serious news channels. The laptop will be wide open, with the "view source"
functionality built in. There are many people who question this project
and whether the countries involved might better spend their resources on
clean water, sanitation, and so on. Those are legitimate questions which
cannot be simply brushed off. But one should also consider what those kids
will be able to do given better access to knowledge, communications, and a
platform they can hack to their own ends. It is going to be interesting to
watch.
Comments (24 posted)
Recent weeks have seen a great deal of debate over Microsoft's OpenXML
document format. This format, which is headed for standard status, is a
complex beast. Some have questioned whether it will ever be able to create
independent implementations of OpenXML which are truly interoperable with
each other. Others ask whether it is right for the free software community
to even try. To many members of our community, the right path is to
encourage the use of OpenDocument, which already has standard status and
implementations in free software. Why get onto another document format
treadmill when a better solution is already available?
These questions are valid, they deserve full consideration. But they may
also, to an extent, be missing the real point. It is entirely possible
that the document format battles are done; even if OpenXML is not a perfect
standard, it is far more open than its predecessors. While
Microsoft is not inclined to make life easy for those who would
interoperate with its file formats, the company may well have realized that
obscure formats have outlived their usefulness as a way of maintaining
desktop domination. This might just be a battle we have won, even if the
victory is rather more messy than we would like.
Before we charter an aircraft carrier for our "mission accomplished" party,
however, it is worth reflecting on different forms this fight could take in
the future. Cory Doctorow gave us a good hint in this
InformationWeek article on "information rights management." IRM is a
feature touted by Microsoft for a few years now which has the potential to
complicate life considerably in the future.
IRM offers some interesting features to people who are worried about the
information they put into their documents, presentations, and
spreadsheets. With IRM, the document owner can specify exactly who can
read a particular file, and under what conditions. Access can have an
expiration time attached to it - or it can be revoked at any time. Actions
like printing can be restricted. For anybody who feels the need to control
information, these features cannot fail to be appealing.
But these features only work if the client plays along, and free software
clients have not always distinguished themselves in this area. Or, rather,
they have distinguished themselves very well by serving the needs of their
users. Even if a programmer implements the "this document can only be
printed once" flag, somebody else, perhaps after having lost their one
printing opportunity
to a particularly nasty paper jam, will hack it out. Clearly, Microsoft
must prevent the creation of free applications which can read IRM-protected
documents or it will be unable to live up to the promises it has made for
that technology.
Microsoft has a couple of weapons at its disposal (beyond pure obscurity)
which can be used against any potential free IRM implementation. One is
the DMCA, which, in the US (and countries which have implemented similar
laws), can be employed against those who bypass access restriction
mechanisms. Anybody who posted code that, say, allowed the user to cut and
paste text out of an IRM-protected document would likely face an unpleasant
reception in the US. They would be in a situation much like that faced by
Dmitry Sklyarov, who bypassed similar restrictions in PDF files, a few
years ago.
Of course, the Sklyarov case did not necessarily work to Adobe's advantage
in the end, and Microsoft might wish to avoid a similar storm of bad
publicity. So, as Cory's article points out, Microsoft might pursue a
different option: the use of the trusted computing module (TPM)
increasingly being built into new computers. With the remote attestation
feature of the TPM, it is possible to refuse to pass decryption keys to any
system which cannot be shown to be running approved software. This system
would be quite tight and hard to defeat - it might just work. And it would
no longer matter how "open" the document format is.
The full remote attestation scenario requires the cooperation of the entire
system, starting with a "secure" BIOS which initializes the TPM properly.
Most systems do not currently operate in this mode, so the realization of
this threat will not happen in the immediate future. One should not,
however, forget that the TPM has been designed to support just this mode of
operation. It does not take all that much paranoia to imagine that these
capabilities will not go unused forever. "Trusted computing" has yet to
touch most of us, but we ignore it at great risk. Among other things, it
could make the current discussion of open document formats entirely moot.
Comments (16 posted)
The recent Fedora Summit reached a number of conclusions about the future
of the project. These include the elimination of the distinction between
Fedora Core and Fedora Extras and the extension of the support period for
Fedora releases to approximately 13 months. Since then, various parts of
the project have tried to figure out what is really
going to happen. It is beginning to appear that a few things, at least,
are coming into focus.
When changes of this magnitude are in store, one's thoughts immediately
turn to the most important topic: what will be the project's new name?
Quite a few possibilities were discussed, including Fedora Union (not
everybody liked the acronym) and Fedora Freedom (which, it seems, brings
unwelcome associations with "freedom fries" to a fair number of people).
After weeks of discussion, it would appear that people are converging on
(...drum roll...) "Fedora." Who would have guessed?
So when will the next Freedom Fries Fedora release be?
According to a recently-posted schedule
proposal, Fedora 7 will come out on April 24, 2007. That
date seems to be driven by the Red Hat Summit, which starts on May 9;
the Fedora folks would like to have something to show off at that event.
On this schedule, the first test release would be on January 30, just
before the next FUDcon, which appears set for February 2 to 4.
Assuming the schedule does not slip, it should be possible to hand out
Fedora 7 disks to Red Hat Summit attendees.
The only problem is that Fedora schedules have been known to slip at
times. This realization has led to a discussion on what went wrong, and
how schedule slips might be avoided this time around. There were a number
of issues that came up toward the end of the Fedora Core 6 effort,
some of which would have been hard to anticipate and avoid. One of the
biggest issues, however, was the fact that Xen didn't work. Fedora kernel
maintainer Dave Jones has some choice words
about Xen, along with a grim prognosis about the potential for future
problems. It rather appears
that Fedora might be best served by dropping Xen altogether, but that is
unlikely to happen in the short term. Red Hat Enterprise Linux needs to
have Xen (after all, Novell ships it), and Fedora is where these
technologies get much of their early testing.
That said, there seems to be a fair amount of sympathy for the idea of
simply dropping features with problems that threaten to delay the release.
Hopefully the Fedora developers won't have to make any such choices this
time around, but, should something come up, it will be interesting to see
how they respond.
Another open question is what happens to the Fedora Legacy project. Nobody
has really taken the step of officially shutting it down. Jesse Keating
has walked away from it, however, and few
people seem to see much reason for keeping it going. There are
users who would like to see more than 13 months of security support for
Fedora releases, but the subset of those users who are willing to help
Fedora Legacy provide that support is quite small.
Meanwhile, the project did (on December 12) put this note onto its web page:
The current model for supporting maintenance distributions is being
re-examined. In the meantime, we are unable to extend support to
older Fedora Core releases as we had planned. As of now, Fedora
Core 4 and earlier distributions are no longer being maintained.
Given that the project only managed one Fedora Core 4 update ever, one
could argue that the situation has not changed much. But at least it is
now clear. What is less clear is how the various hosting companies which
offer Fedora Core 4 servers have kept them secure so far, and what
they intend to do now.
Finally, the project still has not come to a final resolution on what to do about
RPM. The subject was apparently discussed at
the December 12 board meeting, but no communications are, as of
this writing, available. With luck, we'll hear from the project on this
topic before
too long. Infrastructure like RPM is too important to leave in a limbo
state for this long.
Comments (4 posted)
Page editor: Jonathan Corbet
Security
December 13, 2006
This article was contributed by Jake Edge.
When a security bug is found in the kernel, a patch is usually available
within hours; the kernel developers rightly take these things very seriously.
Once the patch is available, the stable team typically releases a new kernel
within a week or so and this is one of the big advantages of open source.
Once in a while, however, a bug that has been fixed previously can creep
back into the source, open or closed, and is known as a 'regression'.
This week's 2.6.19.1 kernel
release has a fix for something
that looks an awful lot like a regression, but technically is not.
Back in July, LWN described
a security problem in the then-current 2.6.17 kernel. The issue was that
local users could configure their processes to write core dump files in
directories that they did not have write permissions for. As the article
described, this could be trivially exploited for local privilege escalation;
in short, a local root hole.
This bug was fixed by the following patch:
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1983,7 +1983,7 @@ asmlinkage long sys_prctl(int option, un
error = current->mm->dumpable;
break;
case PR_SET_DUMPABLE:
- if (arg2 < 0 || arg2 > 2) {
+ if (arg2 < 0 || arg2 > 1) {
error = -EINVAL;
break;
}
which prevented processes from setting the
dumpable flag to two. That flag
governs whether core dumps are produced by the process; the special
value of two reflects an ability to dump core with root privileges, quite
possibly to directories that the user cannot normally write to. The code
did guard against overwriting existing files, for security reasons, but
did not consider the implications of allowing user processes to effectively
write anywhere.
The code which handles the dumpable flag lives in fs/exec.c in the
aptly named do_coredump() function:
if (mm->dumpable == 2) { /* Setuid core dump mode */
flag = O_EXCL; /* Stop rewrite attacks */
current->fsuid = 0; /* Dump root private */
}
and further down, flag is used as part of the filp_open()
call:
file = filp_open(corename, O_CREAT|2|O_NOFOLLOW|O_LARGEFILE|flag, 0600);
At the end of September, a
patch by Andi Kleen was
applied to allow core dumps to be piped to a userspace process. This
patch had been, according to Andi, "hanging around for a long time" and
lacked the flag
in the call to filp_open(). The patch made it into 2.6.19-rc1
kernel and from there into 2.6.19.
The impact of the bug is relatively low as a root user would have to set
the dumpable flag to two via
/proc/sys/fs/suid_dumpable. This would allow user processes to write
core dumps anywhere, which is as designed, but also would allow them to
overwrite existing files, which is not. It probably is not very common
that admins need to configure things that way, but it certainly is not
completely outside the realm of possibility either.
As described in the patch, Alexey Dobriyan
used a list of warnings
gathered from compiling the kernel. The warnings were grepped for
'was set but never used' and the first entry in the list pointed to this
problem. The kernel produces enough warnings that problems like this tend
to be obscured in a sea of bogus or overly picky warnings.
This particular bug is not technically a regression as there never was a bug
that allowed this behavior until it was introduced in the patch. It has been
assigned
CVE-2006-6304
(as of this writing, it is just a reserved CVE with no information).
It is great to see folks scrutinizing warnings and looking for bugs in the
kernel, this is just the kind of thing that the 'many eyes make all bugs
shallow' theory is referring to.
It would be nice to see a kernel regression test suite that contained
test cases for bugs that have previously been fixed as that kind of thing
might have caught this bug. It is a difficult problem, however, and keeping
up with the number of bug fix patches would be daunting. Perhaps a regression
suite that focused on security fixes would be a good place to start.
Comments (9 posted)
New vulnerabilities
clamav: missing sanity checks
| Package(s): | clamav |
CVE #(s): | CVE-2006-5874
|
| Created: | December 11, 2006 |
Updated: | December 14, 2006 |
| Description: |
Stephen Gran discovered that malformed base64-encoded MIME attachments
can lead to denial of service through a null pointer dereference. |
| Alerts: |
|
Comments (none posted)
enemies-of-carlotta: input sanitizing
| Package(s): | enemies-of-carlotta |
CVE #(s): | CVE-2006-5875
|
| Created: | December 13, 2006 |
Updated: | December 13, 2006 |
| Description: |
It would seem that enemies-of-carlotta, a mailing list manager, does not check email addresses before passing them to a shell. |
| Alerts: |
|
Comments (none posted)
gnupg: stack overwrite
| Package(s): | gnupg |
CVE #(s): | CVE-2006-6235
|
| Created: | December 12, 2006 |
Updated: | March 13, 2007 |
| Description: |
A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to
execute arbitrary code via crafted OpenPGP packets that cause GnuPG to
dereference a function pointer from deallocated stack memory. |
| Alerts: |
|
Comments (3 posted)
kdegraphics: stack overflow
| Package(s): | kdegraphics |
CVE #(s): | CVE-2006-6297
|
| Created: | December 12, 2006 |
Updated: | January 13, 2007 |
| Description: |
A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as
used by konqueror, digikam, and other KDE image browsers, allows remote
attackers to cause a denial of service (stack consumption) via a crafted
EXIF section in a JPEG file, which results in an infinite recursion. |
| Alerts: |
|
Comments (none posted)
l2tpns: buffer overflow
| Package(s): | l2tpns |
CVE #(s): | CVE-2006-5873
|
| Created: | December 8, 2006 |
Updated: | December 13, 2006 |
| Description: |
Rhys Kidd discovered a vulnerability in l2tpns, a layer 2 tunneling
protocol network server, which could be triggered by a remote user to
execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libmodplug: boundary errors
| Package(s): | libmodplug |
CVE #(s): | CVE-2006-4192
|
| Created: | December 11, 2006 |
Updated: | May 4, 2011 |
| Description: |
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application. |
| Alerts: |
|
Comments (none posted)
madwifi-ng: buffer overflow
| Package(s): | madwifi-ng |
CVE #(s): | CVE-2006-6332
|
| Created: | December 11, 2006 |
Updated: | December 13, 2006 |
| Description: |
Laurent Butti, Jerome Raznieski and Julien Tinnes reported a buffer
overflow in the encode_ie() and the giwscan_cb() functions from
ieee80211_wireless.c. A remote attacker could send specially crafted
wireless WPA packets containing malicious RSN Information Headers (IE) that
could potentially lead to the remote execution of arbitrary code as the
root user. |
| Alerts: |
|
Comments (none posted)
ruby: denial of service
| Package(s): | ruby |
CVE #(s): | CVE-2006-6303
|
| Created: | December 7, 2006 |
Updated: | December 21, 2006 |
| Description: |
The Ruby CGI library, cgi.rb, does not properly detect
boundaries in MIME multipart content. A remote attacker can
use this to cause a denial of service. |
| Alerts: |
|
Comments (none posted)
squirrelmail: multiple cross-site scripting vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CVE-2006-6142
|
| Created: | December 11, 2006 |
Updated: | January 31, 2007 |
| Description: |
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0
through 1.4.9 allow remote attackers to inject arbitrary web script or HTML
via the mailto parameter in webmail.php, the session and delete_draft
parameters in compose.php, and unspecified vectors involving "a shortcoming
in the magicHTML filter." |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: cross-site scripting
| Package(s): | apache |
CVE #(s): | CVE-2006-3918
|
| Created: | August 9, 2006 |
Updated: | April 4, 2008 |
| Description: |
From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header." |
| Alerts: |
|
Comments (none posted)
apache-mod_auth_kerb: off-by-one error
| Package(s): | apache-mod_auth_kerb |
CVE #(s): | CVE-2006-5989
|
| Created: | November 24, 2006 |
Updated: | January 23, 2007 |
| Description: |
An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows
remote attackers to cause a denial of service (crash) via a crafted
Kerberos message that triggers a heap-based buffer overflow in the
component array. |
| Alerts: |
|
Comments (none posted)
asterisk: arbitrary code execution
| Package(s): | asterisk |
CVE #(s): | CVE-2006-5444
|
| Created: | October 19, 2006 |
Updated: | December 6, 2006 |
| Description: |
The Asterisk telephony PBX application has a heap overflow vulnerability
in the skinny channel driver. A remote attacker can use this to
arbitrarily execute code with the privileges of the Asterisk user.
