LWN readers will, by now, be well familiar with the fact that the Fedora
universe is changing. There will be no more Fedora Core releases, and the
repository known as Fedora Extras is going away. In their place will be a
combined distribution known simply as Fedora, with the next release being
called Fedora 7. The Fedora community is busily trying to figure out
just what that release is going to look like.
Bill Nottingham posted a discussion
document on January 4. It keeps the previously-discussed
schedule, with the first test release happening on January 30 and
general availability of Fedora 7 on April 26. There's a long
list of objectives for
this release, some of which are:
- Improving the speed of the boot and shutdown processes. "While
Xerxes appreciates that he can grab a cup of coffee while waiting for
his Fedora system to boot, it becomes annoying when he is not actually
thirsty." There are a number of ideas on how this speedup can
be effected, none of which appear to involve switching to Upstart. There is talk of replacing
init, but nobody appears to own that task currently; it seems
unlikely to happen for Fedora 7.
- CodecBuddy - a recognition that not all content can currently be found in free
formats. The idea is that the software would detect an attempt to
play a file in an unsupported format and respond with an educational session on
why free formats are better. Should the user not respond by
immediately deleting all MP3 files, CodecBuddy will offer a pointer to
available codecs whenever Red Hat Legal allows.
- Encrypted
filesystem support, though which encryption technology will be
used has not been decided yet.
- Fast
user switching - being able to move between different accounts
while retaining the current desktop status of each. Making this
feature work in a secure and robust way is not trivial.
- The creation of a desktop "spin" of the distribution. That leads to a
few related issues - see below.
- Firewire
support that actually works. "Requires rewriting the kernel
firewire stack. No biggie."
- Support for the KVM virtualization API. KVM appears to be the future
of Linux virtualization, so distributions will need to pick it up.
What will happen to Xen support is unclear; Xen is unpopular with some
of the Fedora folks, but is high on the Red Hat list.
- Support for the new parallel
ATA drivers, moving away from the old IDE subsystem. The PATA
drivers are an improvement, but they will cause drives to be renamed,
leading to potential system chaos. Fedora systems have used the
mount-by-label feature for some time, so most installed systems should
handle the change without trouble.
- The addition
of Nouveau, the reverse-engineered NVidia driver. Whether this
driver will be ready by the time Fedora 7 needs it remains to be
seen, however.
- Speeding up Yum and RPM. That, alone, should justify the cost of an
upgrade to Fedora 7.
There's much more on the list, but the above should be enough to give a
sense for what is going on. The Fedora developers would like to improve
their distribution in a number of significant ways, and in a very short
period of time.
Most of the desired changes are uncontroversial. The creation of a desktop
version of the distribution, however, has been the subject of a fair amount
of discussion. The Fedora distribution has traditionally been fairly
strongly tied to the GNOME desktop. As Fedora tries to expand its
community, though, there is a stronger set of voices calling for support of
a KDE version of Fedora as well. Nobody seems to oppose that idea, but
there is still a shortage of consensus on how it should be done.
As often seems to happen in community discussions, the Fedora developers
have gotten hung up on a relatively unimportant issue: naming. Current
plans call for the GNOME-based version of the distribution to be named
"Fedora Desktop," while the KDE-based version would be "Fedora KDE." The
KDE users, who were under the impression that they had a desktop too, think
that this naming goes against the idea of KDE being an equal citizen.
Others claim that "Fedora Desktop" is meant to be a combination of the
"best of breed" desktop software, most of which just happens to come from
the GNOME project. They hold out the possibility of a separate "Fedora
GNOME" version for GNOME purists; it would feature tools like AbiWord,
Gnumeric, and Epiphany, which currently have failed to qualify for the
"best of breed" designation. This idea doesn't seem to make the KDE
community feel much better.
Jeff Spaleta has posted a call for peace on
this issue, saying:
But more importantly in the near term, the fact that there is going to
be a KDE spin is a fundamentally important step in terms of opening
the process for community involvement. How about we, as engaged and
proactive community members, focus on making the technical side of
that happen. Whether the Desktop spin is called the Desktop spin or
the 'Office Professional Workforce of Doom' spin it's trivially
unimportant compared to helping Rex get the KDE spin out the door.
On the technical side, the biggest disagreement would appear to be over
whether Firefox should be included. There has also been some discussion of
OpenOffice.org and Evolution. In each case, there seems to be some
tension between a "pure" KDE system and a desire to include applications
that some users are likely to want. Since the unwanted presence (or
absence) of any of these tools is relatively easy to correct after
installation, one assumes that a solution will be found that everybody is
able to live with.
This kind of discussion is not new in the free software community, but it
is relatively new to Fedora. As this distribution opens up and accepts
more input from outside of Red Hat, there is no doubt that it will get more
opinions as well. How these newcomers are accommodated will have a big
effect on how successful a more community-oriented Fedora will be. We should
see some concrete signs of how well the community is working sometime
around late April.
There is a wide variety of online role-playing games on the net.
Second Life is unique among them,
however, and not just for the lack of quests to fulfill or monsters to
kill. In the Second Life environment, "residents" can lease "property" and
create interesting artifacts through the use of a built-in scripting
language. The environment has proved free and powerful enough to bring
together hundreds of thousands of people, many of whom have engaged in
large-scale acts of world building. Second Life has shown what can happen
when the tools of creation are available to all, but it remains a
proprietary service running on proprietary software.
As of January 8, however, Second Life has become a little less proprietary.
Linden Lab, the company which owns Second Life, has announced the
release of the Second Life viewer application under version 2 of the
GPL. The viewer is the client which runs on the user's system; it is a
significant chunk of code. Its release should enable interested developers
to enhance the Second Life experience - and, perhaps, stabilize the Linux
client somewhat.
The way is not yet clear for an entirely free Second Life client, however,
as the released code depends on a number of libraries shipped in binary
form. Interestingly, many of those libraries (cURL, expat, Mesa,
ogg/vorbis, openssl, zlib, etc.) are free software; it is not clear why
Linden feels the need to ship its own copies of them. There are a couple
of proprietary libraries in there as well, however. Linden hopes to either
relicense or route around those libraries in the near future; a quick
glance by your editor suggests that this objective should not be too hard
to achieve. The Second Life client would appear to be almost free.
Those who would hack on the client code must sign a
contributor agreement [PDF] before contributing any changes back. This
agreement is essentially a copyright transfer; it allows Linden to do
anything it wants with the code. Linden offers
commercial licensing terms, so contributors should be sure that they
have no objections to that use of their code.
The freeing of this code is a good thing; it brings the free software world
that much closer to being a first-class participant in the creation of
interesting virtual worlds. It is only a beginning, however. The bulk of
the logic which implements Second Life lives on the server side, and that
code remains proprietary. Imagine if the original WWW browsers had been
released into a world where a single company owned the only web server;
that is, to a first approximation, where we stand with Second Life at this
time. As long as this state of affairs persists, Second Life will remain
just another proprietary service.
Linden has some
grand visions for how Second Life could grow:
A lot of the Second Life development work currently in progress is
focused on building the Second Life Grid - a vision of a globally
interconnected grid with clients and servers published and managed
by different groups. Expect many changes and updates in the coming
months in support of this architecture.
Now that sounds like fun, but it will only reach its potential if
the server code is free. Linden continues to make noises - but no promises
- about freeing this code. The freeing of the client is a good start; it
shows that Linden is serious about involving the community. Releasing the
server code will require a rather larger leap of faith on Linden's part,
however; the server is where the company makes its money. Let's hope that
Linden can find a way to take that leap.
For whatever reason, there has recently been an increase in the number of
corporate LWN subscribers who want to receive information by fax. Your
editor, having long seen facsimile as a sort of quaint technology for
people who don't have email access, has never kept a fax machine around;
there just hasn't been much call for it. Recently, however, wandering over
to the local mailbox outlet to send faxes has become somewhat tiresome -
and time consuming. The printer was showing signs of old age as well, so
it seemed it was time to get a new toy in the form of
one of those all-in-one devices which can print, scan, copy, and, yes, send
faxes.
A long stint as a system administrator was enough to teach your editor that
the management of printers ranks high on the list of Truly Obnoxious
Tasks. For whatever reason, making printers work properly has always been
painful, whether one is connecting a dot-matrix line printer to a VAX or a
contemporary inkjet to a Linux system. So your editor approached the task
with some trepidation, and with a fair amount of advance research. To this
end, the linuxprinting.org site, which was merged into the Free
Standards Group last year, remains an invaluable resource.
Your editor ended up with an HP OfficeJet device which performs all of the
required functions. It may yet be convinced to wash the dishes as well,
though it seems that feature is not yet well supported under Linux.
Everything else is, however. Printing Just Works. Scanning with xsane
Just Works. Overall, it is a very nice device, and making it work with
Linux was just about painless.
A great deal of credit is due to HP, which has made free drivers available
for its hardware. Thanks to this openness on HP's part, its hardware is
fully supported on Linux systems and can be used to its full potential.
That policy just resulted in another sale for HP, and, probably, many
others. It behooves us to be sure that HP hears that feedback from its
Linux customers. If manufacturers understand that supporting Linux means
more sales, they will support Linux.
Credit is also due to the HPLIP
project, which has packaged HP's drivers with a significant amount of
support code. HPLIP integrates well with CUPS, which has done a great deal to
civilize printing on free systems. Finally, the distributors have done a
lot of work to make the setup of new printers easy. All of this work has
transformed an administrator's job; when your editor thinks back to writing
lpd output filters for a new device, he feels an immediate need for a
strong drink. Now it has become necessary to find a new excuse for
drinking.
Congratulations to all of those who have managed to bring
about such an improvement over a few short years.
The seventh edition of
linux.conf.au
starts on January 15 in Sydney. Over the years, linux.conf.au has
become one of the most vibrant, interesting, and just plain fun free
software events on the planet.
This year's program looks
likely to continue the trend. LWN editor Jonathan Corbet is lucky enough
to be speaking at
the event; come and say "hi" if you're in the area.
Page editor: Jonathan Corbet
Security
January 10, 2007
This article was contributed by Jake Edge.
A new tool, 0trace, that can sometimes
peek through a firewall and provide information about the hosts and addresses
living behind it was recently
released. The tool itself is in a rough, proof-of-concept form,
but it can provide interesting results that are likely unexpected by
the network administrator. Understanding how 0trace accomplishes
this feat requires a bit of firewall background.
Many firewalls use Network Address Translation (NAT) to multiplex multiple
internal computers over
one external, routable, IP address. When an internal host makes a
connection to the outside world,
the NAT device rewrites the addresses in the packets so that the external
host believes it is talking to the firewall itself rather than the
actual host (which is typically in the private, unroutable IP space).
In order to do that, the NAT device records information about the connection:
the IP addresses for the internal and external hosts as well as port
information. It is this established connection table that 0trace exploits
in order to do its work.
The basic scheme is much the same as traceroute in that 0trace
sends packets with increasing time-to-live (TTL) values and listens to
the ICMP "time exceeded" responses to determine the hosts that the packet
has traversed. The difference is that 0trace uses an established connection
to piggyback its probes on. Because many NAT implementations do not closely
examine packets that are associated with an established connection, those
responses, even from internal hosts, are forwarded along.
Users of traceroute are familiar with the '*' character that gets
printed when there is no response from one of the hops; tracing a
route these days typically ends in a series of hops without a response,
resulting in several rows of '* * *'. These are often systems that are
behind firewalls which filter out the probe packets that traceroute
sends because they are not associated with a connection that the
firewall knows about. The example in the announcement shows
0trace output from a scan of www.ebay.com with several internal IP addresses
past the point where the traceroute output stops.
In order to run 0trace, one must first establish a connection with the host
of interest. Using telnet to port 80 is one way to go about that;
once the connection is established, the 0trace shell script is run. That script
sets up a tcpdump to grab the traffic to and from the supplied
IP address and then waits. The user
must generate some traffic at this point and typing 'GET / HTTP/1.0'
(followed by one return) is a good way to do that. 0trace analyzes the
TCP packet dump to retrieve the sequence and ack numbers from the
conversation; the shell script then passes those off to the 0trace C program
(sendprobe). Using proper sequence/ack numbers from the established
connection further disguises the 0trace traffic as a legitimate part of
the conversation.
This technique is not new and the author, Michal Zalewski, credits a number
of other people in the announcement and ensuing thread, but this is likely
the first public implementation. The implementation is very dependent on
the exact format of tcpdump output and is rather fragile because
of that, but it is an interesting proof-of-concept. Zalewski invites
interested people to improve upon it. Using it against hosts without their
permission might be considered illegal in some jurisdictions; one should
exercise care before using it. It does
show a weakness in current NAT implementations that will likely need to be
addressed.
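A defender's view of the behavior described above, as an added example that is not part of the original article or of 0trace itself: probes that ride an established connection arrive with a run of small, distinct TTL values that stand out against the connection's usual TTL. The log format, addresses and thresholds below are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed capture summary (not real traffic): one inbound packet per line,
# as seen on the outside interface of the NAT device.
# Fields: time src_ip src_port dst_ip dst_port ip_ttl
SAMPLE = """\
0.00 192.0.2.10 40000 198.51.100.5 80 52
0.05 192.0.2.10 40000 198.51.100.5 80 52
0.30 192.0.2.10 40000 198.51.100.5 80 52
2.00 192.0.2.10 40000 198.51.100.5 80 1
2.01 192.0.2.10 40000 198.51.100.5 80 2
2.02 192.0.2.10 40000 198.51.100.5 80 3
2.03 192.0.2.10 40000 198.51.100.5 80 4
0.10 192.0.2.77 51000 198.51.100.5 80 113
0.20 192.0.2.77 51000 198.51.100.5 80 113
0.40 192.0.2.77 51000 198.51.100.5 80 112
0.15 203.0.113.9 33000 198.51.100.5 80 57
0.25 203.0.113.9 33000 198.51.100.5 80 57
0.35 203.0.113.9 33000 198.51.100.5 80 5
"""


def parse(text):
    """Yield (flow, ttl) per well-formed line; flow = (src, sport, dst, dport)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip blank or malformed lines
        try:
            flow = (parts[1], int(parts[2]), parts[3], int(parts[4]))
            ttl = int(parts[5])
        except ValueError:
            continue  # non-numeric port or TTL
        yield flow, ttl


def find_ttl_walks(packets, max_probe_ttl=8, min_distinct=3, min_gap=10):
    """Return {flow: sorted low TTLs} for flows that look like a TTL walk.

    A flow is flagged when it carries at least `min_distinct` different TTL
    values that are (a) at or below `max_probe_ttl` and (b) at least
    `min_gap` below the flow's usual TTL. The thresholds are assumptions
    to be tuned per network.
    """
    ttls_by_flow = defaultdict(list)
    for flow, ttl in packets:
        ttls_by_flow[flow].append(ttl)

    findings = {}
    for flow, ttls in ttls_by_flow.items():
        # The most common TTL is taken as the path's normal value: ordinary
        # packets repeat it, while each probe carries a different TTL.
        baseline = Counter(ttls).most_common(1)[0][0]
        low = sorted({t for t in ttls
                      if t <= max_probe_ttl and baseline - t >= min_gap})
        # A single stray low-TTL packet is not enough; require a run of
        # distinct values, which is what a hop-by-hop walk produces.
        if len(low) >= min_distinct:
            findings[flow] = low
    return findings


if __name__ == "__main__":
    for flow, ttls in find_ttl_walks(parse(SAMPLE)).items():
        print("possible TTL walk inside established flow", flow, "TTLs", ttls)
```

Only the first constructed flow is reported; the flow with a one-off low TTL and the flow with ordinary TTL jitter are not.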
New vulnerabilities
avahi: denial of service
Package(s): avahi
CVE #(s): CVE-2006-6870
Created: January 5, 2007
Updated: January 15, 2007
Description: A flaw was discovered in Avahi's handling of compressed DNS packets. If
a specially crafted reply were received over the network, the Avahi
daemon would go into an infinite loop, causing a denial of service.

drupal: code injection
Package(s): drupal
CVE #(s): none listed
Created: January 10, 2007
Updated: January 10, 2007
Description: A failure to properly sanitize arguments allows an attacker to inject code into a Drupal system (advisory). There is also a denial of service vulnerability exploitable by users with the ability to post content on the site (advisory).

fetchmail: password disclosure and DOS
Package(s): fetchmail
CVE #(s): CVE-2006-5867, CVE-2006-5974
Created: January 10, 2007
Updated: March 16, 2007
Description: Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols (advisory) and a denial of service vulnerability (advisory).

geoip: path traversal
Package(s): geoip
CVE #(s): CVE-2007-0159
Created: January 10, 2007
Updated: January 24, 2007
Description: Geoip fails to do sanity checking on returned filenames, opening up a path traversal vulnerability.

kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-5749, CVE-2006-4814, CVE-2006-6106
Created: January 5, 2007
Updated: January 8, 2009
Description: A security issue has been reported in the Linux kernel due to an error in
drivers/isdn/i4l/isdn_ppp.c: the "isdn_ppp_ccp_reset_alloc_state()"
function never initializes an event timer before scheduling it with the
"add_timer()" function.
The mincore function in the kernel does not properly lock access to user
space, which has unspecified impact and attack vectors, possibly related to
a deadlock.
Another vulnerability has been reported in the Linux kernel caused by a
boundary error within the handling of incoming CAPI messages in
net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain
kernel data structures.

krb5: uninitialized pointers
Package(s): krb5
CVE #(s): CVE-2006-6143, CVE-2006-3084
Created: January 10, 2007
Updated: July 7, 2010
Description: The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.

openoffice.org: integer overflows
Package(s): openoffice.org
CVE #(s): CVE-2006-5870
Created: January 4, 2007
Updated: January 13, 2007
Description: The OpenOffice.org WMF file processor has several integer overflow bugs.
Maliciously crafted WMF files can be used to cause OpenOffice.org to
execute arbitrary code when the files are opened by a user.

proftpd: denial of service
Package(s): proftpd
CVE #(s): CVE-2005-4816
Created: January 10, 2007
Updated: January 10, 2007
Description: The proftpd FTP server is vulnerable to a denial of service attack when Radius authentication is in use.

wordpress: SQL injection
Package(s): wordpress
CVE #(s): none listed
Created: January 10, 2007
Updated: January 10, 2007
Description: Stefan Esser discovered an SQL injection vulnerability in wordpress exploitable through the use of different character sets.

X.org: integer overflows
Package(s): xorg, xorg-server
CVE #(s): CVE-2006-6101, CVE-2006-6102, CVE-2006-6103
Created: January 10, 2007
Updated: March 8, 2007
Description: A number of integer overflows have turned up in the X.org server. Some of these overflows involve calls to alloca(), and thus make corruption of the stack relatively easy. This vulnerability is exploitable by anybody who can make a connection to the server, meaning that it is a local root exploit in most settings. See this advisory for details.

Updated vulnerabilities
apache: cross-site scripting
Package(s): apache
CVE #(s): CVE-2006-3918
Created: August 9, 2006
Updated: April 4, 2008
Description: From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server
was returned to the user in an unescaped error message. This could
allow an attacker to perform a cross-site scripting attack if a victim was
tricked into connecting to a site and sending a carefully crafted Expect
header."

apache-mod_auth_kerb: off-by-one error
Package(s): apache-mod_auth_kerb
CVE #(s): CVE-2006-5989
Created: November 24, 2006
Updated: January 23, 2007
Description: An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows
remote attackers to cause a denial of service (crash) via a crafted
Kerberos message that triggers a heap-based buffer overflow in the
component array.

bind: denial of service
Package(s): bind
CVE #(s): CVE-2006-4095, CVE-2006-4096
Created: September 7, 2006
Updated: February 1, 2007
Description: Bind has two denial of service vulnerabilities.
- On recursive servers, queries for SIG records will trigger an assertion
failure if more than one RR set is returned.
- An INSIST failure can be triggered by sending a large number of
recursive queries.

bugzilla: multiple vulnerabilities
Package(s): bugzilla
CVE #(s): CVE-2006-5453, CVE-2006-5454, CVE-2006-5455
Created: November 10, 2006
Updated: August 28, 2007
Description: Bugzilla has the following vulnerabilities:
- Input data passed to various fields is not properly sanitized before
being passed back to users.
- Users can gain unauthorized access to read attachment
descriptions while using diff mode.
- HTTP GET and HTTP POST requests can be used to perform unauthorized
actions due to improper verification.
- Input that is passed to showdependencygraph.cgi is not properly
sanitized before being returned to users.

busybox: insecure password generation
Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time.

bzip2: race condition and infinite loop
Package(s): bzip2
CVE #(s): CAN-2005-0953, CAN-2005-1260
Created: May 17, 2005
Updated: January 10, 2007
Description: A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also, specially crafted bzip2 archives may cause
an infinite loop in the decompressor.

cacti: multiple vulnerabilities
Package(s): cacti
CVE #(s): CVE-2006-6799
Created: January 1, 2007
Updated: January 26, 2007
Description: The network monitoring and graphing frontend Cacti has three vulnerabilities.
- The cmd.php script allows command line usage and is also installed in a
web-accessible location.
- The cmd.php input is insufficiently sanitized;
a passed-in URL can be used to inject arbitrary SQL code.
- The cmd.php script can be used by a remote attacker to execute arbitrary
shell commands via improperly sanitized results from SQL queries.

cpio: arbitrary code execution
Package(s): cpio
CVE #(s): CVE-2005-4268
Created: January 2, 2006
Updated: March 17, 2010
Description: Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with, e.g., a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).

vixie-cron: privilege escalation
Package(s): cron
CVE #(s): CVE-2006-2607
Created: May 31, 2006
Updated: June 1, 2009
Description: The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.

cscope: buffer overflows
Package(s): cscope
CVE #(s): CVE-2006-4262
Created: October 2, 2006
Updated: June 16, 2009
Description: Will Drewry of the Google Security Team discovered several buffer overflows
in cscope, a source browsing tool, which might lead to the execution of
arbitrary code.

cscope: buffer overflows
Package(s): cscope
CVE #(s): CVE-2004-2541
Created: May 22, 2006
Updated: June 19, 2009
Description: A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.

Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
Package(s): cyrus-sasl
CVE #(s): CVE-2006-1721
Created: April 21, 2006
Updated: September 4, 2007
Description: Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending a specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate.

dbus: denial of service
Package(s): dbus
CVE #(s): CVE-2006-6107
Created: December 15, 2006
Updated: February 12, 2007
Description: Unspecified vulnerability in the match_rule_equal function in bus/signals.c
in D-Bus before 1.0.2 allows local applications to remove match rules for
other applications and cause a denial of service (lost process messages).

denyhosts: denial of service
Package(s): denyhosts
CVE #(s): CVE-2006-6301
Created: January 3, 2007
Updated: January 3, 2007
Description: A botched regular expression allows a remote attacker to add arbitrary hosts to the denyhosts blacklist, causing those hosts to be unable to make ssh connections to the target system.

dovecot: index cache file handling error
Package(s): dovecot
CVE #(s): CVE-2006-5973
Created: November 29, 2006
Updated: May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.

elinks: arbitrary file access
Package(s): elinks
CVE #(s): CVE-2006-5925
Created: November 16, 2006
Updated: October 22, 2009
Description: The elinks text-mode browser has an arbitrary file access vulnerability
in the Elinks SMB protocol handler. If a user can be tricked into
visiting a specially crafted web page, arbitrary files may be read or
written with the user's permissions.

elog: multiple vulnerabilities
Package(s): elog
CVE #(s): CVE-2006-5063, CVE-2006-5790, CVE-2006-5791, CVE-2006-6318
Created: December 28, 2006
Updated: January 3, 2007
Description: elog, a web-based electronic logbook, has multiple vulnerabilities that
may lead to arbitrary code execution.
Log entry editing in HTML has a cross-site scripting vulnerability.
A number of format string vulnerabilities may be used for the execution of
arbitrary code. There are cross-site scripting vulnerabilities related to
the creation of new logbook entries.
There is insufficient error handling in the config file parsing that may be used for a denial of service attack.

ffmpeg: buffer overflows
Package(s): ffmpeg
CVE #(s): CVE-2006-4799, CVE-2006-4800
Created: September 14, 2006
Updated: May 28, 2007
Description: The AVI processing code in FFmpeg has a number of buffer overflow
vulnerabilities.
If an attacker can trick a user into loading a specially
crafted AVI, arbitrary code can be executed with the user's privileges.

Mozilla stuff: multiple vulnerabilities
freeradius: several vulnerabilities
Package(s): freeradius
CVE #(s): CVE-2005-4745, CVE-2005-4746
Created: August 8, 2006
Updated: April 24, 2007
Description: Several remote vulnerabilities have been discovered in freeradius, a
high-performance RADIUS server, which may lead to SQL injection or denial
of service.

freetype: integer overflows
Package(s): freetype
CVE #(s): CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467
Created: June 8, 2006
Updated: June 1, 2010
Description: The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.

ftpd: privilege escalation
Package(s): ftpd
CVE #(s): CVE-2006-5778
Created: November 10, 2006
Updated: February 14, 2007
Description: Ftpd is vulnerable to a privilege escalation attack;
an incorrect seteuid() call can be used by an FTP user to gain
unauthorized access to files or directories.

gcc: file overwrite vulnerability
Package(s): gcc
CVE #(s): CVE-2006-3619
Created: September 6, 2006
Updated: March 14, 2008
Description: The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree.

gdb: buffer overflow
Package(s): gdb
CVE #(s): CVE-2006-4146
Created: September 15, 2006
Updated: June 12, 2007
Description: A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU
Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to
execute arbitrary code via a crafted file with a location block
(DW_FORM_block) that contains a large number of operations.

gdm: improper file permissions
Package(s): gdm
CVE #(s): CVE-2006-1057
Created: April 19, 2006
Updated: May 2, 2007
Description: The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem.

gedit: format string vulnerability
| Package(s): | gedit |
CVE #(s): | CAN-2005-1686
|
| Created: | June 9, 2005 |
Updated: | February 5, 2009 |
| Description: |
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user. |
| Alerts: |
|
Comments (1 posted)
gnupg: stack overwrite
| Package(s): | gnupg |
CVE #(s): | CVE-2006-6235
|
| Created: | December 12, 2006 |
Updated: | March 13, 2007 |
| Description: |
A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to
execute arbitrary code via crafted OpenPGP packets that cause GnuPG to
dereference a function pointer from deallocated stack memory. |
| Alerts: |
|
Comments (3 posted)
grip: buffer overflow
| Package(s): | grip |
CVE #(s): | CAN-2005-0706
|
| Created: | March 10, 2005 |
Updated: | November 19, 2008 |
| Description: |
Grip, a CD ripper, has a buffer overflow vulnerability that can
occur when the CDDB server returns more than 16 matches. |
| Alerts: |
|
Comments (none posted)
gv: stack-based buffer overflow
| Package(s): | gv |
CVE #(s): | CVE-2006-5864
|
| Created: | November 20, 2006 |
Updated: | April 9, 2007 |
| Description: |
Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv
3.6.2, and possibly earlier versions, allows user-assisted attackers to
execute arbitrary code via a PostScript (PS) file with certain headers that
contain long comments, as demonstrated using the DocumentMedia header. |
| Alerts: |
|
Comments (none posted)
gzip: multiple vulnerabilities
| Package(s): | gzip |
CVE #(s): | CVE-2006-4334
CVE-2006-4335
CVE-2006-4336
CVE-2006-4337
CVE-2006-4338
|
| Created: | September 19, 2006 |
Updated: | January 20, 2010 |
| Description: |
Tavis Ormandy of the Google Security Team discovered two denial of service
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to hang or
crash.
Tavis Ormandy of the Google Security Team discovered several code execution
flaws in the way gzip expanded archive files. If a victim expanded a
specially crafted archive, it could cause the gzip executable to crash or
execute arbitrary code. |
| Alerts: |
|
Comments (1 posted)
gzip: arbitrary command execution
| Package(s): | gzip |
CVE #(s): | CAN-2005-0758
|
| Created: | August 1, 2005 |
Updated: | January 10, 2007 |
| Description: |
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occur in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names. |
| Alerts: |
|
Comments (2 posted)
imagemagick: buffer overflows
| Package(s): | imagemagick |
CVE #(s): | CVE-2006-5868
|
| Created: | November 28, 2006 |
Updated: | February 16, 2007 |
| Description: |
Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI
file format decoder. By tricking a user or an automated system into
processing a specially crafted SGI image, this could be exploited to
execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (1 posted)
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
CVE #(s): | CVE-2006-5456
|
| Created: | October 31, 2006 |
Updated: | March 8, 2007 |
| Description: |
Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick
6.0.7 allow user-assisted attackers to cause a denial of service and
possibly execute arbitrary code via (1) a DCM image that is not
properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a
PALM image that is not properly handled by the ReadPALMImage function in
coders/palm.c. |
| Alerts: |
|
Comments (2 posted)
imlib2: arbitrary code execution
| Package(s): | imlib2 |
CVE #(s): | CVE-2006-4806
CVE-2006-4807
CVE-2006-4808
CVE-2006-4809
|
| Created: | November 6, 2006 |
Updated: | August 13, 2007 |
| Description: |
M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the
validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user
were tricked into viewing or processing a specially crafted image with
an application that uses imlib2, the flaws could be exploited to execute
arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
kdegraphics: stack overflow
| Package(s): | kdegraphics |
CVE #(s): | CVE-2006-6297
|
| Created: | December 12, 2006 |
Updated: | January 13, 2007 |
| Description: |
A stack overflow in the KFILE JPEG (kfile_jpeg) plugin in kdegraphics3, as
used by konqueror, digikam, and other KDE image browsers, allows remote
attackers to cause a denial of service (stack consumption) via a crafted
EXIF section in a JPEG file, which results in an infinite recursion. |
| Alerts: |
|
Comments (none posted)
kdelibs: integer overflow
| Package(s): | kdelibs |
CVE #(s): | CVE-2006-4811
|
| Created: | October 18, 2006 |
Updated: | March 5, 2007 |
| Description: |
The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
CVE #(s): | CAN-2005-1920
|
| Created: | July 19, 2005 |
Updated: | September 21, 2010 |
| Description: |
Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
| Alerts: |
|
Comments (1 posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4623
|
| Created: | October 18, 2006 |
Updated: | November 14, 2007 |
| Description: |
The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
| Alerts: |
|
Comments (none posted)
kernel: bridging code buffer overflow
| Package(s): | kernel |
CVE #(s): | CVE-2006-5751
|
| Created: | December 6, 2006 |
Updated: | January 3, 2007 |
| Description: |
A buffer overflow in the bridging code in kernels through 2.6.18.3 can lead to a denial of service or potential code execution. The 2.6.18.4 kernel contains the fix. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4535
CVE-2006-4538
|
| Created: | September 18, 2006 |
Updated: | January 5, 2009 |
| Description: |
Sridhar Samudrala discovered a local denial of service vulnerability
in the handling of SCTP sockets. By opening such a socket with a
special SO_LINGER value, a local attacker could exploit this to crash
the kernel. (CVE-2006-4535)
Kirill Korotaev discovered that the ELF loader on the ia64 and sparc
platforms did not sufficiently verify the memory layout. By attempting
to execute a specially crafted executable, a local user could exploit
this to crash the kernel. (CVE-2006-4538) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-4572
CVE-2006-4997
|
| Created: | November 6, 2006 |
Updated: | January 17, 2007 |
| Description: |
Some vulnerabilities were discovered in the Linux 2.6 kernel:
There are possibly exploitable bugs in the netfilter for IPv6 code.
(CVE-2006-4572)
The ATM subsystem of the Linux kernel could allow a remote attacker to
cause a Denial of Service (panic) via unknown vectors that cause the ATM
subsystem to access the memory of socket buffers after they are freed.
(CVE-2006-4997) |
| Alerts: |
|
Comments (none posted)
kernel: denial of service by memory consumption
| Package(s): | kernel |
CVE #(s): | CVE-2006-2936
|
| Created: | July 17, 2006 |
Updated: | November 14, 2007 |
| Description: |
The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to
2.6.17, and possibly later versions, allows local users to cause a denial
of service (memory consumption) by writing more data to the serial port
than the driver can handle, which causes the data to be queued. |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-5757
|
| Created: | November 13, 2006 |
Updated: | November 14, 2007 |
| Description: |
From the MOKB-05-11-2006
advisory: "The ISO9660 filesystem handling code of the Linux
2.6.x kernel fails to properly handle corrupted data structures, leading to
an exploitable denial of service condition. This particular vulnerability
seems to be caused by a race condition and a signedness issue. When
performing a read operation on a corrupted ISO9660 fs stream, the
isofs_get_blocks() function will enter an infinite loop when
__find_get_block_slow() callback from sb_getblk() fails ("due to various
races between file io on the block device and getblk")." |
| Alerts: |
|
Comments (none posted)
kernel: denial of service
| Package(s): | kernel |
CVE #(s): | CVE-2006-2935
CVE-2006-4145
CVE-2006-3745
|
| Created: | September 1, 2006 |
Updated: | July 30, 2008 |
| Description: |
Previous versions of the kernel package are subject to several
vulnerabilities. Certain malformed UDF filesystems can cause the system to
crash (denial of service). Malformed CDROM firmware or USB storage devices
(such as USB keys) could cause system crash (denial of service), and if
they were intentionally malformed, can cause arbitrary code to run with
elevated privileges. In addition, the SCTP protocol is subject to a remote
system crash (denial of service) attack. |
| Alerts: |
|
Comments (none posted)
koffice: integer overflow
| Package(s): | koffice |
CVE #(s): | CVE-2006-6120
|
| Created: | November 30, 2006 |
Updated: | February 20, 2007 |
| Description: |
The KOffice office suite has an integer overflow
vulnerability. If an attacker can trick a user into opening a
specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or
possibly execute arbitrary code with the user's privileges. |
| Alerts: |
|
Comments (none posted)
krb5: local privilege escalation
| Package(s): | krb5 |
CVE #(s): | CVE-2006-3083
|
| Created: | August 9, 2006 |
Updated: | July 7, 2010 |
| Description: |
Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
| Alerts: |
|
Comments (none posted)
libgadu: memory alignment bug
| Package(s): | libgadu |
CVE #(s): | CAN-2005-2370
|
| Created: | July 29, 2005 |
Updated: | June 25, 2007 |
| Description: |
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This cannot be exploited on the x86
architecture, but on others (e.g. Sparc) it can lead to a bus error,
in other words a denial of service.
|
| Alerts: |
|
Comments (none posted)
libgd2: denial of service
| Package(s): | libgd2 |
CVE #(s): | CVE-2006-2906
|
| Created: | June 14, 2006 |
Updated: | January 16, 2007 |
| Description: |
Certain GIF images can cause libgd2 to go into an infinite loop, adversely affecting the performance of image processing applications. |
| Alerts: |
|
Comments (none posted)
libgsf: heap buffer overflow
| Package(s): | libgsf |
CVE #(s): | CVE-2006-4514
|
| Created: | November 30, 2006 |
Updated: | January 11, 2007 |
| Description: |
The GNOME library libgsf, which is used for writing structured file
formats, has a heap buffer overflow that can be exploited for the
purpose of executing arbitrary code. |
| Alerts: |
|
Comments (none posted)
libmodplug: boundary errors
| Package(s): | libmodplug |
CVE #(s): | CVE-2006-4192
|
| Created: | December 11, 2006 |
Updated: | May 4, 2011 |
| Description: |
Luigi Auriemma has reported various boundary errors in load_it.cpp and
a boundary error in the "CSoundFile::ReadSample()" function in
sndfile.cpp. A remote attacker can entice a user to read crafted modules
or ITP files, which may trigger a buffer overflow resulting in the
execution of arbitrary code with the privileges of the user running the
application. |
| Alerts: |
|
Comments (none posted)
libpng: buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-3334
|
| Created: | July 19, 2006 |
Updated: | December 15, 2008 |
| Description: |
In pngrutil.c, the function png_decompress_chunk() allocates
insufficient space for an error message, potentially overwriting stack
data, leading to a buffer overflow. |
| Alerts: |
|
Comments (none posted)
libpng: heap based buffer overflow
| Package(s): | libpng |
CVE #(s): | CVE-2006-0481
|
| Created: | February 13, 2006 |
Updated: | December 15, 2008 |
| Description: |
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim. |
| Alerts: |
|
Comments (1 posted)
libtiff: buffer overflow
| Package(s): | libtiff |
CVE #(s): | CVE-2006-2193
|
| Created: | June 15, 2006 |
Updated: | September 1, 2008 |
| Description: |
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code. |
| Alerts: |
|
Comments (none posted)
libvncserver: authentication bypass
| Package(s): | libvncserver |
CVE #(s): | CVE-2006-2450
|
| Created: | August 4, 2006 |
Updated: | March 19, 2007 |
| Description: |
LibVNCServer fails to properly validate protocol types, effectively
letting users decide what protocol to use, such as "Type 1 - None".
LibVNCServer will accept this security type, even if it is not offered
by the server. |
| Alerts: |
|
Comments (none posted)
libxml2 - arbitrary code execution
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0110
|
| Created: | February 26, 2004 |
Updated: | August 19, 2009 |
| Description: |
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
CVE #(s): | CAN-2004-0989
|
| Created: | October 28, 2004 |
Updated: | August 19, 2009 |
| Description: |
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities; if a local user passes a specially crafted
FTP URL, arbitrary code may be executed. |
| Alerts: |
|
Comments (none posted)
linux-restricted-modules: nVidia driver vulnerability
| Package(s): | linux-restricted-modules |
CVE #(s): | CVE-2006-5379
|
| Created: | November 6, 2006 |
Updated: | January 11, 2007 |
| Description: |
Derek Abdine discovered that the NVIDIA Xorg driver did not correctly
verify the size of buffers used to render text glyphs. When displaying
very long strings of text, the Xorg server would crash. If a user were
tricked into viewing a specially crafted series of glyphs, this flaw
could be exploited to run arbitrary code with root privileges. |
| Alerts: |
|
Comments (none posted)
lynx: arbitrary command execution
| Package(s): | lynx |
CVE #(s): | CVE-2005-2929
|
| Created: | November 14, 2005 |
Updated: | September 14, 2009 |
| Description: |
An arbitrary command execution bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx. |
| Alerts: |
|
Comments (none posted)
mono: source disclosure attack
| Package(s): | mono |
CVE #(s): | CVE-2006-6104
|
| Created: | December 21, 2006 |
Updated: | January 17, 2007 |
| Description: |
The Mono ASP.NET server XSP has a source disclosure attack vulnerability.
A malicious user can use this to acquire the source code of a server-side
application. |
| Alerts: |
|
Comments (none posted)
mysql: format string bug
| Package(s): | mysql |
CVE #(s): | CVE-2006-3469
|
| Created: | July 21, 2006 |
Updated: | July 30, 2008 |
| Description: |
Jean-David Maillefer discovered a format string bug in the
date_format() function's error reporting. By calling the function with
invalid arguments, an authenticated user could exploit this to crash
the server. |
| Alerts: |
|
Comments (none posted)
MySQL: privilege violations
| Package(s): | mysql |
CVE #(s): | CVE-2006-4031
CVE-2006-4226
|
| Created: | August 25, 2006 |
Updated: | July 30, 2008 |
| Description: |
MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access
a table through a previously created MERGE table, even after the user's
privileges are revoked for the original table, which might violate intended
security policy (CVE-2006-4031).
MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run
on case-sensitive filesystems, allows remote authenticated users to create
or access a database when the database name differs only in case from a
database for which they have permissions (CVE-2006-4226). |
| Alerts: |
|
Comments (none posted)
MySQL: logging bypass
| Package(s): | mysql |
CVE #(s): | CVE-2006-0903
|
| Created: | April 4, 2006 |
Updated: | May 21, 2008 |
| Description: |
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query. |
| Alerts: |
|
Comments (2 posted)
nbd: arbitrary code execution
| Package(s): | nbd |
CVE #(s): | CVE-2005-3534
|
| Created: | January 6, 2006 |
Updated: | March 7, 2011 |
| Description: |
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges. |
| Alerts: |
|
Comments (none posted)
ncompress: buffer underflow
| Package(s): | ncompress |
CVE #(s): | CVE-2006-1168
|
| Created: | August 10, 2006 |
Updated: | February 21, 2012 |
| Description: |
The ncompress compression utility has a missing boundary check.
A local user can use a maliciously created file to cause a
.bss buffer underflow. |
| Alerts: |
|
Comments (none posted)
openldap: security bypass
| Package(s): | openldap |
CVE #(s): | CVE-2006-4600
|
| Created: | September 29, 2006 |
Updated: | June 12, 2007 |
| Description: |
slapd in OpenLDAP before 2.3.25 allows remote authenticated users with
selfwrite Access Control List (ACL) privileges to modify arbitrary
Distinguished Names (DN). |
| Alerts: |
|
Comments (none posted)
openoffice.org: several vulnerabilities
| Package(s): | openoffice.org |
CVE #(s): | CVE-2006-2198
CVE-2006-2199
CVE-2006-3117
|
| Created: | June 30, 2006 |
Updated: | January 4, 2007 |
| Description: |
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
- It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
- It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
- Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
|
| Alerts: |
|
Comments (none posted)
openser: buffer overflow
| Package(s): | openser |
CVE #(s): | |
| Created: | December 26, 2006 |
Updated: | January 3, 2007 |
| Description: |
A buffer overflow was discovered in the
"parse_expression" function of the "permissions" module of the SIP router
OpenSER, versions up to and including 1.1.0. The OpenSER "permissions"
module is used to determine if a SIP call has appropriate permission to be
established. The "parse_expression" function is used during parsing of the
module's local allow/deny configuration files. |
| Alerts: |
|
Comments (none posted)
OpenSSH: denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4925
CVE-2006-5052
|
| Created: | October 6, 2006 |
Updated: | November 15, 2007 |
| Description: |
packet.c in ssh in OpenSSH allows remote attackers to cause a denial of
service (crash) by sending an invalid protocol sequence with
USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL.
An unspecified vulnerability in portable OpenSSH before 4.4, when running
on some platforms, allows remote attackers to determine the validity of
usernames via unknown vectors involving a GSSAPI "authentication abort." |
| Alerts: |
|
Comments (none posted)
openssh: privilege separation issue
| Package(s): | openssh |
CVE #(s): | CVE-2006-5794
|
| Created: | November 8, 2006 |
Updated: | April 5, 2007 |
| Description: |
From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its
verification of successful authentication. This bug is not known to
be exploitable in the absence of additional vulnerabilities." |
| Alerts: |
|
Comments (none posted)
openssh: remote denial of service
| Package(s): | openssh |
CVE #(s): | CVE-2006-4924
CVE-2006-5051
|
| Created: | September 27, 2006 |
Updated: | September 17, 2008 |
| Description: |
OpenSSH 4.4 fixes some
security issues, including a pre-authentication denial of service, an
unsafe signal handler and, on portable OpenSSH, a GSSAPI authentication abort
that could be used to determine the validity of usernames on some platforms. |
| Alerts: |
|
Comments (none posted)
php: several vulnerabilities
| Package(s): | php |
CVE #(s): | CVE-2006-4481
CVE-2006-4484
CVE-2006-4485
|
| Created: | September 8, 2006 |
Updated: | June 13, 2008 |
| Description: |
The file_exists and imap_reopen functions in PHP before 5.1.5 do not check
for the safe_mode and open_basedir settings, which allows local users to
bypass the settings (CVE-2006-4481).
A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c
in the GD extension in PHP before 5.1.5 allows remote attackers to have an
unknown impact via a GIF file with input_code_size greater than
MAX_LWZ_BITS, which triggers an overflow when initializing the table array
(CVE-2006-4484).
The stripos function in PHP before 5.1.5 has unknown impact and attack
vectors related to an out-of-bounds read (CVE-2006-4485). |
| Alerts: |
|
Comments (1 posted)
php: buffer overflows
| Package(s): | php |
CVE #(s): | CVE-2006-5465
|
| Created: | November 3, 2006 |
Updated: | January 18, 2010 |
| Description: |
The Hardened-PHP Project discovered buffer overflows in
htmlentities/htmlspecialchars internal routines to the PHP Project. Of
course the whole purpose of these functions is to be filled with user
input. (The overflow can only occur when UTF-8 is used.) |
| Alerts: |
|
Comments (none posted)
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
CVE #(s): | CVE-2006-2313
CVE-2006-2314
|
| Created: | May 24, 2006 |
Updated: | June 6, 2007 |
| Description: |
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash. |
| Alerts: |
|
Comments (1 posted)
proftpd: denial of service
| Package(s): | proftpd |
CVE #(s): | CVE-2006-5815
|
| Created: | November 17, 2006 |
Updated: | January 24, 2007 |
| Description: |
A denial of service (DoS) vulnerability exists in the FTP server ProFTPD, up
to and including version 1.3.0. The flaw is due to both a potential bus
error and a definitive buffer overflow in the code which determines the FTP
command buffer size limit. The vulnerability can be exploited only if the
"CommandBufferSize" directive is explicitly used in the server
configuration. |
| Alerts: |
|
Comments (none posted)
proftpd: stack-based buffer overflow
| Package(s): | proftpd |
CVE #(s): | CVE-2006-6563
|
| Created: | December 18, 2006 |
Updated: | February 14, 2007 |
| Description: |
A vulnerability exists in the FTP server ProFTPD, versions up to and
including 1.3.0a. The vulnerability is caused by a stack-based buffer
overflow in the "pr_ctrls_recv_request" function of the "Controls"
feature. This is an optional feature of ProFTPD server which is by default
disabled in OpenPKG and probably other distributions. |
| Alerts: |
|
Comments (1 posted)
quake: buffer overflow
| Package(s): | quake3-bin |
CVE #(s): | CVE-2006-2236
|
| Created: | May 10, 2006 |
Updated: | January 12, 2009 |
| Description: |
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: |
|
Comments (none posted)
rpm: arbitrary code execution
| Package(s): | rpm |
CVE #(s): | CVE-2006-5466
|
| Created: | November 6, 2006 |
Updated: | August 28, 2007 |
| Description: |
An error was found in the RPM library's handling of query reports. In
some locales, certain RPM packages would cause the library to crash. If
a user was tricked into querying a specially crafted RPM package, the
flaw could be exploited to execute arbitrary code with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
CVE #(s): | CVE-2006-1174
|
| Created: | May 25, 2006 |
Updated: | June 12, 2007 |
| Description: |
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called. |
| Alerts: |
|
Comments (none posted)
squirrelmail: multiple cross-site scripting vulnerabilities
| Package(s): | squirrelmail |
CVE #(s): | CVE-2006-6142
|
| Created: | December 11, 2006 |
Updated: | January 31, 2007 |
| Description: |
Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0
through 1.4.9 allow remote attackers to inject arbitrary web script or HTML
via the mailto parameter in webmail.php, the session and delete_draft
parameters in compose.php, and unspecified vectors involving "a shortcoming
in the magicHTML filter." |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
virusscan: DT_RPATH vulnerability
| Package(s): | virusscan |
CVE #(s): | CVE-2006-6474
|
| Created: | December 14, 2006 |
Updated: | January 3, 2007 |
| Description: |
McAfee VirusScan for Linux has an insecure DT_RPATH vulnerability
that may allow a remote attacker to execute arbitrary code. |
| Alerts: |
|
Comments (none posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
Extensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c. |
| Alerts: |
|
Comments (1 posted)
w3m: denial of service
| Package(s): | w3m |
CVE #(s): | |
| Created: | December 28, 2006 |
Updated: | January 15, 2007 |
| Description: |
The W3M textual web browser has a format string vulnerability.
If the run-time options -dump or -backend are used, W3M can be made to
crash if certain escape sequences occur in the Common Name of a web site
X.509 certificate. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-6172
|
| Created: | December 5, 2006 |
Updated: | June 5, 2007 |
| Description: |
A buffer overflow was discovered in the Real Media input plugin in
xine-lib. If a user were tricked into loading a specially crafted stream
from a malicious server, the attacker could execute arbitrary code with the
user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-1664
|
| Created: | April 27, 2006 |
Updated: | February 27, 2008 |
| Description: |
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed. |
| Alerts: |
|
Comments (none posted)
xine-ui: format string vulnerabilities
| Package(s): | xine-ui |
CVE #(s): | CVE-2006-2230
|
| Created: | June 9, 2006 |
Updated: | January 24, 2007 |
| Description: |
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service. |
| Alerts: |
|
Comments (none posted)
xinit: race condition
| Package(s): | xinit |
CVE #(s): | CVE-2006-5214
|
| Created: | October 17, 2006 |
Updated: | August 9, 2007 |
| Description: |
A race condition allows local users to see error messages generated during
another user's X session. This could allow potentially sensitive
information to be leaked. |
| Alerts: |
|
Comments (1 posted)
X.org: local privilege escalations
| Package(s): | xorg-x11 |
CVE #(s): | CVE-2006-4447
|
| Created: | August 28, 2006 |
Updated: | April 30, 2007 |
| Description: |
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine. |
| Alerts: |
|
Comments (none posted)
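The unchecked set*uid() pattern described in the entry above, next to a version that fails closed, as an added C example (it is not code from X.org or from the advisory). The setuid_over_limit() stand-in and the launch_* names are constructed for the illustration; the stand-in fails with EAGAIN, as setuid() can when the target user is over a resource limit.

```c
/* Added illustration of the unchecked set*uid() pattern; not X.org code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Same signature as setuid(2), so a failing stand-in can be injected. */
typedef int (*setuid_fn)(uid_t);

enum launch_result {
    LAUNCH_REFUSED = -1,          /* helper was not started            */
    LAUNCH_AS_TARGET = 0,         /* helper runs with the intended uid */
    LAUNCH_STILL_PRIVILEGED = 1   /* helper runs with the caller's uid */
};

/* Constructed stand-in: fails the way setuid() can when the target user is
 * over a resource limit, returning -1/EAGAIN and leaving the uid as it was. */
static int setuid_over_limit(uid_t uid)
{
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* Vulnerable pattern: the result of the set*uid() call is discarded. */
static enum launch_result launch_unchecked(uid_t target, setuid_fn do_setuid)
{
    do_setuid(target);
    /* The user's command would be executed here, whatever uid we hold. */
    return (getuid() == target && geteuid() == target)
               ? LAUNCH_AS_TARGET : LAUNCH_STILL_PRIVILEGED;
}

/* Hardened pattern: fail closed, then verify that the drop took effect. */
static enum launch_result launch_checked(uid_t target, setuid_fn do_setuid)
{
    if (do_setuid(target) != 0) {
        fprintf(stderr, "setuid(%lu) failed: %s\n",
                (unsigned long)target, strerror(errno));
        return LAUNCH_REFUSED;
    }
    if (getuid() != target || geteuid() != target)
        return LAUNCH_REFUSED;
    return LAUNCH_AS_TARGET;
}

int main(void)
{
    uid_t other = getuid() + 1;   /* constructed: any uid we do not hold */
    printf("unchecked, setuid fails: %d\n",
           launch_unchecked(other, setuid_over_limit));
    printf("checked,   setuid fails: %d\n",
           launch_checked(other, setuid_over_limit));
    printf("checked,   setuid works: %d\n",
           launch_checked(getuid(), setuid));
    return 0;
}
```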
X.Org: buffer overflow
| Package(s): | xorg-x11-server xorg-x11 |
| CVE #(s): | CVE-2006-1526 |
| Created: | May 3, 2006 |
| Updated: | January 10, 2007 |
| Description: |
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
| CVE #(s): | CAN-2005-0064 |
| Created: | January 19, 2005 |
| Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 prepatch is 2.6.20-rc4,
released on January 6.
Says Linus: "There's absolutely nothing interesting here, unless you
want to play with KVM, or happened to be bitten by the bug with really old
versions of the linker that made parts of entry.S just go away."
About 100 patches have been merged into the mainline git repository since
-rc4, as of this writing. They are fixes, mostly in the architecture,
ALSA, and networking subsystems.
The current -mm tree is 2.6.20-rc3-mm1. Recent changes
to -mm include a bunch of KVM work (see below), another set of workqueue
API changes, and the virtualization of struct user.
The current stable 2.6 kernel is 2.6.19.2, released on January 10. It
contains a long list of fixes, including the fix for the file corruption
problem and several with security implications.
For older kernels: 2.6.16.38-rc1 was released on
January 9 with a long list of fixes - many of which are
security-related.
Comments (none posted)
Kernel development news
Kernel.org is the main repository for
the Linux kernel source, numerous development trees, and a great deal of
associated material. It also offers mirroring for some other Linux-related
projects - distribution CD images, for example. Users of kernel.org have
occasionally noticed that the service is rather slow. Kernel tree releases
are a long time in making it to the front page, and the mirror network
tends to lag behind. This important part of the kernel's development
infrastructure, it seems, is not keeping up with demand.
Discussion on the mailing lists reveals that the kernel.org servers (there
are two of them) often run with load averages in the range of 2-300. So
it's not entirely surprising that they are not always quite as responsive
as one would like. There is talk of adding servers, but there is also a
sense that the current servers should be able to keep up with the load. So
the developers have been looking into what is going on.
The problem seems to originate with git. Kernel.org hosts quite a few git
repositories and a version of the gitweb system as well - though gitweb is
often disabled when the load gets too high. The git-related problems, in
turn, come down to the speed with which Linux can read directories. According to kernel.org administrator H. Peter
Anvin:
    During extremely high load, it appears that what slows kernel.org down more
    than anything else is the time that each individual getdents() call takes.
    When I've looked this I've observed times from 200 ms to almost 2 seconds!
    Since an unpacked *OR* unpruned git tree adds 256 directories to a cleanly
    packed tree, you can do the math yourself.
Clearly, something is not quite right with the handling of large
filesystems under heavy load. Part of the problem may be that Linux is not
dedicating enough memory to caching directories in this situation, but the
real problems are elsewhere. It turns out that:
- The getdents() system call, used to read a directory, is, according to Linus, one of the most
expensive in Linux. The locking is such that only one process can be
reading a given directory at any given time. If that process must
wait for disk I/O, it sleeps holding the inode semaphore and blocks
all other readers - even if some of the others could work with parts
of the directory which are already in memory.
- No readahead is done on directories, so each block must be read, one
by one, with the whole process stopping and waiting for I/O each time.
- To make things worse, while the ext3 filesystem tries hard to lay out
files contiguously on the disk, it does not make the same effort with
directories. So the chances are good that a multi-block directory
will be scattered on the disk, forcing a seek for each read and
defeating any track caching the drive may be doing.
It has been reported that the third of the above-listed problems can be
addressed by moving to XFS, which
does a better job at keeping directories together. Kernel.org could make such
a switch - at the cost of about a week's downtime for each server. So one
should not expect it to happen overnight.
The first priority for improving the situation is, most likely, the
implementation of some sort of directory readahead. That change would cut
the amount of time spent waiting for directory I/O and, crucially, would
require no change to existing filesystems - not even a backup and restore -
to get better performance. An early readahead patch has been circulated,
but this issue looks complex enough that a few iterations of careful work
will be required to arrive at a real solution. So look for something to
show up in the 2.6.21 time frame.
Comments (14 posted)
The KVM patch set was covered here briefly last October. In short, KVM
allows for (relatively) simple support of virtualized clients on recent
processors. On a CPU with Intel's or AMD's hardware virtualization support,
a hypervisor can open /dev/kvm and, through a series of ioctl() calls,
create virtualized processors and launch guest systems on them. Compared to
a full paravirtualization system like Xen, KVM is relatively small and
straightforward; that is one of the reasons why KVM went into 2.6.20,
while Xen remains on the outside.
While KVM is in the mainline, it is not exactly in a finished state yet,
and it may see significant changes before and after the 2.6.20 release.
One current
problem has to do with the implementation of "shadow page tables," which
does not perform as well as one would like. The solution is conceptually
straightforward - at least, once one understands what shadow page tables
do.
A page table, of course, is a mapping from a virtual address to the
associated physical address (or a flag that said mapping does not currently
exist). A virtualized operating system is given a range of "physical"
memory to work with, and it implements its own page tables to map between
its virtual address spaces and that memory range. But the guest's
"physical" memory is a virtual range administered by the host; guests do
not deal directly with "bare metal" memory. The result is that there are
actually two sets of page tables between a virtual address space on a
virtualized guest and the real, physical memory it maps to. The guest can
set up one level of translation, but only the host can manage the mapping
between the guest's "physical" memory and the real thing.
This situation is handled by way of shadow page tables. The virtualized
client thinks it is maintaining its own page tables, but the
processor does not actually use them. Instead, the host system implements
a "shadow" table which mirrors the guest's table, but which maps guest
virtual addresses directly to physical addresses. The shadow table starts
out empty; every page fault on the guest then results in the filling in of
the appropriate shadow entry. Once the guest has faulted in the pages it
needs, it will be able to run at native speed with no further hypervisor
attention required.
With the version of KVM found in 2.6.20-rc4, that happy situation tends not
to last for very long, though. Once the guest performs a context switch,
the painfully-built shadow page table is dumped and a new one is started.
Changing the shadow table is required, since the process running after the
context switch will have a different set of address mappings. But, when
the previous process gets back into the CPU, it would be nice if its shadow
page tables were there waiting for it.
The shadow page table caching
patch posted by Avi Kivity does just that. Rather than just dump the
shadow table, it sets that table aside so that it can be loaded again the
next time it's needed. The idea seems simple, but the implementation
requires a 33-part patch - there are a lot of details to take care of.
Much of the trouble comes from the fact that the host cannot always tell
for sure when the guest has made a page table entry change. As a result,
guest page tables must be write-protected. Whenever the guest makes a
change, it will trap into the hypervisor, which can complete the change and
update the shadow table accordingly.
To make the write-protect mechanism work, the caching patch must add a
reverse-mapping mechanism to allow it to trace faults back to the page
table(s) of interest. There is also an interesting situation where,
occasionally, a page will stop being used as a page table without the host
system knowing about it. To detect that situation, the KVM code looks for
overly-frequent or misaligned writes, either of which indicates
(heuristically) that the function of the page has changed.
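The following toy model in C is an added illustration of the mechanism described above; it is not KVM code and not part of the patch set. It counts the hypervisor exits needed to fill shadow entries when the shadow table is dropped on every guest context switch versus cached, and shows the stale mapping a cached shadow would keep if guest page tables were not write-protected. All names, table sizes and frame numbers are constructed for the example.

```c
/* Added toy model of shadow page tables; not KVM code. */
#include <stdio.h>
#include <string.h>

#define NPROC    2     /* guest processes, one guest page table each */
#define NPAGES   8     /* virtual pages per guest address space      */
#define NGFRAMES 32    /* guest-"physical" frames                    */
#define UNMAPPED (-1)

struct vm {
    int cache_shadows;            /* keep shadow tables across switches?   */
    int write_protect;            /* trap guest writes to its page tables? */
    int gpt[NPROC][NPAGES];       /* guest tables: vpn -> guest frame      */
    int host_frame[NGFRAMES];     /* host map: guest frame -> host frame   */
    int shadow[NPROC][NPAGES];    /* shadow tables: vpn -> host frame      */
    int current;                  /* guest table currently loaded          */
    long shadow_faults;           /* exits taken to fill a shadow entry    */
    long wp_traps;                /* exits on write-protected guest PTEs   */
};

static void vm_init(struct vm *vm, int cache_shadows, int write_protect)
{
    memset(vm, 0, sizeof(*vm));
    vm->cache_shadows = cache_shadows;
    vm->write_protect = write_protect;
    for (int g = 0; g < NGFRAMES; g++)
        vm->host_frame[g] = 1000 + g;           /* constructed layout */
    for (int p = 0; p < NPROC; p++)
        for (int v = 0; v < NPAGES; v++) {
            vm->gpt[p][v] = p * NPAGES + v;     /* constructed layout */
            vm->shadow[p][v] = UNMAPPED;
        }
}

/* Guest context switch: a different guest page table becomes active. */
static void guest_switch_to(struct vm *vm, int proc)
{
    if (!vm->cache_shadows)                     /* 2.6.20-rc4 behaviour: */
        for (int v = 0; v < NPAGES; v++)        /* start again from an   */
            vm->shadow[proc][v] = UNMAPPED;     /* empty shadow table    */
    vm->current = proc;
}

/* Guest memory access through the shadow table; returns the host frame. */
static int guest_access(struct vm *vm, int vpn)
{
    int *slot = &vm->shadow[vm->current][vpn];
    if (*slot == UNMAPPED) {
        int gfn = vm->gpt[vm->current][vpn];
        if (gfn == UNMAPPED)
            return UNMAPPED;                    /* genuine guest page fault */
        vm->shadow_faults++;                    /* hypervisor fills entry   */
        *slot = vm->host_frame[gfn];
    }
    return *slot;
}

/* The guest kernel rewrites one of its own page table entries. */
static void guest_write_pte(struct vm *vm, int proc, int vpn, int new_gfn)
{
    vm->gpt[proc][vpn] = new_gfn;
    if (vm->write_protect) {                    /* write trapped by the host */
        vm->wp_traps++;
        vm->shadow[proc][vpn] = UNMAPPED;       /* refilled on next access   */
    }
}

/* Round-robin workload: each process touches all of its pages per turn. */
static long run_workload(struct vm *vm, int rounds)
{
    for (int r = 0; r < rounds; r++)
        for (int p = 0; p < NPROC; p++) {
            guest_switch_to(vm, p);
            for (int v = 0; v < NPAGES; v++)
                guest_access(vm, v);
        }
    return vm->shadow_faults;
}

int main(void)
{
    struct vm drop, cache, stale;
    vm_init(&drop, 0, 0);
    vm_init(&cache, 1, 1);
    vm_init(&stale, 1, 0);
    printf("faults, dropped on switch: %ld\n", run_workload(&drop, 10));
    printf("faults, cached:            %ld\n", run_workload(&cache, 10));
    run_workload(&stale, 1);
    guest_write_pte(&cache, 0, 3, 20);          /* guest remaps one page */
    guest_write_pte(&stale, 0, 3, 20);
    guest_switch_to(&cache, 0);
    guest_switch_to(&stale, 0);
    printf("write-protected: host frame %d\n", guest_access(&cache, 3));
    printf("unprotected:     host frame %d (stale)\n", guest_access(&stale, 3));
    return 0;
}
```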
The 2.6.20 kernel is in a relatively late stage of development, with the
final release expected later this month. Even so, Avi would like to see
this large change merged now. Ingo Molnar concurs, saying:
    I have tested the new MMU changes quite extensively and they are
    converging nicely. It brings down context-switch costs by a factor
    of 10 and more, even for microbenchmarks: instead of throwing away
    the full shadow pagetable hierarchy we have worked so hard to
    construct this patchset allows the intelligent caching of shadow
    pagetables. The effect is human-visible as well - the system got
    visibly snappier
Since the KVM code is new for 2.6.20, changes within it cannot cause
regressions for anybody. So this sort of feature addition is likely to be
allowed, even this late in the development cycle.
Ingo has been busy on this front, announcing a patch entitled KVM paravirtualization for
Linux. It is a set of patches which allows a Linux guest to run under
KVM. It is a paravirtualization solution, though, rather than full
virtualization: the guest system knows that it is running as a virtual
guest. Paravirtualization should not be strictly necessary with hardware
virtualization support, but a paravirtualized kernel can take some
shortcuts which speed things up considerably. With these patches and the
full set of KVM patches, Ingo is able to get benchmark results which are
surprisingly close to native hardware speeds, and at least an order of
magnitude faster than running under Qemu.
This patch is, in fact, the current form of the paravirt_ops concept. With
paravirt_ops, low-level, hardware-specific operations are hidden behind a
structure full of member functions. This paravirt_ops structure, by
default, contains functions which operate on the hardware directly. Those
functions can be replaced, however, by alternatives which operate through a
hypervisor. Ingo's patch replaces a relatively small set of operations -
mostly those involved with the maintenance of page tables.
There was one interesting complaint which came out of Ingo's patch - even
though Ingo's new code is not really the problem. The
paravirt_ops structure is exported to modules, making it possible
for loadable modules to work properly with hypervisors. But there are many
operations in paravirt_ops which have never been made available to
modules in the past. So paravirt_ops represents a significant
widening of the module interface. Ingo responded with a patch which
splits paravirt_ops into two structures, only one of which
(paravirt_mod_ops) is exported to modules. It seems that the
preferred approach, however, will be to create
wrapper functions around the operations deemed suitable for modules and
export those. That minimizes the intrusiveness of the patch and keeps the
paravirt_ops structure out of module reach.
One remaining nagging little detail with the KVM subsystem is what the
interface to user space will look like. Avi Kivity has noted that the API currently
found in the mainline kernel has a number of shortcomings and will need
some changes; many of those, it appears, are likely to show up in 2.6.21.
The proposed API is still heavy on ioctl() calls, which does not
sit well with all developers, but no alternatives have been proposed. This
is a discussion which is likely to continue for some time yet.
Perhaps the most interesting outcome of all this, however, is how KVM is
gaining momentum as the virtualization approach of choice - at least for
contemporary and future hardware. One can almost see the interest in Xen
(for example) fading; KVM comes across as a much simpler, more maintainable
way to support full and paravirtualization. The community seems to be
converging on KVM as the low-level virtualization interface;
commercial vendors of higher-level products will want to adapt to this
interface if they want their products to be supported in the future.
Comments (6 posted)
A longstanding (and long unsupported in Linux) filesystem concept is that
of a union filesystem. In brief, a union filesystem is a logical
combination of two or more other filesystems to create the illusion of a
single filesystem with the contents of all the others.
As an example, imagine that a user wanted to mount a distribution DVD full
of packages. It would be nice to be able to add updated packages to close
today's security holes, but the DVD is a read-only medium. The solution
is a union filesystem. A system administrator can take a writable
filesystem and join it with the read-only DVD, creating a writable
filesystem with the contents of both. If the user then adds packages, they
will go into the writable filesystem, which can be smaller than would be
needed if it were to hold the entire contents.
The unionfs patch posted by
Josef Sipek provides this capability. With unionfs in place, the system
administrator could construct the union with a command sequence like:
    mount -r /dev/dvd /mnt/media/dvd
    mount /dev/hdb1 /mnt/media/dvd-overlay
    # unionfs has no backing device, so "none" fills the device argument
    mount -t unionfs \
        -o dirs=/mnt/media/dvd-overlay=rw:/mnt/media/dvd=ro \
        none /writable-dvd
The first two lines just mount the DVD and the writable partition as normal
filesystems. The final command then joins them into a single union, mounted
on /writable-dvd. Each "branch" of a union has a priority,
determined by the order in which they are given in the dirs=
option. When a file is looked up, the branches are searched in priority
order, with the first occurrence found being returned to the user. If an
attempt is made to write a read-only file, that file will be copied into
the highest-priority writable branch and written there.
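The lookup, copy-up and whiteout behaviour described here can be seen in a small in-memory model, added as an illustration in C; it is not the unionfs code. Branch 0 stands for the writable overlay and branch 1 for the read-only DVD of the mount example, and the file names, contents and function names are constructed.

```c
/* Added toy model of union lookup, copy-up and whiteouts; not unionfs code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAXFILES 8
#define NAMELEN  32

struct entry   { int used, whiteout; char name[NAMELEN], data[NAMELEN]; };
struct branch  { int writable; struct entry files[MAXFILES]; };
struct unionfs { struct branch *br; int nbr; };    /* br[0] has top priority */

static struct entry *br_find(struct branch *b, const char *name)
{
    for (int i = 0; i < MAXFILES; i++)
        if (b->files[i].used && strcmp(b->files[i].name, name) == 0)
            return &b->files[i];
    return NULL;
}

/* Create or overwrite an entry (file or whiteout) in one branch. */
static struct entry *br_put(struct branch *b, const char *name,
                            const char *data, int whiteout)
{
    struct entry *e = br_find(b, name);
    for (int i = 0; !e && i < MAXFILES; i++)
        if (!b->files[i].used)
            e = &b->files[i];
    if (!e)
        return NULL;                               /* branch is full */
    snprintf(e->name, sizeof(e->name), "%s", name);
    snprintf(e->data, sizeof(e->data), "%s", data);
    e->whiteout = whiteout;
    e->used = 1;
    return e;
}

/* Lookup: branches are searched in priority order and the first hit wins.
 * A whiteout is a hit that says "deleted" and hides lower branches. */
static int u_lookup(struct unionfs *u, const char *name, struct entry **out)
{
    for (int i = 0; i < u->nbr; i++) {
        struct entry *e = br_find(&u->br[i], name);
        if (!e)
            continue;
        if (e->whiteout)
            return -ENOENT;
        if (out)
            *out = e;
        return i;                                  /* index of serving branch */
    }
    return -ENOENT;
}

static int top_writable(struct unionfs *u)
{
    for (int i = 0; i < u->nbr; i++)
        if (u->br[i].writable)
            return i;
    return -EROFS;
}

/* Write: the data goes to the highest-priority writable branch, so a file
 * served from a read-only branch is copied up and the original is untouched. */
static int u_write(struct unionfs *u, const char *name, const char *data)
{
    int rw = top_writable(u);
    if (rw < 0)
        return rw;
    return br_put(&u->br[rw], name, data, 0) ? rw : -ENOSPC;
}

/* Unlink: drop writable copies; mask any read-only copy with a whiteout. */
static int u_unlink(struct unionfs *u, const char *name)
{
    int rw = top_writable(u), at = u_lookup(u, name, NULL), masked = 0;
    if (at < 0 || rw < 0)
        return at < 0 ? at : rw;
    for (int i = 0; i < u->nbr; i++) {
        struct entry *e = br_find(&u->br[i], name);
        if (e && u->br[i].writable)
            e->used = 0;
        else if (e)
            masked = 1;
    }
    if (masked && !br_put(&u->br[rw], name, "", 1))
        return -ENOSPC;
    return 0;
}

int main(void)
{
    struct branch br[2] = { { .writable = 1 }, { .writable = 0 } };
    struct unionfs u = { br, 2 };
    br_put(&br[1], "openssl.rpm", "v1-from-dvd", 0);   /* constructed contents */
    br_put(&br[1], "xpdf.rpm", "v1-from-dvd", 0);
    int wrote = u_write(&u, "openssl.rpm", "v2-fix");
    int gone = u_unlink(&u, "xpdf.rpm");
    printf("write -> branch %d, unlink -> %d, lookup -> %d\n",
           wrote, gone, u_lookup(&u, "xpdf.rpm", NULL));
    return 0;
}
```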
As one might imagine, there is a fair amount of complexity required to make
all of this actually work. Joining together filesystem hierarchies,
copying files between them, and inserting "whiteouts" to mask files deleted
from read-only branches are just a few of the challenges which must be
met. The unionfs code seems to handle most of them well, providing
convincing Unix semantics in the joined filesystem.
Reviewers immediately jumped on one exception, which was noted in the
documentation:
    Modifying a Unionfs branch directly, while the union is mounted, is
    currently unsupported. Any such change can cause Unionfs to oops,
    or stay silent and even RESULT IN DATA LOSS.
What this means is that it is dangerous to mess directly with the
filesystems which have been joined into a union mount. Andrew Morton
pointed out that, as user-friendly interfaces go, this one is a little on
the rough side. Since bind mounts don't have this problem, he asked, why
should unionfs present such a trap to its users? Josef responded:
    Bind mounts are a purely VFS level construct. Unionfs is, as the name
    implies, a filesystem. Last year at OLS, it seemed that a lot of people
    agreed that unioning is neither purely a fs construct, nor purely a vfs
    construct.
That, in turn, led to some fairly definitive statements that unionfs
should be implemented at the virtual filesystem level. Without
that, it's not clear that it will ever be possible to keep the namespace
coherent in the face of modifications at all levels of the union. So it
seems clear that, to truly gain the approval of the kernel developers,
unionfs needs a rewrite. Andrew Morton has been heard to wonder if the current version should
be merged anyway in the hopes that it would help inspire that rewrite to
happen. No decisions have been made as of this writing, so it's far from
clear whether Linux will have unionfs support in the near future or not.
Comments (12 posted)
Page editor: Jonathan Corbet
Distributions
January 10, 2007
This article was contributed by Donnie Berkholz
The Linux Terminal Server Project (LTSP)
makes it easy to set up Linux-based thin clients. It packages up all the
necessary software and adds custom-written scripts and packages to make the
whole process incredibly easy. But the world of LTSP is changing.
Project MueKow
(pronounced "Moo-Cow") is a complete rethink on how to handle the creation and
distribution of LTSP. In the current 4.x series, the project builds and
packages what is essentially an entire Linux distribution. Developers Jim McQuillan
and Scott Balneaves realized this doesn't make sense because they only add
value to a small proportion of packages—5% would be
optimistic. Everything else is simply an additional burden that detracts from
the time they can spend on the project's real focus. And from a user and
distribution perspective, all those packages outside of the distribution's
package management create more opportunities for outdated packages, security
holes, and other fun problems. MueKow will become LTSP-5.
Four months ago, LWN briefly
referred to a story about the future of LTSP, which inspired your author
to start a native Gentoo port. What makes Gentoo a solid platform for LTSP?
Its source-based nature gives it a number of benefits. Not only can one
infamously customize the optimization flags with which packages are compiled,
but one can also decide which features to include and which to exclude. For
example, one can choose to leave out Kerberos support in Gentoo. In a binary
distribution, packages may link against and depend upon Kerberos
unconditionally. With diskless clients, including unnecessary features raises
the number and size of files that must be transported across the network. This
problem gets increasingly severe as one scales up to more clients. Once the
Gentoo port is done, the automated client builder will take care of removing
unneeded cruft.
Many people use Gentoo not because it is source-based but because of the power
and flexibility of the package manager, portage. One feature that makes
portage powerful for embedded setups and diskless clients is its
ability to install packages into an arbitrary chroot without requiring that
the package manager itself be installed there. A simple command such as
`ROOT="/opt/ltsp" emerge packagename` will install that package, all of its
run-time (not build-time) dependencies, and package metadata to
/opt/ltsp. Software installed in a chroot can later be easily updated or
uninstalled using similar commands. This integration of the client chroot with
the server installation may be unique to Gentoo.
For a distribution to qualify as LTSP-compliant, the LTSP project
defined a set of requirements:
- Netboot thin clients with PXE and Etherboot
- Local devices with a FUSE filesystem called LTSPFS
- Network-transparent sound and video
- Screen scripts, including XDMCP, ldm/sdm, rdesktop, telnet, shell
- Boot thin clients with 32MB memory or more
- Use LTSP tools such as getltscfg
- Pass VCI (Vendor Class Identifier) string from the client to the server (in initramfs)
- Transparent pass-through printing
- Network swap using methods such as NBD, iSCSI or NFS
- Configurable location of the LTSP chroot tree
- Control per-client options with a single file, lts.conf
A native LTSP port fulfills the LTSP-5 requirements by adding LTSP-specific
packages, porting the automated client builder's distribution-specific
plugins, and writing the needed init scripts. Those three steps pretty well
take care of the distribution's role in fulfilling the LTSP-5
requirements. The rest is a matter of server configuration. As the packaging
and init script porting are fairly trivial once you understand an individual
distribution's quirks, we will spend most of our time discussing the client
builder. Adding LTSP-specific packages amounts to making a map of the packages
installed on an LTSP-4 system, determining which are installed by default, and
adding a metapackage to pull in the rest. Many distributions will not have
much to port in the init scripts, but Gentoo has a BSD-style, dependency-based
initialization process for which the LTSP init scripts will require
significant rewriting.
To build a client environment, one runs a script called ltsp-build-client. It
creates the chroot, installs the client packages and sets up reasonable
defaults. The LTSP client-root builder is a fine piece of work. It's entirely
written in shell, and its core is beautifully created so one can simply drop
in a new shell-script
plugin and have it instantly start working. Each distribution has its own
directory for plugins in /usr/share/ltsp/plugins/ltsp-build-client, as a
number of tasks are expected to be distribution-specific, but there is a
common directory for those few distribution-neutral tasks. Files in the
distribution directories can override common files with the same name, and
they can use files from another distribution. This is particularly useful in
the case of related distributions such as Ubuntu and Debian, both of which
already have mostly working LTSP-5 ports. In addition to distribution-level
overrides, system administrators can install their own overrides of
distribution plugins in /etc/ltsp/plugins/ltsp-build-client.
LTSP has no shortage of interesting projects, such as enhancing support for
local devices and selectively running applications on the client rather than
the server. To get involved or learn more, join the #ltsp channel on
irc.freenode.net or visit the home page.
Comments (8 posted)
New Releases
Release 2.1 of Endian Firewall
is available.
"Endian Firewall is a "turn-key" linux security distribution that turns every system into a full-featured security appliance. The software has been designed with "usability in mind" and is very easy to install, use and manage, without losing its flexibility.
This new release contains many improvements, bugfixes and upgrades."
Comments (none posted)
Distribution News
The Debian Project has announced that Debian 3.0 ("woody") has been put out
to pasture, and is no longer carried by the project's mirror network.
"After four and a half years this marks the final end of life for
GNU/Linux 3.0. This distribution has been superseded by Debian
GNU/Linux 3.1 (codename 'sarge') which the Debian project has released
on June 6th, 2005. Security support for woody has therefore ended
already in June 2006, one year after the release of sarge."
Full Story (comments: none)
XaraLX, a
general purpose graphics program, has been removed from all
releases of Fedora Extras.
"We have taken this drastic step as we have been made aware that
it is in violation of Fedora Policies. While the application has been
released as GPL, it contains a Static Library that is still proprietary and available in binary form only.
There is a note in the source tarball stating that at some future time the
library will also be released under the GPL. When that happens we will
welcome XaraLX back as a package."
Full Story (comments: none)
Mike McGrath has been appointed as the new Fedora Infrastructure Leader.
"Mike has been a contributor to the Fedora Project for quite a
while now, especially the Fedora Infrastructure group, and I'm personally very glad
that we were able to hire from within for this job. There are never as
many job openings as I wish there were, but when we do have openings in
Fedora it is my intention that we will look to fill them from within our
community first.
Mike won't be starting 100% until February, but in the sense that he is
already involved deeply in Fedora Infrastructure, and it's just a matter
of him ramping up his time over the next few weeks."
Full Story (comments: none)
Distribution Newsletters
The January 8 Fedora Weekly News is out. Topics include a claim of one million
unique Fedora Core 6 installations, FUDCon, and the proposed
Fedora 7 schedule.
Comments (none posted)
The Gentoo Weekly Newsletter for December 25, 2006 is out. This is a short holiday
edition.
Comments (none posted)
The January 1, 2007 edition of the Gentoo Weekly Newsletter is online
with the latest Gentoo distribution news.
Full Story (comments: none)
Linux Wizard presents
Cooker : The Inside Man IV, featuring the latest Mandriva news.
Comments (none posted)
The January 7 issue of the Ubuntu Weekly News is out. Topics covered this
week include the latest Kubuntu developer meeting, secure use of the Ubuntu
IRC channels, and the most recent changes to the upcoming "Feisty"
distribution.
Full Story (comments: 7)
Package updates
Updates for
Fedora Core 6:
pygtk (packaging error fix),
pam (bug fixes),
tar (new man page),
apr-util (bug fixes),
fonts-indic (various improvements),
fonts-sinhala (bug fixes),
fonts-arabic (bug fixes),
selinux-policy (bug fixes),
system-config-printer (bug fixes),
binutils (bug fixes),
cyrus-sasl (bug fixes),
agg (sync with final 2.4 release),
dovecot (reenabled GSSAPI),
evolution (bug fixes),
gnome-python2 (bug fixes),
gawk (bug fixes),
vnc (bug fix),
dbus (bug fix),
setup (bug fixes).
Updates for Fedora Core 5:
pygtk (packaging error fix),
seamonkey (release bump),
yelp (rebuild),
epiphany (rebuild),
devhelp (rebuild),
eclipse (rebuild),
avahi (security and bug fixes),
xterm (bug fixes).
Comments (none posted)
Updates for
Mandriva Linux 2007.0:
samba (bug fixes),
kdeutils (ark fix),
mesa (bug fix),
postfix and cyrus-sasl (bug fixes).
Comments (none posted)
Updates for
rPath:
conary (maintenance release).
Comments (none posted)
Updates for
Trustix Secure Linux 2.2 & 3.0:
bind, logwatch, perl-dbd-pg (bug fixes).
Comments (none posted)
Updates for
Ubuntu 6.10:
glibc (bug fix),
ubiquity (bug fixes).
Updates for Ubuntu 6.06-LTS:
glibc (bug fix).
Comments (none posted)
Newsletters and articles of interest
Howtoforge has published
a tutorial on creating a Debian/Ubuntu mirror site.
"This tutorial shows how to create a Debian/Ubuntu mirror for your local
network with the tool apt-mirror. Having a local Debian/Ubuntu mirror is
good if you have to install multiple systems in your local network because
then all needed packages can be downloaded over the fast LAN connection,
thus saving your internet bandwidth."
Comments (1 posted)
Page editor: Forrest Cook
Development
LIRC, the Linux Infrared Remote Control project, interfaces common IR remote
controls to a Linux system. It is being produced by this group of developers.
The software's description states:
The most important part of LIRC is the lircd daemon that will decode IR signals received by the device drivers and provide the information on a socket. It will also accept commands for IR signals to be sent if the hardware supports this. The second daemon program called lircmd will connect to lircd and translate the decoded IR signals to mouse movements. You can e.g. configure X to use your remote control as an input device.
The user space applications will allow you to control your computer with your remote control. You can send X events to applications, start programs and much more on just one button press. The possible applications are obvious: Infra-red mouse, remote control for your TV tuner card or CD-ROM, shutdown by remote, program your VCR and/or satellite tuner with your computer, etc. I've heard that MP3 players are also quite popular these days.
The list of supported devices shows the hardware that will work with LIRC;
this includes audio, TV card, MIDI, Bluetooth and USB interfaces,
TV cards, some radio remote controls and even a few PDAs.
For the hardware hacker, documentation
is available for constructing a number of
serial port receivers,
serial port transmitters and a bidirectional
parallel port interface.
Colin McGregor has put together a
Linux Journal HOWTO
article on building an LIRC interface.
The LIRC
FAQ and HOWTOs
document has both hardware and software build/install information and the
online manual
explains how the system works in detail.
LIRC is used by a number of higher level projects such as the
Rhythmbox and
XMMS
music players, the
PulseAudio sound server,
Fluendo's
Elisa Media Center and the
MythTV PVR project.
Version 0.8.1 of LIRC was recently announced; the previous release
came out about a year ago.
Changes include new support for USB-UIRT, transmitter support for
newer versions of the Windows Media Center transceiver and
support for the Iguanaworks USB IR Transceiver.
If you want to add an IR remote control to your favorite Linux project,
take a look at LIRC.
The LIRC software is available for download
here.
Comments (7 posted)
System Applications
Database Software
Version 1.5.4 of the
Firebird DBMS is
available.
"This sub-release introduces a number of bug fixes backported from the Firebird 2.0.x branches. These test builds are available for Windows and Linux 32-bit platforms."
Comments (none posted)
Version 5.0.33 of MySQL Community Server has been announced.
"MySQL Community Server 5.0.33, a new version of the popular Open
Source Database Management System, has been released. The release is now
available in source form from our download pages at"
Full Story (comments: none)
PostgreSQL versions 8.1.6 and 8.2.1 have been announced.
"Releases 8.1.6 and 8.2.1 fix a number of error issues with versions 8.1 and
8.2, including several issues that can cause unexpected aborts in 8.2.
Further, all versions have been updated for the new Australian and Canadian
daylight-saving time rules."
Full Story (comments: none)
The January 7, 2007 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL DBMS articles and resources.
Full Story (comments: none)
Version 1.9 of PyDbLite
has been announced.
"PyDbLite is a small, fast, pure-Python, in-memory database
management program.
The database object supports the iterator protocol, so that requests
can be expressed with list comprehensions or generator expressions
instead of SQL."
Comments (none posted)
Version 3.3.9 of
SQLite, a light weight DBMS, is out.
"Version 3.3.9 fixes bugs that can lead to database corruption under obscure and difficult to reproduce circumstances. See DatabaseCorruption in the wiki for details. This release also adds the new sqlite3_prepare_v2() API and includes important bug fixes in the command-line shell and enhancements to the query optimizer. Upgrading is recommended."
Comments (1 posted)
Mail Software
Release 4.66 of the
exim mail transfer agent is out.
"This is a bug fix and features release in the 4.xx series of releases - see the download pages. Documentation was updated for 4.66."
Comments (none posted)
Snapshot 20070107 of the
Postfix
mail transfer agent is out. Changes include
"Cleanup: eliminate the Linux/Solaris "wait for accept()"
stage from the queue manager to delivery agent protocol.
This alone achieves 99.99% of the Linux/Solaris speed up
from the preceding change. The pending connection pipeline
takes care of the rest. Tested on Linux kernels dating
back to 2.0.27 (that's more than 10 years ago)."
Comments (none posted)
Desktop Applications
Audio Applications
Version 2.0 beta 10 of
Ardour,
a multi-track audio recording system, has been released.
"
Hot off the winter presses for a new year comes 2.0 beta 10 source release. For Mac OS X users here is the universal binary. We plan for beta 11 to be the last set of code changes before we switch to the release candidate pattern, so get your bug reports in to the tracker ASAP."
Comments (none posted)
Version 0.3.1 of Das_watchdog is out with several new features.
"
Whenever a program locks up the machine, das_watchdog will temporarily
set all realtime processes to non-realtime for 8 seconds. You will get an
xmessage window up on the screen whenever that happens."
Full Story (comments: none)
Version 0.62 of
ewa has been
announced.
"
Ewa (East-West Audio) is a GPL server program that dynamically adds intros and outros to mp3s on the basis of user-defined rules. With ewa, internet audio publishers can periodically rotate the promotional content in their mp3 downloads without remastering."
Comments (none posted)
Version 2 of jack_mixer is out with a new meter scale, documentation
improvements and bug fixes.
"
jack_mixer is a GTK (2.x) JACK audio mixer with a look similar to its
hardware counterparts. It has a lot of useful features, apart from being
able to mix multiple JACK audio streams."
Full Story (comments: none)
Business Applications
Version 3.05 of webERP, a suite of accounting modules for business
administration,
has been announced.
"
This is the first release for just over a year and incorporates all the development over that period including:
Weighted Average Inventory Costing - previously only standard costing was available, Integrated SQL report writer - exports to CSV as well as producing PDF reports, Wiki integration option - to provide the basis for a structured company knowledge-base and numerous enhancements, options and bug fixes."
Comments (none posted)
Desktop Environments
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
KDE.News
looks forward to KDE 4, and KWord 2.0 in particular. "
All manner of objects are being converted to the new Flake library, for instance KFormula elements, so you can insert nicely rendered math into your documents without any trouble. This support could make KWord as exciting to use for page layouts as KPresenter, as you are no longer restricted to dull, square document shapes. These changes should enable KWord 2 to behave as a respectable basic desktop publishing application."
Comments (none posted)
The , 2007 edition of the
KDE Commit-Digest has been
announced.
The content summary says:
"
Sonnet, the natural language checker,
continues to develop and can now discriminate between more than 70 different
languages. More work on the "konsole-split-view" branch to add split/merge
functionality to the KDE 4 console. Support for filesystem labels in the
"mountconfig" Guidance configuration module. Large developments in the
"mailtransport" KDE-PIM work to enable code sharing between users of the
common "emailing" action. Support for background text colours in
Konversation. Further work in the "Papillon" MSN Messenger connection
library, with support for Xtraz status and notifications in Kopete. Gradient
editing tool introduced across KOffice. Better support for PDF presentation
files in Okular. Improved AI in the recently-imported game KSquares.
"Sublime", the new user interface library for KDevelop 4 is imported into KDE
SVN. The initial code for KRunner, the KDE 4 replacement for the "Run
Command" dialog, is imported into KDE SVN. The RSS Konqueror sidebar plugin
is removed from KDE SVN, along with dcoprss and librss, which will both be
replaced by libsyndication in KDE 4."
Comments (2 posted)
The following new Xorg software has been announced this week:
More information can be found on the
X.Org Foundation wiki.
Comments (none posted)
Educational Software
Version 0.4.0 of
Kanatest,
a Japanese kana (Hiragana and Katakana) simple flashcard tool, is out.
Changes include:
- Kanatest now uses fonts instead of images for kanas
- Kana chart has been added
- New and powerful statistics
- Enhanced options
- A new logo and icon
- Completely rewritten code and a lot of GUI improvements
Comments (none posted)
Games
Version 1.6 of Open Yahtzee
has been announced.
"
Open Yahtzee is a full featured Yahtzee game. Open Yahtzee is written in
wxWidgets and is cross-platform. Open Yahtzee 1.6 features a couple of
enhancements to the game play such as the ability to undo moves such as
accidental scoring (you can't undo rolling dice of course). Another new
feature is a new icon set for the program and the ability to check for updates
via the web."
Comments (none posted)
Interoperability
Version 0.9.29 of Wine
has been announced.
Changes include:
"
More work on the new Direct3D state management,
Debugger support for Mac OS, Many OLE fixes and improvements, Audio input support on Mac OS and Lots of bug fixes."
Comments (none posted)
Video Applications
Version 0.9.8.2 of
LiVES
is available.
"
LiVES began in 2002 as the Linux Video Editing System. Since it now runs on more operating systems, LiVES is a Video Editing System. It is designed to be simple to use, yet powerful. It is small in size, yet it has many advanced features." See the
CHANGELOG file for details on this version.
Comments (none posted)
Miscellaneous
Stable version 0.2 of
od2txt,
"
A simple (and stupid) converter from OpenDocument Text to plain text", has been announced.
Comments (none posted)
Languages and Tools
Assembly Language
Stable version 0.9.22 of
AsmIDE is out.
"
This release includes a new debugger, source code generator, disassembler, updated reference tool, library expansion and numerous other changes.
AsmIDE is a collection of programs to support assembler development on Linux. It runs in a terminal and the library supports terminal programs."
Comments (none posted)
C
Mark Mitchell has written a
GCC 4.1.2 Status Report.
"
I've decided to focus next on GCC 4.1.2. After GCC 4.1.2, I will focus
on GCC 4.2.0. At this point, I expect GCC 4.3 to remain in Stage 1 for
some time, while we work on GCC 4.1.2 and GCC 4.2.0."
Comments (none posted)
Caml
The January 9, 2007 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
Groovy
Version 1.0 of Groovy
has been announced.
"
Groovy is a dynamic language for the JVM that integrates seamlessly with the Java platform.
It offers a Java-like syntax, with language features inspired by Smalltalk, Python or Ruby, and lets you reuse all your Java libraries and protect the investment you made in Java skills, tools or application servers.
Groovy can be used for various purposes, from adhoc shell scripting leveraging Java APIs, to full-blown web applications built on Spring and Hibernate through the Grails web framework.
It can also be integrated very easily in your applications to externalize business logic, create Domain-Specific Languages, or to provide templating capabilities, and much more.
A lot of passion and energy has been put in this new version after two release candidates that have been tested against real-world projects: on a mission-critical insurance application, on the XWiki 2nd generation wiki engine, as well as on the RIFE framework and through the Spring 2.0 scripting integration."
Comments (none posted)
Haskell
The January 09, 2007, edition of the
Haskell Weekly News is online. This week sees the release of more libraries and applications for the new year, and the Haskell Hackathon gets underway!
Comments (none posted)
Java
The Gnu Compiler for Java (GCJ) project has put out a new
news report.
"
We've merged the gcj-eclipse branch to svn trunk. The merge changes gcj to use the Eclipse compiler as a front end, enabling all 1.5 language features. This merge also brings in a new, generics-enabled version of Classpath, including some new tools. This new code will appear in GCC 4.3."
Comments (none posted)
Mark Petrovic
discusses Java security issues in an O'Reilly article.
"
Java security manager policy files are powerful and flexible, but rather
grueling and error-prone to write by hand. In this article Mark Petrovic
employs a novel approach: a development-time SecurityManager that logs your
applications' calls and builds a suitable policy file."
Comments (15 posted)
Lisp
Version 1.0.1 of Steel Bank Common Lisp (SBCL) has been announced.
"
This version
supports the new platform FreeBSD/x86-64, adds more debugging
information to compiled code, improves profiling and performance, and
more."
Full Story (comments: none)
Python
David Mertz
works with Python decorators in an IBM developerWorks article.
"
Python made metaprogramming possible, but each Python version has added slightly different -- and not quite compatible -- wrinkles to the way you accomplish metaprogramming tricks. Playing with first-class function objects has long been around, as have techniques for peeking and poking at magic attributes. With version 2.2, Python grew a custom metaclass mechanism that went a long way, but at the cost of melting users' brains. More recently, with version 2.4, Python has grown "decorators," which are the newest -- and by far the most user-friendly way, so far -- to perform most metaprogramming."
Comments (none posted)
Ruby
Pat Eyler
discusses abandoned projects in his On Ruby blog.
"
To me, running a project is both an opportunity and a responsibility. In starting several projects, I've taken on an obligation to the community, and if I just abandon a project I'm not fulfilling that obligation. (To me, while "Free as in speech" is more important than "Free as in beer", "Free as in puppies" is pretty important too.)
I'd like it to be clear that I want my project taken over and maintained. The immediate parallel that comes to mind is a Living Will."
Comments (none posted)
O'Reilly presents
part two of the series Rolling with Ruby on Rails Revisited
by Bill Walton and Curt Hibbs.
"
Was it really two years ago when Curt Hibbs introduced Ruby on Rails to the
world at large? In that time, Rails has grown up a lot. Curt and Bill Walton
revisit the original tutorial to bring it up to date and show off how much
easier it is to get started with the powerful Ruby on Rails web framework."
Comments (none posted)
Tcl/Tk
The January 9, 2007 edition of the Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
XML
Simon St. Laurent
discusses the state of XQuery on O'Reilly's XML.com.
"
XQuery has pretty much always been about more than XML. For years, vendors have shown diagrams where XQuery provided a central cloud connecting all kinds of relational databases and XML databases -- and whatever else might be lying around -- into a single lovely XML stream.
Connections with relational databases have been a key justification for XQuery's support of the W3C XML Schema type system and its heavily typed processing model. XQuery isn't meant to replace SQL, but it can certainly complement it, especially when relational databases are already supporting reporting results as XML."
Comments (none posted)
Libraries
Version 0.1k of RFIDIOt, the RFID open source library, is out.
"
Over the Christmas break I did quite a bit of work on the code and have
added a hardware abstraction layer that allows support for readers other
than the ACG, and to test it I've added limited support for the Frosch
Hitag reader. New features in this release:
Program Hitag2 to EM4x02 / Unique,
Reset Hitag2 to default state (Frosch only),
Read German passports and
Various tidy-ups and improvements."
Full Story (comments: none)
Version 0.9.7.2 of Urwid, a command line user interface library for
Python, is out.
"
This maintenance release significantly improves the performance of
Urwid when run in UTF-8 mode. A UTF-8 input handling bug was also
fixed."
Full Story (comments: none)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
InternetNews.com
describes proposed legislation to be introduced by representative John Sununu which would prevent the U.S. Federal Communications Commission from imposing technology mandates - like the broadcast flag. "
'Whether well-intentioned or not, the FCC has no business interfering in private industry to satisfy select special interests or to impose its own views,' Sununu said in a statement. 'My legislation will ensure that decisions about the design and development of products and services to meet FCC rules are made by technology experts, not government regulators.'"
Comments (10 posted)
Groklaw
has fun with Novell's latest filings in its suit against the SCO Group. "
Now that Novell has been permitted to analyze the Agreements, it is apparent why SCO was hesitant to produce them: they are direct evidence of SCO's wrongdoing. SCO's breach of its fiduciary duty to fully inform Novell concerning the royalties it collected from Sun and Microsoft, when requested, can be no defense to Novell's request for preliminary relief."
Comments (8 posted)
Companies
Business Review Online
covers plans by MySQL AB to delay the move to the GPLv3 license.
"
Here's an announcement that almost got drowned out by festive cheer: MySQL has changed the license it uses for its open source database management system to avoid being forced to move to the forthcoming GPL v3.
Kaj Arno, MySQL VP of community relations, revealed the license change on his blog, on December 22, noting that the license for MySQL 5.0 and 5.1 had changed from "GPLv2 or later" to "GPLv2 only". As he explained, this was in order to make it an option, not an obligation for the company to move to GPLv3."
(Thanks to Francesco P. Lovergine.)
Comments (13 posted)
Linux Adoption
SDA India
reports on plans for a large deployment of Linux systems in
Chennai, India.
"
In line with many A one European cities moving towards open source technology like Amsterdam, the southern India city of Chennai is also moving towards Linux. The state of Tamil Nadu, is deploying 32,600 Linux desktop systems and training 30,000 government officials. Forty-three open source-based servers are also on the way to support key Government applications."
Comments (none posted)
Interviews
KDE.News
has announced
the latest
interview
in the People Behind KDE series.
"
In a brand new series of People Behind KDE we meet a coder from the KDE
heartland, Germany who enables us to communicate with the global developer
community through Konversation. Someone who is not satisfied with a static
terminal window, tonight's star of People Behind KDE is Eike Hein."
Comments (none posted)
Resources
Ubuntu Geek presents
a tutorial on using Drivel under the Ubuntu distribution.
"
Drivel is a GNOME client for working with online journals, also known as weblogs or simply blogs. It retains a simple and elegant design while providing many powerful features."
Comments (none posted)
Ken Simpson and Stas Bekman
discuss a survey of the most popular mail server programs on the net;
open-source software dominates the arena.
"
This summer, the sales staff at MailChannels came to the dev team with an urgent request: "Can you tell us which companies are running Sendmail? If we could know that, it would be so much easier to sell our Sendmail-compatible product."
For those of us who understand the SMTP protocol, the answer was, of course, a resounding "Yes." Most mail servers announce their identity when you connect to them on TCP port 25. The dev team decided that this was a summer science project they just had to get on top of. We even gave the science project a name: PingedIn, and we hope to provide more dynamic content on our skeletal website."
Comments (13 posted)
Sean Walberg
explores UNIX process creation in an IBM developerWorks article.
"
Examine the life cycle of a process so that you can relate what you see happening on your system to what's going on within the kernel. System administrators must know how processes are created and destroyed within the UNIX® environment in order to understand how the system fits together and how to manage misbehaving processes. Similarly, developers must understand the UNIX processes model in order to write solid applications that run unattended and won't cause problems for system administrators."
Comments (none posted)
Linux.com
looks at the
process of getting some money back after buying a new computer with
Microsoft Windows pre-installed. "
If you buy a computer, you often
pay for Microsoft Windows even if you didn't ask for it and aren't going to
use it. This article shows you how to return your unused Windows license
and get your money back, freeing yourself from the Windows tax. I recently
purchased a new laptop computer from Dell. As a GNU/Linux user and believer
in Free Software, I knew from the start that I wasn't going to run
Microsoft Windows. Unfortunately, Dell didn't offer this laptop with Ubuntu
or a no-OS option, so I tried getting my Windows refund from Dell after the
purchase."
Comments (12 posted)
Reviews
Linux.com
reviews the Exaile music player application. "
Exaile is similar to Amarok, but it's based on GTK+ (the GIMP Toolkit), the same GUI toolkit GNOME uses, and thus it loads almost instantly on GNOME and integrates nicely with it. The first impression the program makes is that it's a clone of Amarok, at least from an interface point of view; if you're an Amarok user, you'll feel right at home."
Comments (23 posted)
Linux-Watch
looks at NuFW. "
Where NuFW steers away from commonplace firewalls is by bringing the notion of user identity to the firewall's security rules. With most firewalls, the rules on what network ports are enabled or disabled are determined by the computer's network address... With NuFW, the firewall permissions follow an authenticated user instead of a PC's address."
Comments (16 posted)
Linux.com
looks at
Streamtuner. "
Streamtuner is a point-and-click GUI browser for the
thousands of Internet radio streams available today. It lets you play
streams and manage your favorites in a single window -- like a Linux tuner
for Internet radio. Streamtuner has a GTK 2.0 interface and is published
under the revised BSD license. It lets you use plugins to browse and search
popular portals including SHOUTcast and Icecast."
Comments (none posted)
Joe 'Zonker' Brockmeier
reviews
a number of text-based email clients in a Linux.com article.
"
Lately, I've been pining for the simplicity of a text email client. Though Sylpheed has been a reliable workhorse, I decided to survey today's text email clients to see if I should go back to reading email in an xterm. I tested Pine, Cone, Mutt, and nmh to see if any of them were up to the task. For my use, Mutt came out on top, but Pine is also a reasonable alternative if you don't mind the licensing.
In compiling my list of test candidates, I tried to be as complete as possible while including packages that are still maintained and require less than heroic efforts to obtain and use."
Comments (15 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The old domain used by the AGNULA project (which works on audio-oriented
Linux distributions) has been abruptly grabbed by an unrelated third party
and used to host yet another spam blog. The project is working on changing
this state of affairs; in the meantime, however, the site has moved to
agnula.info.
Full Story (comments: 6)
David A. Wheeler has sent in news regarding a video driver email campaign:
"
Lobby4linux is stirring up a lobbying campaign to NVIDIA and ATI
to support FLOSS 3D drivers."
Full Story (comments: 2)
Commercial announcements
Version 6 of CrossOver for Mac and Linux is out.
"
Users of Intel based Mac systems can now seamlessly run many
Windows applications on their Mac without needing a Windows license.
Supported applications include Outlook, Visio, Project, Quicken, Steam based games
such as Half Life 2, and many more.
For Linux users, we have added support for Outlook 2003, World of Warcraft,
a range of Steam based games such as Half-Life 2, and a number of other
applications. Additionally, CrossOver 6 represents another major step
forward in the evolution of Wine, so most users will find substantial
improvements in the overall compatibility and behavior of CrossOver
as compared to version 5."
Full Story (comments: 3)
Open Country and Turbolinux have announced a partnership.
"
Open Country, a next-generation systems management software
company, today announced it has entered into a partnership agreement with Turbolinux, Inc., a
global provider of Linux-based solutions, to deliver powerful end-to-end management capabilities
for Turbolinux's Chinese customers. Under the terms of the agreement, a customized Mandarin
version of Open Country's Universal Systems Management Suite will be bundled with Turbolinux
Server 10.5 for the Chinese market."
Full Story (comments: none)
Rumor has it that some telephone products have been announced this week. A
little more quietly, it was announced that the Linux-based (and open)
OpenMoko phone would
begin to ship in February, though widespread availability will probably
take a little longer. There are also some details on the final hardware
configuration; click below for the full text.
Full Story (comments: 9)
Linden Labs has
announced that it
has released the code for its "viewer" application as open source.
"
The Second Life Viewer is used by subscribers or 'Residents' to
access the virtual world's Grid. Freely-downloadable from the Second Life
website, the Viewer software enables Residents to control their in-world
avatars, interact with each other via Instant Message, create content, buy
and sell objects, access multimedia content and to navigate around the
virtual environment." One has to dig a bit, but the
associated FAQ
states that the GPL is being used, "
as well as a separate license for
entities that wish to reserve the ability to create proprietary extensions
for the viewer." (Thanks to Francesco Lovergine).
Comments (10 posted)
Storix, Inc. has
announced the launch of Storix System Backup Administrator
version 6 for Linux and AIX.
"
SBAdmin is designed for daily backup
management, as well as Adaptable System Recovery (ASR), providing the
flexibility to migrate systems to different hardware or to provision new
systems. This ability, coupled with the free annual maintenance offered by
the company to its customers, significantly reduces the user's TCO and
increases productivity by minimizing downtime."
Comments (none posted)
Nokia has
announced the availability of the N800, the much-rumored upgrade of the Linux-based 770 tablet. "
Building on the success of the Nokia 770 Internet Tablet, the Nokia
N800 introduces faster performance, full screen finger qwerty keyboard,
easier continuous connections through Wi-Fi or via Bluetooth phone,
integrated web camera as well as a new elegant design." There is
a page with some photos available.
Comments (27 posted)
Resources
Opteros has announced the release of an "Open Source Catalog," designed to
help companies decide which projects are "enterprise ready." Actually
downloading the report requires registration, but it's under a Creative
Commons license, so we've made
a copy available [PDF].
There are some interesting
conclusions (qmail is said to be more enterprise-ready than postfix or
sendmail, despite scoring lower in the "community" and "functionality"
categories), but it still might serve as a useful starting point for people
trying to choose free software.
Full Story (comments: 12)
Contests and Awards
KDE.News
has announced
the
Qt Centre Programming Contest 2007.
"
Qt community site Qt Centre is celebrating its first anniversary with a
programming contest. The contest is open until the end of May and the winner
is the best Qt 4 or Qtopia application or component in one of several
categories. Great prizes to be won include a MacBook and two Qtopia
Greenphones. The contest is sponsored by Basyskom, froglogic, ICS, KDAB and
Trolltech."
Comments (none posted)
Novell, Inc. has
announced that SUSE Linux Enterprise Desktop 10 has won a technical award.
"
Novell
today announced its SUSE(R) Linux Enterprise Desktop 10 has earned a 2007
InfoWorld Technology of the Year Award, being named "Best Linux Desktop."
According to InfoWorld, "Novell's revamped desktop Linux* distribution
combines professional fit and finish with unique usability features not
available from other vendors... A class act, [SUSE Linux Enterprise
Desktop] 10 gives business users new reason to consider Linux for
enterprise desktops.""
Comments (none posted)
Event Reports
Ciaran O'Riordan has posted
a
transcript of Richard Stallman's talk on free software in Zagreb last
March. It is, he says, the first transcript of a general RMS talk since
1986. The
1986
transcript is also available for anybody who would like to see what's
changed over the last twenty years.
Comments (2 posted)
Calls for Presentations
aKademy 2007 will be held in
Glasgow, Scotland from June 30 to
July 7. KDE 4 will clearly be a big topic at this gathering.
The call for papers has gone out; click below for the details. Abstracts
are due by February 14.
Full Story (comments: none)
KDE.News has posted a
call for participation
for the upcoming FOSDEM conference.
"
These annual meetings are organised by volunteers, free of charge and generally recognised as one of the most productive gatherings available on the European stage. This year it will be held on the weekend of 24/25th February 2007 on the ULB Campus Solbosh in Brussels, Belgium.
We are now looking for KDE contributors to talk about what they are working on. Talks in previous years have included PyKDE, Krita, KDE Marketing, KDevelop and Context Linked Desktops. We want to hear from all parts of KDE in the devroom, so do not think your area of work is too insignificant."
Comments (none posted)
A call for papers has been posted for the Recent Advances in
Intrusion Detection 2007 conference (RAID 2007). The event takes place in
Gold Coast, Queensland, Australia on September 5-7, 2007;
papers are due by March 31.
Full Story (comments: none)
A call for sessions has been posted for the Red Hat Summit 2007.
The event takes place in San Diego, CA on May 9-11, 2007;
submissions are due by January 19.
Full Story (comments: none)
Upcoming Events
Terra Soft Solutions has announced the first Cell processor "hack-a-thon".
The event takes place in Loveland, Colorado on January 20-26, 2007.
"
Glen Otero, Ph.D., Chief Scientist at Terra Soft describes this week long
event as, "A gathering of researchers from all over the globe who wish to
port science and engineering applications to the Cell processor and create
the initial knowledge base of Cell-optimized code. Code authors have the
option to release code through the newly formed HPC Consortium, making it
available to researchers everywhere."
Full Story (comments: none)
An update report has been sent out for DebConf7, which will take place in
Edinburgh, Scotland on June 17-23, 2007.
Regarding registration for sponsored accommodation:
"
We need this information now to make financial estimates. In
particular, we would like to calculate how much money we can allocate to
travel sponsorship.
Even if you are not applying for travel sponsorship, we suggest you
organise travel soon. For example, for those coming from Europe some
budget airlines recently opened booking for flights that are currently
very cheap, and will increase in price over the next few months."
Also, the event submission deadline is January 31.
Full Story (comments: none)
New speakers have been announced for the O'Reilly Emerging Telephony Conference.
"
The program schedule is nearly final for
ETel, the O'Reilly Emerging Telephony Conference. A cross-section of noted
industry experts will be leading more than 50 sessions and hands-on
workshops designed to capture the trends of the evolving telecom industry
and provide the means to navigate the communication opportunities ahead.
ETel 2007 is scheduled for February 27 through March 1, 2007 in
Burlingame, California."
Full Story (comments: none)
The Django weblog
mentions some Django web development system events at PyCon 2007.
"
On Feb 22nd (the tutorial day) I (Jacob) will be teaching back-to-back three-hour Django tutorials. The morning tutorial is an introduction to Django designed for anyone interested in getting started with Django.
After lunch, I'll move on to an advanced Django tutorial, covering a lot of what goes on under the hood. Anyone who knows Django and wants to dig deeper should really enjoy this one. You can, of course, sign up for both."
Comments (none posted)
The Python Software Foundation
has announced the availability of funding for PyCon 2007 attendees.
"
The Python Software Foundation has allocated some funds to help people attend PyCon 2007. If you'd like to come to PyCon but can't afford it, maybe the PSF can help you." Funding requests are due by January 19.
Comments (none posted)
The Linux Users' Group of Davis will hold the next Linux Installfest
workshop in Davis, CA on Saturday, January 20, 2007.
Full Story (comments: none)
Events: January 18, 2007 to March 19, 2007
The following event listing is taken from the
LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| January 15 to January 20 | linux.conf.au 2007 | Sydney, Australia |
| January 20 to January 26 | Cell Hack-a-thon | Loveland, CO, USA |
| January 23 to January 26 | Open Source Meets Business | Nürnberg, Germany |
| January 24 | European Patent Conference | Brussels, Belgium |
| January 30 to February 1 | Solutions Linux Expo | Paris, France |
| February 1 to February 2 | LinuxDays Luxembourg | Luxembourg, Luxembourg |
| February 2 | FUDCon Boston 2007 | Boston, MA, USA |
| February 7 to February 9 | Free Software World Conference 3.0 | Badajoz, Spain |
| February 7 to February 9 | Xorg Developer's Conference | Santa Clara, CA, USA |
| February 9 | Women In Open Source | Los Angeles, USA |
| February 9 | Open Source Health Care Summit | Los Angeles, USA |
| February 10 to February 11 | 2007 Southern California Linux Expo | Los Angeles, USA |
| February 12 to February 13 | Vancouver PHP Conference | Vancouver, BC, Canada |
| February 12 to February 13 | Linux Storage and Filesystem Workshop | San Jose, CA, USA |
| February 12 to February 16 | Ruby on Rails Bootcamp Training | Atlanta, USA |
| February 12 to February 15 | 3GSM World Congress 2007 | Barcelona, Spain |
| February 14 to