See this
vulnerability report
for more information. |
| Alerts: |
|
Comments (none posted)
avahi: sender id check
| Package(s): | avahi |
CVE #(s): | CVE-2006-5461
|
| Created: | November 13, 2006 |
Updated: | December 20, 2006 |
| Description: |
Steve Grubb discovered that netlink messages were not being checked for
their sender identity. This could lead to local users manipulating the
Avahi service. |
| Alerts: |
|
Comments (1 posted)
bind: denial of service
| Package(s): | bind |
CVE #(s): | CVE-2006-4095
CVE-2006-4096
|
| Created: | September 7, 2006 |
Updated: | February 1, 2007 |
| Description: |
Bind has two denial of service vulnerabilities.
Recursive servers queries for SIG records will trigger an assertion
failure if more than one RR set is returned.
An INSIST failure can be triggered by sending a large number of
recursive queries. |
| Alerts: |
|
Comments (none posted)
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
CVE #(s): | CVE-2006-5453
CVE-2006-5454
CVE-2006-5455
|
| Created: | November 10, 2006 |
Updated: | August 28, 2007 |
| Description: |
Bugzilla has the following vulnerabilities:
Input data passed to various fields is not properly sanitized before
being passed back to users.
Users can gain unauthorized access to read attachment
descriptions while using diff mode.
HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users. |
| Alerts: |
|
Comments (none posted)
busybox: insecure password generation
| Package(s): | busybox |
CVE #(s): | CVE-2006-1058
|
| Created: | May 5, 2006 |
Updated: | May 2, 2007 |
| Description: |
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time. |
| Alerts: |
|
Comments (2 posted)
bzip2: race condition and infinite loop
| Package(s): | bzip2 |
CVE #(s): | CAN-2005-0953
CAN-2005-1260
|
| Created: | May 17, 2005 |
Updated: | January 10, 2007 |
| Description: |
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor. |
| Alerts: |
|
Comments (2 posted)
cpio: arbitrary code execution
| Package(s): | cpio |
CVE #(s): | CVE-2005-4268
|
| Created: | January 2, 2006 |
Updated: | March 17, 2010 |
| Description: |
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system). |
| Alerts: |
|
Comments (none posted)
vixie-cron: privilege escalation
| Package(s): | cron |
CVE #(s): | CVE-2006-2607
|
| Created: | May 31, 2006 |
Updated: | June 1, 2009 |
| Description: |
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
| Alerts: |
|
Comments (1 posted)
cscope: buffer overflows
| Package(s): | cscope |
CVE #(s): | CVE-2006-4262
|
| Created: | October 2, 2006 |
Updated: | June 16, 2009 |
| Description: |
Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code. |
| Alerts: |
|
Comments (none posted)
cscope: buffer overflows
| Package(s): | cscope |
CVE #(s): | CVE-2004-2541
|
| Created: | May 22, 2006 |
Updated: | June 19, 2009 |
| Description: |
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target. |
| Alerts: |
|
Comments (1 posted)
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
CVE #(s): | CVE-2006-1721
|
| Created: | April 21, 2006 |
Updated: | September 4, 2007 |
| Description: |
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate. |
| Alerts: |
|
Comments (none posted)
dovecot: index cache file handling error
| Package(s): | dovecot |
CVE #(s): | CVE-2006-5973
|
| Created: | November 29, 2006 |
Updated: | May 8, 2007 |
| Description: |
The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
| Alerts: |
|
Comments (none posted)
elinks: arbitrary file access
| Package(s): | elinks |
CVE #(s): | CVE-2006-5925
|
| Created: | November 16, 2006 |
Updated: | October 22, 2009 |
| Description: |
The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions. |
| Alerts: |
|
Comments (none posted)
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
CVE #(s): | CVE-2006-4799
CVE-2006-4800
|
| Created: | September 14, 2006 |
Updated: | May 28, 2007 |
| Description: |
the AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially crafted
crafted AVI, arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (2 posted)
freeradius: several vulnerabilities
| Package(s): | freeradius |
CVE #(s): | CVE-2005-4745
CVE-2005-4746
|
| Created: | August 8, 2006 |
Updated: | April 24, 2007 |
| Description: |
Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service. |
| Alerts: |
|
Comments (none posted)
freetype: integer overflows
| Package(s): | freetype |
CVE #(s): | CVE-2006-0747
CVE-2006-1861
CVE-2006-2493
CVE-2006-2661
CVE-2006-3467
|
| Created: | June 8, 2006 |
Updated: | June 1, 2010 |
| Description: |
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user. |
| Alerts: |
|
Comments (none posted)
ftpd: privilege escalation
| Package(s): | ftpd |
CVE #(s): | CVE-2006-5778
|
| Created: | November 10, 2006 |
Updated: | February 14, 2007 |
| Description: |
Ftpd is vulnerable to a privilege escalation attack,
an incorrect seteuid() call can be used by an FTP user to gain
unauthorized access to files or directories. |
| Alerts: |
|
Comments (none posted)
gcc: file overwrite vulnerability
| Package(s): | gcc |
CVE #(s): | CVE-2006-3619
|
| Created: | September 6, 2006 |
Updated: | March 14, 2008 |
| Description: |
The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
| Alerts: |
|
Comments (none posted)
gdb: buffer overflow
| Package(s): | gdb |
CVE #(s): | CVE-2006-4146
|
| Created: | September 15, 2006 |
Updated: | June 12, 2007 |
| Description: |
A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations. |
| Alerts: |
|
Comments (none posted)
gdm: improper file permissions
| Package(s): | gdm |
CVE #(s): | CVE-2006-1057
|
| Created: | April 19, 2006 |
Updated: | May 2, 2007 |
| Description: |
The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
gnupg: buffer overflow
| Package(s): | gnupg |
CVE #(s): | CVE-2006-6169
|
| Created: | November 30, 2006 |
Updated: | December 11, 2006 |
| Description: |
GnuPG has a buffer overflow vulnerability. If a user can be tricked
into running gpg interactively on a specially crafted message,
arbitrary code can be executed with the user's privileges. |
| Alerts: |
|
Comments (none posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
gv: stack-based buffer overflow
| Package(s): | gv |
CVE #(s): | CVE-2006-5864
|
| Created: | November 20, 2006 |
Updated: | April 9, 2007 |
| Description: |
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to
execute arbitrary code via a PostScript (PS) file with certain headers that
contain long comments, as demonstrated using the DocumentMedia header. |
| Alerts: |
|
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | January 20, 2010 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
imagemagick: buffer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2006-5868
|
| Created: | November 28, 2006 |
Updated: | February 16, 2007 |
| Description: |
Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI
file format decoder. By tricking a user or an automated system into
processing a specially crafted SGI image, this could be exploited to
execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (1 posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
CVE #(s): | CVE-2006-5456
|
| Created: | October 31, 2006 |
Updated: | March 8, 2007 |
| Description: |
Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick
6.0.7 allow user-assisted attackers to cause a denial of service and
possibly execute execute arbitrary code via (1) a DCM image that is not
properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. |
| Alerts: |
|
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-4811
|
| Created: | October 18, 2006 |
Updated: | March 5, 2007 |
| Description: |
The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: bridging code buffer overflow
| Package(s): | kernel |
CVE #(s): | CVE-2006-5751
|
| Created: | December 6, 2006 |
Updated: | January 3, 2007 |
| Description: |
A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | January 5, 2009 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4572
CVE-2006-4997
|
| Created: | November 6, 2006 |
Updated: | January 17, 2007 |
| Description: |
Some vulnerabilities were discovered in the Linux 2.6 kernel:
There are possibly exploitable bugs in the netfilter for IPv6 code.
(CVE-2006-4572)
The ATM subsystem of the Linux kernel could allow a remote attacker to
cause a Denial of Service (panic) via unknown vectors that cause the ATM
subsystem to access the memory of socket buffers after they are freed.
(CVE-2006-4997) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
koffice: integer overflow
| Package(s): | koffice |
CVE #(s): | CVE-2006-6120
|
| Created: | November 30, 2006 |
Updated: | February 20, 2007 |
| Description: |
The KOffice office suite has an integer overflow
vulnerability. If an attacker can trick a user into opening a
specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or
possibly execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
krb5: local privilege escalation
| Package(s): | krb5 |
CVE #(s): | CVE-2006-3083
|
| Created: | August 9, 2006 |
Updated: | July 7, 2010 |
| Description: |
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
CVE #(s): | CVE-2006-2906
|
| Created: | June 14, 2006 |
Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: |
|
Comments (none posted)
libgsf: heap buffer overflow
| Package(s): | libgsf |
CVE #(s): | CVE-2006-4514
|
| Created: | November 30, 2006 |
Updated: | January 11, 2007 |
| Description: |
The GNOME library libgsf, which is used for writing structured file
formats, has a heap buffer overflow that can be exploited for the
purpose of executing arbitrary code. |
| Alerts: |
|
Comments (none posted)
libmms: buffer overflows
| Package(s): | libmms |
CVE #(s): | CVE-2006-2200
|
| Created: | July 6, 2006 |
Updated: | December 25, 2006 |
| Description: |
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program. |
| Alerts: |
|
Comments (none posted)
libpam-ldap: insecure password control
| Package(s): | libpam-ldap |
CVE #(s): | CVE-2006-5170
|
| Created: | November 3, 2006 |
Updated: | December 21, 2006 |
| Description: |
Steve Rigler discovered that the PAM module for authentication against
LDAP servers processes PasswordPolicyReponse control messages incorrectly,
which might lead to an attacker being able to login into a suspended
system account. |
| Alerts: |
|
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | December 15, 2008 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
CVE #(s): | CVE-2006-2450
|
| Created: | August 4, 2006 |
Updated: | March 19, 2007 |
| Description: |
LibVNCServer fails to properly validate protocol types effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
linux-restricted-modules: nVidia driver vulnerability
| Package(s): | linux-restricted-modules |
CVE #(s): | CVE-2006-5379
|
| Created: | November 6, 2006 |
Updated: | January 11, 2007 |
| Description: |
Derek Abdine discovered that the NVIDIA Xorg driver did not correctly
verify the size of buffers used to render text glyphs. When displaying
very long strings of text, the Xorg server would crash. If a user were
tricked into viewing a specially crafted series of glyphs, this flaw
could be exploited to run arbitrary code with root privileges. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
CVE #(s): | CVE-2006-1168
|
| Created: | August 10, 2006 |
Updated: | February 21, 2012 |
| Description: |
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause a
a .bss buffer underflow. |
| Alerts: |
|
Comments (none posted)
openldap: security bypass
| Package(s): | openldap |
CVE #(s): | CVE-2006-4600
|
| Created: | September 29, 2006 |
Updated: | June 12, 2007 |
| Description: |
slapd in OpenLDAP before 2.3.25 allows remote authenticated users with
selfwrite Access Control List (ACL) privileges to modify arbitrary
Distinguished Names (DN). |
| Alerts: |
|
Comments (none posted)
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
CVE #(s): | CVE-2006-2198
CVE-2006-2199
CVE-2006-3117
|
| Created: | June 30, 2006 |
Updated: | January 4, 2007 |
| Description: |
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
|
| Alerts: |
|
Comments (none posted)
OpenSSH: denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4925
CVE-2006-5052
|
| Created: | October 6, 2006 |
Updated: | November 15, 2007 |
| Description: |
packet.c in ssh in OpenSSH allows remote attackers to cause a denial of
service (crash) by sending an invalid protocol sequence with
USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
An unspecified vulnerability in portable OpenSSH before 4.4, when running
on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort." |
| Alerts: |
|
Comments (none posted)
openssh: privilege separation issue
| Package(s): | openssh |
CVE #(s): | CVE-2006-5794
|
| Created: | November 8, 2006 |
Updated: | April 5, 2007 |
| Description: |
From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities." |
| Alerts: |
|
Comments (none posted)
openssh: remote denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4924
CVE-2006-5051
|
| Created: | September 27, 2006 |
Updated: | September 17, 2008 |
| Description: |
Openssh 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal hander and on portable OpenSSH a GSSAPI authentication abort
could be used to determine the validity of usernames on some platforms. |
| Alerts: |
|
Comments (none posted)
openssl: multiple vulnerabilities
| Package(s): | openssl |
CVE #(s): | CVE-2006-2937
CVE-2006-2940
CVE-2006-3780
CVE-2006-4343
CVE-2006-3738
|
| Created: | September 28, 2006 |
Updated: | December 12, 2006 |
| Description: |
OpenSSL has a number of denial of service vulnerabilities including:
two vulnerabilities involving invalid ASN.1 structures, a buffer overflow
in the SSL_get_shared_ciphers() function and an SSLv2 client crash that
can be caused by a malicious server. |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-4481
CVE-2006-4484
CVE-2006-4485
|
| Created: | September 8, 2006 |
Updated: | June 13, 2008 |
| Description: |
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: |
|
Comments (1 posted)
php: buffer overflows
| Package(s): | php |
CVE #(s): | CVE-2006-5465
|
| Created: | November 3, 2006 |
Updated: | January 18, 2010 |
| Description: |
The Hardened-PHP Project discovered buffer overflows in
htmlentities/htmlspecialchars internal routines to the PHP Project. Of
course the whole purpose of these functions is to be filled with user
input. (The overflow can only be when UTF-8 is used) |
| Alerts: |
|
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
CVE #(s): | CVE-2006-2313
CVE-2006-2314
|
| Created: | May 24, 2006 |
Updated: | June 6, 2007 |
| Description: |
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash. |
| Alerts: |
|
Comments (1 posted)
proftpd: denial of service
| Package(s): | proftpd |
CVE #(s): | CVE-2006-5815
|
| Created: | November 17, 2006 |
Updated: | January 24, 2007 |
| Description: |
A denial of service (DoS) vulnerability exists in the FTP server ProFTPD, up
to and including version 1.3.0. The flaw is due to both a potential bus
error and a definitive buffer overflow in the code which determines the FTP
command buffer size limit. The vulnerability can be exploited only if the
"CommandBufferSize" directive is explicitly used in the server
configuration. |
| Alerts: |
|
Comments (none posted)
quake: buffer overflow
| Package(s): | quake3-bin |
CVE #(s): | CVE-2006-2236
|
| Created: | May 10, 2006 |
Updated: | January 12, 2009 |
| Description: |
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: |
|
Comments (none posted)
rpm: arbitrary code execution
| Package(s): | rpm |
CVE #(s): | CVE-2006-5466
|
| Created: | November 6, 2006 |
Updated: | August 28, 2007 |
| Description: |
An error was found in the RPM library's handling of query reports. In
some locales, certain RPM packages would cause the library to crash. If
a user was tricked into querying a specially crafted RPM package, the
flaw could be exploited to execute arbitrary code with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
ruby: denial of service
| Package(s): | ruby |
CVE #(s): | CVE-2006-5467
|
| Created: | October 30, 2006 |
Updated: | December 13, 2006 |
| Description: |
The CGI library in Ruby 1.8 allowed a remote attacker to cause a denial of
service via an HTTP request with a multipart MIME body that contained an
invalid boundary specifier, which would result in an infinite loop and CPU
consumption. |
| Alerts: |
|
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
CVE #(s): | CVE-2006-1174
|
| Created: | May 25, 2006 |
Updated: | June 12, 2007 |
| Description: |
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called. |
| Alerts: |
|
Comments (none posted)
tar: symlink vulnerability
| Package(s): | tar |
CVE #(s): | CVE-2006-6097
|
| Created: | November 28, 2006 |
Updated: | December 20, 2006 |
| Description: |
Teemu Salmela discovered that tar still handles the deprecated
GNUTYPE_NAMES record type. This record type could be used to create
symlinks that would be followed while unpacking a tar archive. If a user
or an automated system were tricked into unpacking a specially crafted tar
file, arbitrary files could be overwritten with user privileges. |
| Alerts: |
|
Comments (none posted)
Mozilla products: multiple vulnerabilities
| Package(s): | thunderbird firefox seamonkey |
CVE #(s): | CVE-2006-5463
CVE-2006-5747
CVE-2006-5748
CVE-2006-5464
|
| Created: | November 8, 2006 |
Updated: | December 11, 2006 |
| Description: |
Numerous vulnerabilities have been found in the Mozilla JavaScript and HTML
rendering code, leading to possible remote code execution attacks. This CERT advisory contains details. |
| Alerts: |
|
Comments (none posted)
trac: cross-site request forgery
| Package(s): | trac |
CVE #(s): | CVE-2006-5848
CVE-2006-5878
|
| Created: | November 13, 2006 |
Updated: | December 13, 2006 |
| Description: |
It was discovered that Trac, a wiki and issue tracking system for
software development projects, performs insufficient validation against
cross-site request forgery, which might lead to an attacker being able
to perform manipulation of a Trac site with the privileges of the
attacked Trac user. |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c |
| Alerts: |
|
Comments (1 posted)
wv: integer overflow
| Package(s): | wv |
CVE #(s): | CVE-2006-4513
|
| Created: | November 2, 2006 |
Updated: | December 7, 2006 |
| Description: |
The wv library has an integer overflow vulnerability in the DOC
file parser. If a user can be tricked into opening a maliciously
crafted MSWord file, a remote attacker can execute arbitrary code
with the privileges of the user. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-6172
|
| Created: | December 5, 2006 |
Updated: | June 5, 2007 |
| Description: |
A buffer overflow was discovered in the Real Media input plugin in
xine-lib. If a user were tricked into loading a specially crafted stream
from a malicious server, the attacker could execute arbitrary code with the
user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-1664
|
| Created: | April 27, 2006 |
Updated: | February 27, 2008 |
| Description: |
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed. |
| Alerts: |
|
Comments (none posted)
xine-ui: format string vulnerabilities
| Package(s): | xine-ui |
CVE #(s): | CVE-2006-2230
|
| Created: | June 9, 2006 |
Updated: | January 24, 2007 |
| Description: |
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service. |
| Alerts: |
|
Comments (none posted)
xinit: race condition
| Package(s): | xinit |
CVE #(s): | CVE-2006-5214
|
| Created: | October 17, 2006 |
Updated: | August 9, 2007 |
| Description: |
A race condition allows local users to see error messages generated during
another user's X session. This could allow potentially sensitive
information to be leaked. |
| Alerts: |
|
Comments (1 posted)
X.org: local privilege escalations
| Package(s): | xorg-x11 |
CVE #(s): | CVE-2006-4447
|
| Created: | August 28, 2006 |
Updated: | April 30, 2007 |
| Description: |
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine. |
| Alerts: |
|
Comments (none posted)
X.Org: buffer overflow
| Package(s): | xorg-x11-server xorg-x11 |
CVE #(s): | CVE-2006-1526
|
| Created: | May 3, 2006 |
Updated: | January 10, 2007 |
| Description: |
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information. |
| Alerts: |
|
Comments (none posted)
xorg-x11: privilege escalation
| Package(s): | xorg-x11 xfree86 |
CVE #(s): | CVE-2006-3739
CVE-2006-3740
|
| Created: | September 12, 2006 |
Updated: | December 14, 2006 |
| Description: |
iDefense reported two integer overflow
flaws in the way the X.org server processed CID font files. A malicious
authorized client could exploit this issue to cause a denial of service
(crash) or potentially execute arbitrary code with root privileges on the
X.org server. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current stable 2.6 kernel is 2.6.19.1,
released on December 11.
It contains quite a few fixes, including two for security-related problems.
There have been no 2.6 prepatches over the last week as the 2.6.20
merge window is still open. Quite a few patches have found their way into
the mainline git repository; see below for a summary.
The current -mm tree is 2.6.19-mm1. Recent changes to
-mm include new debugging features for kmap_atomic(), the user-space driver framework, and
a public-key transport mechanism for eCryptfs. Mostly, however, -mm has
shrunk considerably as patches have moved into the mainline.
For older 2.6 kernels: Adrian Bunk has released 2.6.16.35 with a few dozen fixes
(one security-related). He has also released 2.6.16.36-rc1 with a handful of
patches.
Comments (2 posted)
Kernel development news
So let's come out and ban binary modules, rather than pussyfooting
around, if that's what we actually want to do.
It comes down to a question of whether we have enough leverage to push
them into doing what we want, or not - are we prepared to call their
bluff?
The current half-assed solution of chipping slowly away at things by
making them EXPORT_SYMBOL_GPL one by one makes little sense - would
be better if we actually made an affirmative decision one way or the
other.
-- Martin Bligh
Give people 12 months warning (time to work out what they're going to do,
talk with the legal dept, etc) then make the kernel load only GPL-tagged
modules.
I think I'd favour that. It would aid those people who are trying to
obtain device specs, and who are persuading organisations to GPL their drivers.
-- Andrew Morton
I'll whip up such a patch in a
bit to spit out kernel log messages whenever such a module is loaded so
that people have some warning.
--
Greg Kroah-Hartman
Comments (7 posted)
When
last week's summary was
written, the process of merging patches for 2.6.20 had just begun. Linus
has been busy since then; some of the highlights of what has gone in appear
below.
User-visible changes include:
- The kernel can now operate with a 300Hz clock rate, which happens to
work well with both 25 frame-per-second and 30 FPS video.
- New drivers for the real-time clock on OMAP1 chips, the AES engine on
Geode LX processors, IBM GXT4500P display cards, DiBcom DiB7000M and
DiB7000P demodulators, Pinnacle 400e DVB-S USB receivers, Phillips
IP3204 I2C controllers, Atmel AT91 I2C controllers, Winbond W83793
hardware monitoring chips, National Semiconductor PC87427 hardware
monitoring chips, and Apple Motion Sensors.
The "usbvision" driver has been merged, adding support for "more than
50" USB video camera devices. Finally, your editor's drivers for the
"Cafe" camera controller and OmniVision OV7670 sensor (both used in
the OLPC system) have been merged.
- The kernel can now (on i386 systems) be built in an entirely
relocatable manner. This feature is most useful for people who
install a second kernel in memory to generate crash dumps.
- Support for the Liskov-Rivest-Wagner block cypher has been added.
- A large set of fixes and enhancements for the GFS2 filesystem have
been merged; these include support for TCP connections in the lock
manager.
- Support for I/O accounting has been improved. There is a new file
(/proc/pid/io) where a process's statistics may be
read (though the netlink-based taskstats interface remains the
preferred way to get this data).
- Support for Intel's hardware virtualization features (via /dev/kvm) has
been merged.
Changes of note for kernel developers include:
- Attempts to build the kernel with gcc 4.1.0 will generate warnings,
since this compiler is known to make mistakes.
- Fixes for code broken by the workqueue changes continue
to find their way into the tree. If you have to deal with some of
this code, these
instructions may prove helpful.
- As if the workqueue changes were not enough, there is also now a
"freezable" workqueue type, being a workqueue which can be frozen
early in the suspend-to-disk process. These queues are created with
create_freezeable_workqueue(); there is no single-threaded
version available.
- There is also a new run_scheduled_work() function which will
cause a previously-scheduled work_struct to run
synchronously, assuming it has not already run elsewhere.
- The internal __alloc_skb() function has a new parameter,
being the number of the NUMA node on which the structure should be
allocated.
- The slab allocator API has been cleaned up somewhat. The old
kmem_cache_t typedef is gone;
struct kmem_cache should be used instead. The various
slab flags (SLAB_ATOMIC, SLAB_KERNEL, ...) were all
just aliases for the equivalent GFP_ flags, so they have been
removed.
- A new boot-time parameter (prof=sleep) causes the kernel to
profile the amount of time spent in uninterruptible sleeps.
- dma_cache_sync() has a new argument: the device
structure for the device doing DMA.
- The paravirt_ops code
has gone in, making it easier for the kernel to support multiple
hypervisors.
- The struct path
changes have been merged, with changes rippling through the
filesystem and device driver subsystems.
- The fault injection
framework has been merged.
- There is now a generic layer for human input devices; the USB HID code
has been switched over to this new layer.
- A new function, round_jiffies(), rounds a jiffies value up to
the next full second (plus a per-CPU offset). Its purpose is to
encourage timeouts to occur together, with the result that the CPU
wakes up less frequently.
- The block "activity function," a callback intended for the
implementation of disk activity lights in software, has been removed;
nobody was actually using it.
The merge window remains open, as of this writing, so expect a few more
things to go in before 2.6.20 takes its final shape.
Comments (8 posted)
Some patches make it into the kernel in something very close to their
original form. Others have to go through a few changes first. The
all-time record for development iterations may be held by devfs; Richard
Gooch had just released
the 157th revision
when this ill-fated subsystem was merged for 2.3.46. On that scale,
Evgeniy Polyakov is just getting started with
kevent take 26; even so,
the process must be starting to seem like a long one.
In this case, however, the long process can be seen as evidence that the
system is working as it should. The kevent subsystem is a major addition
to the Linux system call API. Once it goes in, it will have to be
supported forever (to a finite-precision arithmetic approximation, at
least). Adding a kevent interface with warts, or which does not provide
the best performance possible, would be a serious mistake. Nobody wants to
be faced with designing and implementing a new event interface in a few
years while supporting the old one indefinitely. So it makes sense to go
slowly and make sure that things have been thought out well.
The number of people posting comments on the kevent patches has been
relatively small; for whatever reason, many normally vocal developers do
not seem to have much to say on this new API. Fortunately, Ulrich Drepper
(the glibc maintainer) has taken a strong interest in this interface and
has pushed hard for the changes he thought were necessary. One gets
the sense the Ulrich and Evgeniy have gotten a little tired of each other
over the last month or so. But, to their credit, they have stuck to the
task. As of this writing, Ulrich has not commented on the version of the
API implemented in the "take 26" patch set. It does, however, clearly
reflect some of the things he has been asking for.
While Evgeniy has been concerned with getting events out of the kernel,
Ulrich has been worried about performance and robustness. So he wanted
ways for multi-threaded programs to cancel threads at any time without
losing track of which events have been processed. Whenever possible, he
would like to be able to process events without involving the kernel at
all. And he has pushed strongly for timeout values to be represented in an
absolute format. Evgeniy has (a bit grudgingly, at times) addressed most
of these wishes.
It is still possible to get a kevent file descriptor by opening
/dev/kevent, though that is no longer the only way. The
kevent_ctl() system call is still used for the management of
events:
int kevent_ctl(int fd, unsigned int cmd, unsigned int num,
struct ukevent *arg);
With kevent_ctl(), an application can add requests for events,
remove them, or modify them in place. There is a new
KEVENT_CTL_READY operation which can be used to mark specific
events as being "ready" and cause the kernel to wake up one or more
processes waiting for events.
The synchronous interface has been changed slightly:
int kevent_get_events(int ctl_fd, unsigned int min_nr,
unsigned int max_nr, struct timespec timeout,
struct ukevent *buf, unsigned flags);
The difference is that the timeout value now is a struct
timespec. That value is still interpreted as a relative timeout,
however, unless flags contains KEVENT_FLAGS_ABSTIME. In
the latter case, timeout is an absolute time, and the code will
print a warning to the effect that Evgeniy was wrong in believing that
nobody would ever want to use absolute times.
It is expected, however, that performance-aware applications will use the
user-space ring buffer rather than the synchronous interface. That ring
buffer is still set up with kevent_init():
int kevent_init(struct kevent_ring *ring, unsigned int ring_size,
unsigned int flags);
The file descriptor argument has been removed from this system call;
instead, kevent_init() opens a new file descriptor and passes it
back as its return value. Thus, there is no separate need to open
/dev/kevent.
The kevent_ring structure has changed a bit since it was last
discussed on this page:
struct kevent_ring
{
unsigned int ring_kidx, ring_over;
struct ukevent event[0];
};
The new ring_over value counts the number of times that the index
into the ring has wrapped around. This parameter is used to ensure that
the kernel and the application have the same understanding of the state of
the ring buffer before allowing the application to mark events as being
consumed.
Waiting for events to arrive in the ring is done with
kevent_wait(), which now looks like this:
int kevent_wait(int ctl_fd, unsigned int num, unsigned int old_uidx,
struct timespec timeout, unsigned int flags);
Here, too, the timeout value is a struct timespec, and, once
again, absolute timeouts must be marked with the
KEVENT_FLAGS_ABSTIME flag. This call will wait until at least
one event is ready, then copy up to num events into the ring
buffer. The old_uidx is the index of the last event that the
calling application knows about; if more events are added between when the
application checks and when it calls kevent_wait(), that call will
return immediately.
In older versions of the patch, there was no way to tell the kernel when
events had been consumed out of the ring; one simply had to hope this had
happened by the time the index wrapped around and events were overwritten.
In the new version, instead, the application's current position is tracked,
and the kernel should be occasionally informed when entries in the ring
buffer are freed. That job is done with kevent_commit():
int kevent_commit(int ctl_fd, unsigned int new_idx, unsigned int over);
Here, new_idx is the index of the last event which has been
consumed by the application. The value for over should
be the ring_over field from the kevent_ring structure.
If that value does not match what the kernel thinks it should be, the
attempt to update the index will fail on the assumption that the calling
process got scheduled out for a while and things happened while it was not
looking. If this check were not made, confusion over index wraparound
could cause events to be lost.
As of this writing, the most significant comment is that the name "kevent" suggests an
in-kernel API. The commenter (Jeff Garzik) prefers a name like "uevent"
(even though there is already a subsystem which returns "uevents" in the
kernel). If that remains the most substantial criticism, the kevent code
might find its way into the mainline long before Evgeniy breaks the devfs
record.
Comments (8 posted)
This is the fourth article in the irregular LWN series on writing video
drivers for Linux. Those who have not yet read
the introductory article may
want to start there. This week's episode describes how an application can
determine which inputs and outputs are available on a given adapter and
select between them.
In many cases, a video adapter does not provide a lot of input and output
options. A camera controller, for example, may provide the camera and
little else. In other cases, however, the situation is more complicated.
A TV card might have multiple inputs corresponding to different connectors
on the board; it could even have multiple tuners capable of functioning
independently. Sometimes those inputs have different characteristics; some
might be able to tune to a wider range of video standards than others. The
same holds for outputs.
Clearly, for an application to be able to make full use of a video adapter,
it must be able to find out about the available inputs and outputs, and it
must be able to select the one it wishes to operate with. To that end, the
Video4Linux2 API offers three different ioctl() calls for dealing
with inputs, and an equivalent three for outputs. Drivers should implement
all three (for each functionality supported by the hardware), even though,
for simple
hardware, the corresponding code can be quite simple. Drivers should also
provide reasonable defaults on startup. What a driver should not do,
however, is reset input and output information when an application exits;
as with other video parameters, these settings should be left unchanged
between opens.
Video standards
Before we can get into the details of inputs and outputs, however, we must
have a look at video standards. These standards describe how a video
signal is formatted for transmission - resolution, frame rates, etc. These
standards are usually set by regulatory authorities in each country. There
are three major types of video standard used in the world: NTSC (used in North
America, primarily), PAL (much of Europe, Africa, and Asia), and SECAM
(France, Russia, parts of Africa). There are, however, variations in the
standards from one country to the next, and some devices are more flexible
than others in the variants they can work with.
The V4L2 layer represents video standards with the type
v4l2_std_id, which is a 64-bit mask. Each standard variant is then
one bit in the mask. So "standard" NTSC is V4L2_STD_NTSC_M, value
0x1000, but the Japanese variant is V4L2_STD_NTSC_M_JP
(0x2000). If a device can handle all variants of NTSC, it can set
a standard type of V4L2_STD_NTSC, which has all of the relevant
bits set. Similar sets of bits exist for the variants of PAL and SECAM.
See this
page for a complete list.
For user space, V4L2 provides an ioctl() command
(VIDIOC_ENUMSTD) which allows an application to query which
standards are implemented by a device. The driver does not need to answer
those queries directly, however; instead, it simply sets the
tvnorm field of the video_device structure with all of
the standards that it supports. The V4L2 layer will then split out the
supported standards for the application. The VIDIOC_G_STD
command, used to query which standard is active at the moment, is also
handled in the V4L2 layer by returning the value in the
current_norm field of the video_device structure. The
driver should, at startup, initialize current_norm to reflect
reality; some applications will get confused if no standard is set, even though
they have not set one.
When an application wishes to request a specific standard, it will issue a
VIDIOC_S_STD call, which is passed through to the driver via:
int (*vidioc_s_std) (struct file *file, void *private_data,
v4l2_std_id std);
The driver should program the hardware to use the given standard and return
zero (or a negative error code). The V4L2 layer will handle setting
current_norm to the new value.
The application may want to know what kind of signal the hardware actually
sees on its input. The answer can be found with VIDIOC_QUERYSTD,
which reaches the driver as:
int (*vidioc_querystd) (struct file *file, void *private_data,
v4l2_std_id *std);
The driver should fill in this field in the greatest detail possible. If
the hardware does not provide much information, the std field
should indicate any of the standards which might be present.
There is one more point worth noting here: all video devices must support
(or at least claim to support) at least one standard. Video standards make
little sense for camera devices, which are not tied to any specific
regulatory regime. But there is no standard for "I'm a camera and can do
almost anything you want." So the V4L2 layer has a number of camera
drivers which claim to return PAL or NTSC data.
Inputs
A video acquisition application will start by enumerating the available inputs
with the VIDIOC_ENUMINPUT command. Within the V4L2 layer, that
command will be turned into a call to the driver's corresponding callback:
int (*vidioc_enum_input)(struct file *file, void *private_data,
struct v4l2_input *input);
In this call, file corresponds to the open video device, and
private_data is the private field set by the driver. The
input structure is where the real information is passed; it has
several fields of interest:
- __u32 index: the index number of the input the application is
interested in; this is the only field which will be set by user space.
Drivers should assign index numbers to inputs, starting at zero and
going up from there. An application wanting to know about all
available inputs will call VIDIOC_ENUMINPUT with index
numbers starting at zero and incrementing from there; once the driver
returns EINVAL the
application knows that it has exhausted the list. Input number zero
should exist for all input-capable devices.
- __u8 name[32]: the name of the input, as set by the
driver. In simple cases, it can simply be "Camera" or some such; if
the card has multiple inputs, the name used here should correspond to
what is printed by the connector.
- __u32 type: the type of input. There are currently only
two: V4L2_INPUT_TYPE_TUNER and
V4L2_INPUT_TYPE_CAMERA.
- __u32 audioset: describes which audio inputs can be associated
with this video input. Audio inputs are enumerated by index number
just like video inputs (we'll get to audio in another installment), but
not all combinations of audio and video can be selected. This field
is a bitmask with a bit set for each audio input which works
with the video input being enumerated. If no audio inputs are
supported, or if only a single input can be selected, the driver can
simply leave this field as zero.
- __u32 tuner: if this input is a tuner (type is set
to V4L2_INPUT_TYPE_TUNER), this field will contain an index
number corresponding to the tuner device. Enumeration and control of
tuners will be covered in a future installment too.
- v4l2_std_id std: describes which video standard(s) are
supported by the device.
- __u32 status: gives the status of the input. The full
set of flags can be found in the V4L2 documentation; in short,
each bit set in status describes a problem. These can
include no power, no signal, no synchronization lock, or the presence
of Macrovision, among other unfortunate events.
- __u32 reserved[4]: reserved fields. Drivers should set them
to zero.
Normally, the driver will set all of the fields above and return zero. If
index is outside the range of supported inputs, -EINVAL
should be returned instead; there is not much else that can go wrong in
this call.
When the application wants to change the current input, the driver will
receive a call to its vidioc_s_input() callback:
int (*vidioc_s_input) (struct file *file, void *private_data,
unsigned int index);
The index value has the same meaning as before - it identifies
which input is of interest. The driver should program the hardware to use
that input and return zero. Other possible return values are
-EINVAL (for a bogus index number) or -EIO (for hardware
trouble). Drivers should implement this callback even if they only support
a single input.
There is also a callback to query which input is currently active:
int (*vidioc_g_input) (struct file *file, void *private_data,
unsigned int *index);
Here, the driver sets *index to the index number of the currently
active input.
Outputs
The process for enumerating and selecting outputs is very similar to that
for inputs, so the description here will be a little more brief. The
callback for output enumeration looks like this:
int (*vidioc_enumoutput) (struct file *file, void *private_data
struct v4l2_output *output);
The fields of the v4l2_output structure are:
- __u32 index: the index value corresponding to the output.
This index works the same way as the input index: it starts at zero
and goes up from there.
- __u8 name[32]: the name of the output.
- __u32 type: the type of the output. The supported output
types are V4L2_OUTPUT_TYPE_MODULATOR for an analog TV
modulator, V4L2_OUTPUT_TYPE_ANALOG for basic analog video
output, and V4L2_OUTPUT_TYPE_ANALOGVGAOVERLAY for analog VGA
overlay devices.
- __u32 audioset: the set of audio outputs which can operate
with this video output.
- __u32 modulator: the index of the modulator associated with
this device (for those of type V4L2_OUTPUT_TYPE_MODULATOR).
- v4l2_std_id std: the video standards supported by this
output.
- __u32 reserved[4]: reserved fields, should be set to zero.
There are callbacks for getting and setting the current output setting;
they mirror the input callbacks:
int (*vidioc_g_output) (struct file *file, void *private_data,
unsigned int *index);
int (*vidioc_s_output) (struct file *file, void *private_data,
unsigned int index);
Any device which supports video output should have all three output
callbacks defined, even if there is only one possible output.
With these methods in place, a V4L2 application can determine which inputs
and outputs are available on a given device and choose between them. The
task of determining just what kind of video data flows through those inputs
and outputs is rather more complicated, however. The next installment in
this series will begin to look at video data formats and how to negotiate a
format with user space.
Comments (none posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
Device drivers
Filesystems and block I/O
Janitorial
Memory management
Architecture-specific
Virtualization and containers
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
In July of 1998 Gaël Duval sent LWN an
announcement for a new distribution
called Linux-Mandrake. It was based on Red Hat Linux 5.1 and KDE 1.0.
The current Mandriva Linux is a much evolved descendant of Linux-Mandrake
with influences from the acquisitions of Conectiva and Lycoris. Duval
continued to work on the distribution until Last March, when he was
laid off from Mandriva. Since then he's been
working on a new distribution,
Ulteo.
Like its predecessor Ulteo strives to be an easy to use desktop
distribution. The initial release of Ulteo
Sirius Alpha 1 features KDE 3.5.2. GNOME and XFCE desktops will be
available for the final release according to the roadmap.
Ulteo has borrowed heavily on Ubuntu/Kubuntu and Debian for this first
release. The Ulteo-kde
"Sirius" Alpha1 download is a single live CD with an install option,
like Ubuntu. The website contains a A community forum and wiki and general discussion
mailing lists are available in English, Spanish, French, German, Italian
and Polish. The development list is English only, so far.
From the About Ulteo
page:
Ulteo is a concept created by Gaël Duval, who has been deeply involved in
the Linux community for several years, as the creator of Mandrake Linux
(now "Mandriva Linux"), and co-founder of MandrakeSoft (now "Mandriva").
Much more than a new technology, Ulteo is a new concept intended to empower
people with a new and more simple way to use computers. More details of
Ulteo's concept will be released along with the first beta of the software.
Ulteo intends to contribute a portion of its profits to humanitarian and
ecological organizations. We believe that every company which benefits from
the market place should help fight against child malnutrition and current
ecological disasters.
After an afternoon of playing around on the live CD this distribution shows
quite a bit of potential. Congratulations to the Ulteo team for a great
first release.
Comments (4 posted)
New Releases
OpenPKG GmbH has announced the availability of OpenPKG Enterprise 1 to
business customers. "
Supported are all common hardware architectures
with ix86, AMD64 und SPARC processors and Unix derivates including FreeBSD,
GNU/Linux distributions und Sun Solaris. OpenPKG Enterprise 1 ships with
nearly 600 software packages, which especially contain the latest versions
of popular Open-Source Software components - including Apache, GCC, MySQL,
PostgreSQL, Samba, Perl, PHP, Python and many more."
Full Story (comments: none)
Last week we announced that openSUSE 10.2 was done. This announcement
(click below) looks at download information and where to get box sets.
Full Story (comments: none)
pure:dyne is a community effort maintained by media artists for media
artists. It is a customization of the dyne:II core for realtime audio and
video processing. It comes optimized for software such as Jack,
SuperCollider, Csound, Fluxus and of course Pure Data with a great
collection of externals (PDP, PiDiP, Gem, GridFlow, RRadical,
PixelTango...).
Full Story (comments: none)
Ulteo is the mysterious project being
pursued by Gaël Duval since he left Mandriva. This project has just
announced
its first alpha release. It appears to be a Debian-based distribution with
an emphasis on easy and automatic administration. "
What this means
is that for the next alpha release version, no installation will be
needed. Simply rebooting the system will be enough to get the new features
and bug fixes." The download mirror appear to not be up to the
current level of traffic, so waiting a while might be in order.
Comments (none posted)
Distribution News
The announcement has gone out: the distribution which will become Debian
"Etch" has been frozen. At this point, only fixes for bugs will be allowed
in as Etch gets closer to its release.
Full Story (comments: none)
Terra Soft has announced shipment of Yellow Dog Linux 5.0 DVD sets for
Playstation3. "
Available now from the Terra Soft online Store, the 2
DVD set includes more than 2000 packages for a complete desktop,
development, and server solution; a printed Guide to Installation, YDL
sticker, and flexible flier."
Full Story (comments: none)
The ubuntu-devel mailing list is being split into two lists, ubuntu-devel and
ubuntu-devel-discuss. If you are subscribed to ubuntu-devel today, you
probably also want to subscribe to ubuntu-devel-discuss. Click below for
details.
Full Story (comments: none)
New Distributions
DesktopLinux.com
covers the
inaugural release of Pioneer Linux. "
Pioneer Linux targets both new
and experienced Linux users, the project team said in the release
announcement. The product comes in two editions: as a freely downloadable
live and installation CD; and as a commercial boxed edition that includes
CrossOver Office and technical support."
Comments (none posted)
Distribution Newsletters
The
Fedora
Weekly News for December 11, 2006 covers Help Needed: Integration of
Fedora Directory Server, Fedora 7 Theme Needs Your Help!, Mozilla Corp. to
work more closely with Linux distributors, Zod LiveCD Beta Available, Linux
For You December 2006 Articles, Fedora Ambassador's Day Daily Blogs and
several other topics.
Comments (none posted)
The
Gentoo
Weekly Newsletter for the week of December 4, 2006 covers Gentoo Linux
on Playstation 3, SCALE 5X open registration, new user representative
elected and several other topics.
Comments (none posted)
The Ubuntu Weekly Newsletter for December 3, 2006 covers Ubuntu Open Week's
smashing success, Technalign and Ubuntu, LoCo news, upcoming meetings
(including the recently scheduled Community Council Meeting), the Kurdish
Ubuntu investigation, several X server-related specifications, and much more.
Full Story (comments: none)
The
DistroWatch
Weekly for December 11, 2006 is out. "
As hinted earlier, the new
openSUSE 10.2 was released on time. One of the most popular Linux
distributions on the market, the latest release appears solid and
reasonably bug-free, at least compared to version 10.1. We'll take a brief
look at the new release, comment on the project's association with Novell,
and provide a few handy resources for extending the product. Also in this
week's issue: Debian delays Etch, Ulteo releases Sirius, Mandriva prepares
a cooker snapshot, and PC-BSD reaches the final round of testing before its
updated stable release. Finally, don't miss the new commercial distribution
by Technalign: Pioneer Linux."
Comments (none posted)
Package updates
Updates for
Fedora Core 6:
autofs
(bug fixes),
autofs (rebuild due to
buildsystem failure),
m17n-db (bug fix),
bind (bug fixes),
dhcp (upgrade to ISC dhcp-3.0.5),
freeradius (bug fix),
openssh (bug fixes),
swig (update to 1.3.31),
vino (don't cause high cpu load),
pygtk2 (bug fix),
pycairo (update to 1.2.6),
gnome-pilot (update to 2.0.15),
gnome-pilot-conduits (update to 2.0.15),
nautilus-cd-burner (bug fixes),
beagle (update to 0.2.13),
screen (new version from upstream with IPv6
patch),
at (daylight-savings fix),
perl-Crypt-SSLeay (bug fixes),
xorg-x11-drv-tdfx (update to 1.3.0),
xorg-x11-drv-s3 (update to 0.5.0),
xorg-x11-server (bug fix),
grep (bug fixes),
parted (upgrade to GNU parted-1.8.1),
pyparted (upgrade to pyparted-1.8.1),
rdesktop (update to 1.5.0),
vte (update to 0.14.1),
ghostscript (update to 8.15.3),
squid (update to the latest upstream).
Updates for Fedora Core 5: nfs-utils
(bug fix), swig (update to 1.3.31), quagga (bug fix), perl-DBD-MySQL (update to latest upstream
version), parted (upgrade to GNU
parted-1.8.1), pyparted (upgrade to
pyparted-1.8.1).
Updates for Fedora Extras [5,6,devel]: ssmtp (security bugs fixed).
Comments (none posted)
Updates for
Mandriva Linux 2007.0:
powermanga (bug fix),
tomboy (bug fix for gnome-sharp2 on x86_64).
Updates for Mandriva Corporate Server 4.0: phpmyadmin (update fixes bugs and security
issues), php-eaccelerator (upgrade to 0.9.5
final), logrotate (bug fixes), glibc (sync kernel and userspace tools, x86_64
bug fix).
Comments (none posted)
Updates for
rPath Linux 1:
setup
(add programs to /etc/shells),
rmake (bug
fixes and enhancements).
Comments (none posted)
Updates for
Trustix Secure Linux 3.0:
kernel (new upstream version).
Comments (none posted)
Updates for
Ubuntu 6.10:
openoffice.org (bug fixes),
gnome-vfs2 (monitor loop patch),
xorg (upload to edgy-updates),
gnome-system-tools (crasher fix),
gimp (gettext domain patch),
gtk+2.0 (grid_lines fix),
gnome-games (fix to mahjong difficult mode
score storing),
libgnomeprintui
(translation fix),
wlassistant (bug fixes),
kdebase (upload to edgy-updates),
vino (fix password free patch),
vino (work with nokia 770 patch),
udev (include firmware_helper in initramfs),
control-center (bug fixes),
mdadm (bug fixes),
kopete (bug fix).
Updates for Ubuntu 6.06 LTS: gcl
(bug fix), maxima (upload to
dapper-updates).
Comments (none posted)
Newsletters and articles of interest
Linux.com
looks at
securing a distribution. "
There's no dearth of Linux distributions
to choose from. With so many to choose from, one might think it's as easy
as picking up the Linux kernel, throwing in a few applications, setting up
repositories, making ISOs and you've got a shiny new Linux distro. Well,
there's more to a Linux distro than assembling applications and making sure
everything works. A lot of time and effort, at least for major distros, is
spent on making the distribution secure and getting updates out in a timely
fashion."
Comments (none posted)
tectonic
covers
tuXlab GNU/Linux, a new distribution based on Edubuntu and Xubuntu, from
Inkululeko Technologies. "
Inkululeko's Jonathon Carter says "the
goal of the tuXlab operating system is to provide a user friendly, support
friendly, localised, feature rich environment for schools. It forms part of
the tuXlab model, which aims to develop a sustainable open source ICT model
for the education- and development sector." tuXlab has been used
extensively in the Shuttleworth-backed schools Linux project originating in
the Western Cape but until now has not been available as a product. Carter
says that it was the Foundation's policy not to fund software development
internally, but that it is now possible to release and support tuXlab
software since it is managed by Inkululeko Technologies, which provides
Linux services to the education, development and commercial
sectors."
Comments (none posted)
DesktopLinux.com
looks at the
Gentoo PS3 Linux installation procedure. "
Gentoo Linux's project
team has published information -- contained in its weekly online newsletter
-- on how to load and use its popular distro on the new Sony Playstation 3,
which is all the rage among gamers at the moment." A full set of
instructions and general compatibility notes, is available
here.
Comments (none posted)
Behind Ubuntu
interviews Ben
Collins. "
What are you working on for feisty? In regards
to the kernel, I'm working to improve our hardware support and
stability. We're finally ramping up our kernel team, and I'm hoping this
gives me more time to work on bugs and new features."
Comments (none posted)
Distribution reviews
DesktopLinux
takes a look
at openSUSE 10.2. "
This latest community Linux distribution from
Novell, SUSE, and friends is based on a 2.6.18.2 Linux kernel. Users can
choose between the KDE 3.5.5 or GNOME 2.16.1 desktop environments, both of
which run on top of the X.Org 7.2rc2 windowing system."
Comments (none posted)
Linux.com
reviews
Mandriva Flash. "
Mandriva Flash is a 2GB Dane-Elec USB key loaded
with Mandriva Linux 2007. It gets points for style: the key is an
attractive deep blue surrounded by a sturdy metal fence that leaves room on
both ends to attach the key to a lanyard or keychain. The release notes say
that the operating system and related files only take up half the space on
the USB drive, leaving 1GB for my own files. This little powerhouse packs a
lot of punch, once you get it up and running."
Comments (none posted)
Linux.com
reviews
openSUSE 10.2. "
First impressions are important, and openSUSE 10.2
made a strong enough impression with me that I may be making openSUSE 10.2
my new desktop OS. I installed openSUSE 10.2 RC1 soon after its release in
late November, and I've been kicking the tires on the final release since
it was made public last Thursday. Here's my report."
Comments (none posted)
Page editor: Rebecca Sobol
Development
The
Center for Advanced Media--Prague (CAMP),
known for its
Campsite
multi-lingual news publishing system, is developing free software
for use in media under the Campware name:
Campware is dedicated to develop, distribute, support and implement useful tools for independent news media in emerging democracies. All Campware software is released as open source and under the GNU General Public License.
The various Campware projects are being worked on by an international
group of
software developers and the projects are funded by the
Media Development Loan Fund.
One of the major projects from Campware is the Campcaster radio station
automation system. Version 1.1 "Freetown" of Campcaster was recently
released:
Campcaster helps you run your radio station. Do automated broadcasting and live studio playout in one system: schedule your broadcasts from the comfort of your own home with the Campcaster Web component, or do dynamic live shows with the Campcaster Studio desktop application.
What's the big deal about this release? We'll cut to the chase: Campcaster 1.1 is the first release that is stable and feature-complete enough to be used in production systems.
The Campcaster 1.1
press release has more
information on Campcaster and how it is being used. The initial project
funding has been provided by the
Open Society Institute.
Campcaster 1.1, code-named Freetown, was built with conditions in
difficult environments such as Sierra Leone in mind, such as limited
Internet availability. But Campcaster's relevance is not limited to the
developing world: stations in the developed world are starting to adapt
the system to their own needs. For example, Vienna, Austria's Radio
Orange is adapting Campcaster's playout system to work with its existing
digital archive, while in Hungary, a network of independent radio
stations is integrating Campcaster's storage server into its IKRA
project, a website engine for radio stations.
The major Campcaster features include:
- Designed to work on the Debian and Ubuntu distributions.
- Includes both GUI and web-based interfaces.
- Station program material is archived in a central repository.
- Supports Internet-based virtual radio stations with program sharing capabilities.
- The web-based interface allows for remote station management.
- Allows manually controlled playback of sound files and playlists.
- Includes an automatic playback system for running playlists at future times.
- Playlists can be nested within other playlists.
- The Gstreamer multimedia framework is used playback.
- Includes a search-based backup system for making archives of material.
- Includes a scratchpad interface for documenting recently played material.
- Supports multi-lingual operation through the use of Unicode.
- Has no restrictions on multiple instance uses of the software.
- Has an open and extensible architecture based on XML-RPC APIs.
The online
manual
explains the use of Campcaster in more detail and the
screenshots show the software in action.
For those who wish to try out Campcaster, the
Installation and Setup cheat sheet has prerequisite and installation
information. The software is available for download
here.
Comments (none posted)
System Applications
Audio Projects
Version 0.9.79 of Rivendell, a radio station automation system, is out
with a new SoundPanel button pause feature and a database schema bug fix.
Full Story (comments: none)
Database Software
Version 5.1.14 Beta of the MySQL DBMS is out with a long list of changes.
"
We are proud to present to you the MySQL Server 5.1.14 Beta
release, a new Beta version of the popular open source database.
Bear in mind that this is a beta release, and as any other pre-production
release, caution should be taken when installing on production level
systems or systems with critical data."
Full Story (comments: none)
The December 10, 2006 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL DBMS articles and resources.
Full Story (comments: none)
Libraries
Version 0.1i of
RFIDIOt, an open-source Python RFID library, is out. Changes include new support for FDX-B and
EM4x02 tags as well as an updated GUI for e-passports.
Full Story (comments: none)
Version 0.3 of Tftpy, a Python TFTP Library,
has been announced.
"
This release adds variable block sizes, and general option support,
implementing RFCs 2347 and 2348. This is accessible in the TftpClient class
via the options dict, or in the sample client via the --blocksize option."
Comments (none posted)
Web Site Development
Version 1.8.1 of the Midgard web development platform has been released.
"
Midgard 1.8.1 release includes major features' enchancements:
preview for new integrated replication functionality,
compatibility with 64bit systems and major fixes."
Full Story (comments: none)
The django project notes some
comparisons of web development platforms.
"
Web framework comparisons are inevitable, and they've been showing up more and more often.
A couple of weeks ago, Alan Green and Ben Askins put together a "RailsVsDjango" report, and they presented their findings at the Open Source Developers' Conference in Melbourne, Australia.
In the latest batch, both from the last 24 hours, we've got a relatively flame-baitish comparison of Django and Rails, along with a much more constructive comparison."
Comments (none posted)
The November 16-30, 2006 edition of
Zope News
is out with the latest Zope web development platform news.
Comments (none posted)
Miscellaneous
Release R1 of the Linux-ready Firmware Developer Kit has been announced.
"
In this release many bugs have been fixed and several
key enhancements have been done to help the ease of use of the kit, and
several new tests have been added.
The Linux-ready Firmware Developer Kit is a tool to test how well Linux
works together with the firmware (BIOS or EFI) of your machine, and is
designed for use by both firmware development teams and Linux kernel
hackers to prevent and diagnose firmware bugs."
Full Story (comments: none)
Desktop Applications
Audio Applications
KDE.News
has announced
the third issue of the
Amarok Weekly News.
"
Third issue of Amarok Weekly News talks about cross-desktop media player cooperation, cool new additions to Amarok, and refreshed artwork.
And again, it also includes useful tips."
Comments (none posted)
Data Visualization
Version 5.7.1 of
PLplot,
a library of functions for making scientific plots, is out.
The
release notes state:
"
This is a routine development release of PLplot. It represents the ongoing
efforts of the community to improve the PLplot plotting package. Development
releases in the 5.7.x series will be available every few months. The next full
release will be 5.8.0."
Comments (none posted)
Desktop Environments
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
The December 10, 2006 edition of the
KDE Commit-Digest has been
announced.
The content summary says:
"
The beginnings of Sega Genesis/Megadrive support in Gamefu. kdegames improvements continue with porting and gameplay work in KBackGammon. OpenDocument master page support in Okular. 'Idle time' detection comes to the 'powermanager' module of the Guidance system utilies. MIDI format support in KTabEdit. The new histogram graphing functionality of Strigi continues to be refined. Following Akonadi, NEPOMUK starts to utilise the power of Strigi. WHATWG audio objects supported in KHTML through Phonon. Appointment printing work in KOrganizer. Kross scripting infiltrates KWord."
Comments (none posted)
The following new Xorg software has been announced this week:
More information can be found on the
X.Org Foundation wiki.
Comments (none posted)
Electronics
Version 20061205 of
Covered,
a Verilog electronic simulation language code coverage analysis tool,
is out with the following changes:
"
A few updates to the core code to properly support VPI usage were necessary which is why this is not a stable release. At this point, regressions are fully passing with Icarus Verilog, Cver and VCS in both dumpfile and VPI modes of operation -- an important milestone for the upcoming 0.5 stable release. There is still additional testing of existing functionality that needs to be done as well as finishing the GUI documentation support using the new HelpSystem documentation reader utility before I would consider Covered ready for a new stable release."
Comments (none posted)
Version 0.9 of
eispice,
a clone of the Berkley Spice 3 Simulation Engine,
has been announced. Changes include:
"
Added a self-extracting Windows installation binary to the download page. - Added a prototype PyB Python defined Behavioral Model. - Transitioned from using the obsolete Numeric library to the new Numpy library. - Added nested sub-circuit support."
Comments (none posted)
Financial Applications
Version 2.0.3 of GnuCash, a money management application, has been released.
"
Personal and small business accounting in GNU/Linux will be
easier and better after today's release of GnuCash 2.0.3.
This release of the free, open source accounting program improves on the
generational advances in the last version. GnuCash 2.0 is based on
state-of-the-art gtk2 GUI technology. Developers worked hard to
integrate the Gnome Human Interface Guidelines (HIG) for a consistent
behaviour and look-and-feel for the whole Desktop."
Full Story (comments: none)
Games
Version 1.8 of
Pygame,
a Python-based game development platform, is scheduled for release on
December 15.
"
Following a period of beta, and RC releases Pygame 1.8 will be released at 2006/12/15 10:00:36.873456 AEST! "
Comments (none posted)
GUI Packages
Trolltech
has released Qt 4.2.2.
"
Trolltech today announced the release of Qt 4.2.2, the latest version of its leading framework for high performance cross-platform application development; and Qtopia Core 4.2.2, the leading application framework for single-application devices powered by embedded Linux. Qt and Qtopia Core 4.2.2, which include a wide range of bug fixes and optimizations, were released today to customers and the open source community."
Comments (none posted)
Version 2.8.0 of
wxWidgets,
a cross-platform GUI toolkit, is out.
"
The wxWidgets team is pleased to announce a major new release. Compared with the last stable series (2.6), 2.8.0 adds wxAUI (an advanced user interface library for docking and other functionality), wxRichTextCtrl, wxComboCtrl, wxOwnerDrawnComboBox, wxTreebook, various picker controls such as wxColourPickerCtrl, wxHyperlinkCtrl, partial right-to-left language support, support for Core Graphics on Mac OS X, tar archive support, and more."
Comments (none posted)
Interoperability
Version 0.9.27 of Wine
has been announced.
Changes include:
Better support for noexec kernels, Better Dwarf support in dbghelp,
Several Winsock fixes, Various code cleanups and Lots of bug fixes.
Comments (none posted)
Medical Applications
LinuxMedNews
mentions
an effort to port
Synapse Electronic Medical Record to Linux.
"
Alpha builds are now available to play with (Libc6). Synapse EMR is a GUI rich free EMR on Win32. See here Lots of things not working yet, but the basic GUI comes up. Still to work on printing, print preview etc. Only 50% thru reading Linux for Dummies so once I finish that I'll have more ideas on how to complete this project!"
Comments (none posted)
Music Applications
Version 0.95 of CLAM, is a C++ framework for doing research and
application development in audio and music, is out.
"
Most important in this release is NetworkEditor 0.4, with a radically
reworked UI based on Qt4.2, lots of work on stability and usability, and
new visual-prototyping features.
You can visually prototype standalone apps (or audio plugins):
Edit audio networks with NetworkEditor, then edit its UI using Qt Designer
and CLAM widgets plugins. Finally, Prototyper let you run the audio network
with its UI."
Full Story (comments: none)
Initial release version 0.00.2 of pnpd is available.
"
pnpd is a new computer music system. it's based on a dataflow syntax,
that is closely related to pd or max/msp, although it introduces some
new concepts. at the moment, it doesn't contain a graphic user
interface, but a text-based patcher language. it can be controlled via
osc and support audio i/o via portaudio, the dsp backend is highly
optimized for performance, especially for cpus supporting sse
instructions."
Full Story (comments: none)
Office Suites
OpenOffice.org 2.1 is out; click below for details and download
information.
"
The presentations application, Impress, now supports
multiple monitors, with the presenter choosing where to display the
presentation. The Calc spreadsheet has an improved HTML export
capability, using styles to better recreate in a browser the
appearance of the original spreadsheet. The database application,
Base, has a number of enhancements, including improved support for
Microsoft's Access product. The popular Quickstarter is now available
for GNU/Linux users as a GTK application."
Full Story (comments: none)
Web Browsers
The Alpha 1 of Gran Paradiso
has been announced.
"
Gran Paradiso Alpha 1, an early developer milestone based on the Gecko 1.9
branch, has been released. Gran Paradiso, a mountain group located in Italy,
is also the project codename for Firefox 3. There are no significant user
interface changes. Core layout and rendering changes include use of Cairo as
the default graphics library, use of Cocoa Widgets for MAC OSX builds and new
SVG elements."
Comments (none posted)
Miscellaneous
Stable version 0.6 of ISO Master
has been announced.
"
ISO Master is a graphical editor for ISO images with support for ISO9660, RockRidge, and Joliet file names. It is useful for extracting, deleting, or adding files and directories to or from an ISO image. It is based on the bkisofs and GTK2 libraries."
Comments (none posted)
Version 0.9 of MeshLab
has been announced, it features new filtering tools and improved obj
file handling.
"
MeshLab is a GPL portable and extendible system for the processing and
editing of unstructured 3D triangular meshes. The system is aimed to help the
processing of the typical not-so-small meshes arising in 3D scanning,
providing a set of tools for editing, cleaning, healing, repairing,
inspecting, rendering and converting this kind of meshes."
Comments (none posted)
Languages and Tools
Caml
The December 12, 2006 edition of the Caml Weekly News is online.
Topics include: updated godi package for wyrd, Creating wrappers for
C libraries, A Question About Types and Inlining, APC, IMT, IceDock and
OCaml D-Bus 0.01.
Full Story (comments: none)
Haskell
The December 12, 2006 edition of the
Haskell Weekly News
is online. Lots of new, practical Haskell libraries released this week, including support for ogg sound file parsing, a new user interface library, ftp clients and servers, database bindings as well as config files and logging.
Comments (none posted)
Perl
The December 3-9, 2006 edition of
This week on the Perl 6 mailing lists
has been published. Take a look for the latest Perl 6 developments.
Comments (none posted)
Python
Version 1.1.6 final of the python imaging library
has been announced.
"
PIL 1.1.6 final is 1.1.6b2 plus some portability fixes, and threading support for the Sane extension."
Comments (none posted)
The python-dev Summary is out with coverage of the python-dev mailing
list for the period of November 16-30, 2006.
Full Story (comments: none)
The December 11, 2006 edition of the Python-URL! is online with
a new collection of Python article links.
Full Story (comments: none)
The minutes from the November 13, 2006 Python Software Foundation
board meeting have been posted.
Comments (none posted)
Tcl/Tk
The December 12, 2006 edition of Dr. Dobb's Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Version 1.0.1 of 4Suite XML, a Python library for XML processing,
has been announced.
"
Thanks to all the testers, there are a number of important fixes and
improvements
since 1.0, and we recommend upgrade from all previous versions."
Comments (none posted)
chromatic
reviews Perl's XML::Atom on O'Reilly.
"
I recently needed to filter and process some Atom feeds. I know enough XML that I could process them with my own SAX filter, but this seemed like a better opportunity to use the XML::Atom module. Fortunately, it was very easy."
Comments (none posted)
Alexander Boldakov, Maxim Grinev, Kirill Lisovsky
discuss Mixed Content Processing on O'Reilly's XML.com.
"
Document-oriented XML usually has highly irregular structure in which elements might be mixed in unknown way. Processing such XML requires advanced data-driven facilities: push-style processing enriched with transformation rules and side-effect-free updates. In this article we emphasize such facilities in three XML-native languages: XQuery, XSLT, and OmniMark; and analyze applicability of these languages and their combinations to document-oriented XML processing."
Comments (none posted)
Build Tools
Version 0.7.5 of BuildBot
has been announced.
"
The BuildBot is a system to automate the
compile/test cycle required by most software projects to validate code
changes. It builds and tests the tree each time a change is committed,
providing status updates through a web page or other protocols."
Comments (none posted)
Test Suites
Version 0.7.0 of the Linux Desktop Testing Project (LDTP),
a test automation framework and tool collection for testing the
Linux Desktop, is out.
"
This release features number of important
breakthroughs in LDTP as well as in the field of Test Automation. This release note covers a brief
introduction on LDTP followed by the list of new features and major bug fixes which makes this new
version of LDTP the best of the breed. Useful references have been included at the end of this
article for those who wish to hack / use LDTP."
Full Story (comments: none)
Version Control
Version 0.9.2 of
Mercurial,
a source control management (SCM) system, has been released. This
version adds a number of new features and extensions.
Full Story (comments: none)
Miscellaneous
John Mazzitelli
discusses I18N messages and logging on O'Reilly.
"
Sick of internationalizing by making your own code take responsibility for
finding and using ResourceBundles? The i18nlog project offers an
annotations-based way to simplify your internationalization tasks and even
allow you to internationalize your logging. John Mazzitelli explains why
this is a good idea."
Comments (none posted)
Niall Kennedy has posted a
weblog entry about Guido van Rossum's Mondrian project.
"
Guido van Rossum unveiled his first Google project, Mondrian, tonight during a Python tech talk at the Google campus in Mountain View. Mondrian is a web-based code review system built on top of a Perforce and BigTable backend with a Python-powered front-end. Mondrian is a pretty impressive system and is currently in use across Google."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
ZDNet
follows the battle around the OpenDocument Format (ODF) and
Microsoft Office Open XML document formats.
"
Jeff Kaplan, the founder and director of Open ePolicy Group, which advocates for the use of "open technologies" in government, said that governments are seizing upon Microsoft alternatives out of self-interest.
"Governments are leading to move to ODF because they want control over data and to break their data lock-in. They see it as a matter of sovereignty, and they are uncomfortable with continued dependency on one company," Kaplan said. He added that the expected Ecma standard certification of Office Open XML will increase confusion in the marketplace."
Comments (8 posted)
Groklaw has
an
article by Georg Greve of the Free Software Foundation Europe on
OpenXML adoption. "
German is an interesting language, and many of
its words have made it into English. Novell's recent deal with Microsoft is
begging to add another one: Danaergeschenk. The term translates to "Gift by
the Danaer" and has the same roots as "Greeks bearing gifts," which goes
back to the siege of Troy. Novell's Danaergeschenk to the world is the
recent announcement to implement OpenXML support in OpenOffice.org."
Comments (25 posted)
Seymour Papert, a long-time AI researcher and one of the inspirations
behind the One Laptop Per Child program, has been hit by a motorcycle and
badly injured in Vietnam. This
Boston.com
story has some more information. Best wishes.
Comments (2 posted)
Trade Shows and Conferences
DesktopLinux.com
covers the
Desktop Architects Meeting. "
Over the past week, some of the Linux
desktop's foremost developers gathered together in Portland, Oregon at the
OSDL (Open Source Development Labs) Desktop Architects Meeting to work
further on bringing order to the Linux desktop. According to John Cherry,
the OSDL's Desktop Linux initiative manager, there was a good turnout of
about 45 developers from the community, including major Linux vendors such
as Novell and Red Hat, and ISVs (independent software vendors) like Google
and Adobe."
Comments (4 posted)
Linux.com
reports
from the 20th Large Installation System Administration (LISA) conference.
"
The 20th Large Installation System Administration (LISA) conference
continued Wednesday with the LISA award ceremony, a keynote by none other
than Cory Doctorow, noted sci-fi author, former Electronic Frontier
Foundation (EFF) employee, and consumer privacy advocate, and a slew of
technical sessions. Of specific interest to systems administrators (the
audience LISA seeks to attract) was that Tobias Oetiker and Dave Rand won
the SAGE Outstanding Achievement award for their work on MRTG and
RRDTool."
Comments (none posted)
Companies
Linux Journal's Nicholas Petreley
discusses
vendor lock-in and Microsoft Vista.
"
I can't urge you strongly enough to read the article entitled How Vista Lets Microsoft Lock Users In. It details how Microsoft has built into Vista the "trusted computing" ability to lock down Office files via DRM such that no unauthorized document reader will be able to decrypt and read them. This is perhaps one of the biggest hidden weapons Microsoft has in its arsenal that could sabotage Linux and OpenOffice.org if Microsoft succeeds in its attempt to plug SUSE and all Novell's "interoperability" bonuses.
Think of this, if you will, as the Tivoization of Office files, only with
malicious intent."
Comments (10 posted)
Robin 'Roblimo' Miller has a
humorous
account of a recent trip to the Microsoft corporate headquarters.
"
I spent December seventh, eighth, and ninth in Seattle as
Microsoft's guest. Microsoft flew me there from Florida at its expense,
put me up in a nice hotel, provided decent food, and comped me and four
other invitees to this "special conference" with presentations about the
marvels of Vista and other recent or upcoming Microsoft products. They
didn't quite play the old Beatles song "Love Me Do" in the background, but
it was the event's unstated theme. And, as a free bonus, Microsoft gave me
a free Zune to pass on to a developer who wants to put Linux on it or make
a utility that will allow it to interact with a PC running Linux."
Comments (12 posted)
Linux at Work
Roberto Sedycias, IT Consultant for PoloMercantil has
written
an article on the use of open source software for the electronic
auction site www.polomercantil.com.br. "
As we started the project of
the electronic auction www.polomercantil.com.br, we knew that the
proprietary software costs would be too high for our financial
resources. Our only option then was to make use of Open Source Code
softwares."
Comments (none posted)
Interviews
Groklaw
interviews Jerry Rosenthal of the Open Invention Network. "
What would an OIN defense look like? Typically, our first action would be to contact the organization that is claiming patent infringement. Our goal would be to have a conversation where we allow them to license our IP in return for a license to their patents. If necessary, we might demonstrate how their products might infringe on our patents. Legal proceedings for patent infringement would be our last resort. While we can adequately handle the latter, our goal is to build the Linux ecosystem with the former."
Comments (none posted)
Free Software Magazine
interviews
Fred Trotter, editor of
LinuxMedNews. "
Recently
Medsphere, supposedly an "Open Source" Medical Software Company, has sued
its founders Scott and Steve Shreeve. Why? Medsphere claims that the
Shreeves illegally released Medsphere software to Sourceforge. An "Open
Source" Software company is suing its founders for releasing code under a
free license... that's a bit like Ford suing its employees for making
cars. Recently Fred Trotter has come forward with evidence that he claims
makes the Medsphere lawsuit baseless. Read on for an email interview with
Fred Trotter regarding who did what in the Medsphere lawsuit, and why every
free software developer should care about what is happening to the
Shreeves."
Comments (2 posted)
NetworkWorld
talks
with Vyatta execs about the Open Flexible Router. "
Open source
router company Vyatta debuted earlier this year with a Red Hat-style
alternative to Cisco and Juniper offerings: the Open Flexible Router, an
open source-based WAN router and firewall stack, freely downloadable, with
service and support offerings available for purchase. Since then the
company has generated buzz in the network industry, while releasing
products such as a pre-installed appliance-like version on Dell
servers. Vyatta CEO Kelly Herrell and chief strategy officer Dave Roberts
recently told Network World Senior Editor Phil Hochmuth what Vyatta is, and
is not, and what it hopes to become. (The following is an edited
transcript.)" (Thanks to Peter Link)
Comments (8 posted)
Resources
Paul Virijevich
introduces FDS in a Linux.com article.
"
Directory services play a vital part in today's networks by helping administrators manage network users and resources. Until recently, the only choice for deploying a secure and easy-to-use open source directory server was OpenLDAP. While it gets the job done, it lacks the polish of commercial alternatives. Now Fedora Directory Server (FDS), Red Hat's open source LDAP server, makes setting up an enterprise directory server on Linux simple."
Comments (none posted)
Reviews
Tectonic (South Africa)
takes a look at the Campcaster suite for radio station automation. "
'Campcaster provides features that used to be only available in extremely expensive commercial radio systems,' says Sava Tatić, Managing Director of the Media Development Loan Fund's Center for Advanced Media, Prague (CAMP), which coordinates the Campware Initiative. 'We believe there is a strong north-south aspect to using and extending Campcaster,' Tatić says. 'Every time a station in North America or Europe adapts and extends Campcaster, stations in places like Sierra Leone benefit.'."
Comments (none posted)
Miscellaneous
Linux.com
looks at a
security project that has used the Coverity bug checker to perform
security audits on open source software. "
It's been nearly a year
since the US Department of Homeland Security (DHS) announced the
"vulnerability discovery and remediation open source hardening project," a
$1.24 million, three-year grant through its research and development arm,
the Directorate for Science and Technology. Now, the security project is
entering its research phase."
Comments (14 posted)
Bruce Byfield
follows the progress of the LinuxBIOS project.
"
Throughout the project's history, support from chip manufacturers and OEMs has been mixed. When the project started, Minnich remembers, information from Intel was readily available. Now, information about Intel chips is closely guarded, and the company prefers to promote its mixed source Extensible Firmware Interface (EFI) as the next generation of chip technology. By contrast, Advanced Micro Devices (AMD) was slow to support LinuxBIOS, but is now a major contributor to the project. Among OEMs, supporters include Acer, Advancetech, SIS, Momentum Computer, and Newisys. The project also works closely with OpenBIOS, a project with similar aims.
Currently, Richard Smith, BIOS release manager for OLPC, says, "There are about 30 chipsets in the [repository] tree with various degrees of completion. The AMD boards are supported particularly well.""
Comments (7 posted)
Linux.com
reports
that the Mozilla Foundation has agreed to make changes to its development and
distribution processes that will accommodate the needs of Linux
distributors. "
The sheer number of changes made independently by the
distros made merging patches upstream difficult, if not impossible, and led
to secondary problems like debates over usage of the Mozilla
trademark. Furthermore, the current Mozilla policy is to accept only
security fixes for stable code branches. Since many distros must continue
to support older Firefox releases shipping with their own long-term-support
releases, even patches that provide major stability fixes would not
propagate upstream."
Comments (none posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Free Software Foundation has sent out a press release announcing that
has pledged $60,000 to the
Free Ryzom
Campaign. This campaign is seeking to purchase and free the Ryzom
multiplayer game, the owner of which is currently in bankruptcy court
(LWN
covered this
campaign last week). "
The Free Ryzom campaign represents a unique opportunity for the free
software movement and the emerging free gaming field. A fully free
MMORPG (massively multiplayer online roleplaying game) engine and
client/server architecture would allow the development of a myriad of
universes, each one evolving its own philosophy and unique content - but
sharing in general technical improvements." According to the
release, this pledge lets the campaign raise its bid to €200,000.
Full Story (comments: 7)
Ecma International has
approved
Office Open XML Formats as an Ecma standard and voted to submit the new
standards to the International Organization for Standardization (ISO) for
consideration as an ISO standard through the fast-track process.
Comments (43 posted)
KDE.News
reports that
Sirius Corporation has become a Supporting Member of the
KDE project.
"
Sirius' commitment to KDE is our second supporting membership and follows Canonical's recent patronage of the project. Sirius and KDE are joint participants in SQO-OSS, an EU-funded project that assesses the quality of Open Source code."
Comments (none posted)
Commercial announcements
Adaptive Planning has announced the release of
Adaptive Planning Express Edition 3.0.
"
Adaptive Planning Express Edition delivers a full set of
capabilities for collaborative budgeting and forecasting. Featuring
improvements in global navigation, formula management, data administration,
and performance, Version 3.0 provides business users in Finance and other
departments with a no-fee enterprise solution that makes it easier than ever
before to move beyond spreadsheets for managing budgeting and ongoing
re-forecasting and analysis."
Full Story (comments: none)
Collax has announced a new version of Collax Security Gateway.
"
Collax today announced expanded bandwidth management of the
Collax Security Gateway. The UTM solution in Version 4.0.10 prioritizes and guarantees bandwidths
in Virtual Private Networks; giving Voice-over-IP (VoIP), and other critical business applications
such as ERP systems, priority in the VPN tunnel."
Full Story (comments: none)
Covalent has added Terracotta Clustering capabilities to its
Enterprise Ready Server product.
"
Covalent Technologies, a leading supplier of complete
enterprise open source solutions , today announced that it is bundling Terracottas clustering
technology with Covalents Enterprise Ready Server, the most widely distributed Web infrastructure
framework in Fortune 500 enterprises that combines the Apache Web server, Apache Tomcat Application
Server, and related modules into a single, certified build. Enterprises gain scalability, as
clustering with Terracotta makes Apache Tomcat scale almost 10X better than Tomcat on its own and
surpasses the scalability of the majority of commercial application servers currently available."
Full Story (comments: none)
Fortify Software Inc. and FindBugs have
announced the launch of the
Java Open Review (JOR) Project.
"
The goal of the JOR Project is to boost the security and quality of
open source software written in Java, one of the fastest growing
programming languages used by open source software developers. Fortify and
FindBugs are providing the review to help open source software project
owners identify and fix quality and security errors quickly -- before they
affect the performance of the software or pose a security risk to users."
Comments (none posted)
Intalio has announced plans to release their Intalio|BPMS Community Edition
under an amended version of the Mozilla Public License.
"
Intalio|BPMS Community Edition includes an Eclipse-based business process design tool that supports
the Business Process Modeling Notation (BPMN). It also generates executable processes using the
Business Process Execution Language (BPEL), a BPEL execution engine that can be deployed on top of
any J2EE application server, and a workflow framework that supports the BPEL4People model developed by IBM and SAP.
Users of the Open Source Intalio|BPMS Community Edition can later on upgrade to Intalio|BPMS
Enterprise Edition through a yearly subscription plan."
Full Story (comments: none)
Novell has
a
press release showing customer support for the company's deal with
Microsoft. "
Nearly all respondents agree with improving
interoperability, having products that work well together, and having tools
that make it easier to manage mixed Windows(R) and Linux environments. The
survey, jointly commissioned by Novell and Microsoft, was conducted by
Penn, Schoen & Berland Associates Inc., a respected independent market
research firm."
Comments (14 posted)
Open-Xchange Inc. has
announced a partnership and support agreement with MySQL AB.
"
Open-Xchange will add MySQL support to its Linux based collaboration
solution, Open-Xchange Server. Both companies will work to ensure optimized
interaction between MySQL databases and Open-Xchange groupware
functionality for joint customers."
Comments (none posted)
rPath
has announced its selection by Newbury Networks for work on
Newbury's wireless LAN location appliance.
"
Newbury provides real-time location tracking solutions through its patented location-based technology.
Using Newburys 802.11 device tracking capabilities, the Newbury Location Appliance accurately and precisely locates Wi-Fi devices while enabling a host of enterprise applications such as asset tracking, voice, security and network provisioning. Using rBuilder, the development process for Newbury was reduced to a matter of weeks versus months."
Comments (none posted)
Sun Microsystems, Inc. has
announced
the availability of Java Platform Standard Edition 6 (Java SE 6).
"
The Java SE 6 release is the result of over two years of
industry-wide development involving open review, weekly builds and
extensive collaboration between Sun engineers and over 330 external
developers. Developers interested in getting started immediately with the
Java SE 6 release can leverage the new NetBeans(TM) Integrated Development
Environment (IDE) 5.5, which fully supports all the latest features of the
Java SE 6 platform."
Comments (28 posted)
Terra Soft will be selling PLAYSTATION3 game boxes installed
with Yellow Dog Linux.
"
Terra Soft is now accepting pre-orders for the PLAYSTATION®3 with Yellow Dog
Linux pre-installed, offering both the GameOS and Yellow Dog Linux at boot.
More than a gamebox, the PLAYSTATION®3 with the multi-core Cell microprocessor
was designed by Sony Computer Entertainment to function as a personal
computer. Yellow Dog Linux offers this functionality with greater than 2000
applications, everything needed for a personal computer, Cell workstation, or
light-duty cluster node."
Full Story (comments: none)
TimeSys has announced the appointment of Joseph J. Raffa as Interim CEO
by the board of directors.
"
Mr. Raffa replaces former
TimeSys president and CEO, Larry Weidman, who recently left the
company to pursue personal interests. Mr. Raffa currently serves on
the board of directors at TimeSys. In this interim role, Mr. Raffa
will direct and oversee company strategy and sales activities as
TimeSys continues to support its successful and innovative
LinuxLink(TM) web-based resource for embedded Linux developers. He
will also lead the company's active search for a permanent CEO."
Full Story (comments: none)
New Books
No Starch Press has published the book
Code Craft: The Practice of Writing Excellent Code by Pete Goodliffe.
Full Story (comments: none)
O'Reilly has published the book
MySQL Cookbook, Second Edition by Paul Dubois.
Full Story (comments: none)
Resources
The Asia-Pacific Development Information Programme has put together a
report entitled "Breaking Barriers: The Potential of Free and Open Source
Software for Sustainable Human Development"; it is a set of 14 case studies
taken from all over the world. It's downloadable as
a 1MB
PDF file.
Comments (3 posted)
The December 11, 2006 edition of the FSFE Newsletter is out with
the latest Free Software Foundation Europe news.
Full Story (comments: none)
Contests and Awards
KDE.News
reports on a prize draw for
translation work on KPhotoAlbum.
"
KPhotoAlbum has entered string freeze for its new release, and author Jesper
Pedersen is offering a prize draw for those who complete the translation.
Individuals and teams with 100% of the strings translated will be entered into
the draw for $100 to take place on hogmanay alongside the new release."
Comments (none posted)
The SAGE Outstanding Achievement Award 2006 has been given to
Tobias Oetiker and Dave Rand, the authors of MRTG and RRDtool.
"
The Swiss Open Source Software developer Tobias Oetiker together
with Dave Rand receives the 2006 SAGE Outstanding Achievement Award for
the creation of the Open Source Software tools MRTG and RRDtool. In their
commendation, SAGE points out:
"Before the creation of these tools, the only people that could reap
the benefits of long-term, historical statistics gathering were
people with multimillion dollar budgets. MRTG and RRDtool
democratized, and therefore popularized, historical data
collection. As a result, network utilization planning has gone from
being guesswork to a fine art."
Full Story (comments: none)
Calls for Presentations
A Call for Papers and Music has gone out for the Linux Audio Conference
2007.
"
This is the second call for papers for the 5th Linux Audio Developers
Conference (LAC2007). This is a reminder since some people might not
have received the last call or might just have forgotten about the
deadlines by now (08 Jan 2007 : Deadline for submission of papers,
worshops, tutorials, demos, hands on demos and music)."
LAC2007 takes place at the TU-Berlin, in Germany on March 22-25, 2007.
Full Story (comments: none)
A call for papers and attendance has gone out for the
2007 Xorg Developer's Conference.
"
The next X Developer's Conference is scheduled on February 7-9, 2007.
The location is not yet firm, but we are looking at two possible
locations. One is in Santa Clara, CA, and the other is in Menlo Park, CA."
Full Story (comments: none)
Upcoming Events
The PyPy Leysin Winter Sports Sprint
has been announced, it will take place on January 8-14, 2007.
"
The next PyPy sprint will be in Leysin, Switzerland, for the fourth
time. This sprint will be the final public sprint of our EU-funded
period, and a kick-off for the final work on the upcoming PyPy 1.0
release (scheduled for mid-February).
The sprint is the last chance for students looking for a "summer" job
with PyPy this winter! If you have a proposal and would like to
work with us in the mountains please send it in before 15th December".
Comments (none posted)
Events: December 21, 2006 to February 19, 2007
The following event listing is taken from the
LWN.net Calendar.
| Date(s) | Event | Location |
December 27 December 30 |
23rd Chaos Communication Congress 2006 |
Berlin, Germany, |
January 11 January 12 |
Foundations of Open Media Software |
Sydney, Australia |
January 15 January 20 |
linux.conf.au 2007 |
Sydney, Australia, |
January 20 January 26 |
Cell Hack-a-thon |
Loveland, CO, USA |
January 23 January 26 |
Open Source Meets Business |
Nürnberg, Germany |
| January 24 |
European Patent Conference |
Brussels, Belgium |
January 30 February 1 |
Solutions Linux Expo |
Paris, France |
February 1 February 2 |
LinuxDays Luxembourg |
Luxembourg, Luxembourg |
| February 2 |
FUDCon Boston 2007 |
Boston, MA, USA |
February 7 February 9 |
Free Software World Conference 3.0 |
Badajoz, Spain |
February 7 February 9 |
Xorg Developer's Conference |
Santa Clara, CA, USA |
| February 9 |
Women In Open Source |
Los Angeles, USA |
| February 9 |
Open Source Health Care Summit |
Los Angeles, USA |
February 10 February 11 |
2007 Southern California Linux Expo |
Los Angeles, USA |
February 12 February 13 |
Vancouver PHP Conference |
Vancouver, BC, Canada |
February 12 February 13 |
Linux Storage and Filesystem Workshop |
San Jose, CA, USA |
February 12 February 16 |
Ruby on Rails Bootcamp Training |
Atlanta, USA |
February 12 February 15 |
3GSM World Congress 2007 |
Barcelona, Spain |
February 14 February 15 |
LinuxWorld OpenSolutions Summit |
New York, NY, USA |
| February 15 |
TiE Open Source Summit |
Pittsburgh, PA, USA |
| February 16 |
The Ubucon New York |
New York, NY, USA |
If your event does not appear here, please
tell us about it.
Audio and Video programs
LinuxMedNews
mentions
the availability of a video keynote address from Eben Moglen's 2006 Seattle Plone Conference keynote.
"
Eben Moglen: '...Software can
prevent software from being owned. Software itself can lift the software tax.
That's where we are at this moment. On that cusp. In this neighborhood, at
this moment, the richest and most deeply funded monopoly in the history of
the world is beginning to fail...the very engineering limits of trying to
make software that you own work as well as software that the community
produces are becoming apparent...'"
Comments (none posted)
Page editor: Forrest Cook
Letters to the editor
| From: |
| gralex-AT-free.fr |
| To: |
| letters-AT-lwn.net |
| Subject: |
| Benefits of software freedom |
| Date: |
| Fri, 08 Dec 2006 15:21:48 +0100 |
Dear LWN,
I've been reading with interest the GNOME Foundation board election article and
the statements from the candidates for the positions. However, I felt I
couldn't disagree more on the views of one of them: Joachim Noreiko. You quote
him as saying:
"What freedoms exactly? The computer users I know can't code. What are they
going to with the source code they have the freedom to modify?"
That is absolutely wrong. It's like stating that if you're not a journalist, you
don't benefit from freedom of press. I'm not a coder, but I benefit greatly from
free software. In the same way that I benefit from high-quality articles in the
newspapers I read because the journalists can do their job freely. The
developers who work on free software are free to develop as they wish and
benefit from each other's openness and the end-product is good, thus benefiting
everyone.
And there's also the added benefit that because the development process is open,
I can learn from it and all the best practices that can be applied to software
development. So I can get involved at my own level.
Regards,
Alexandre
Comments (6 posted)
Page editor: Jonathan Corbet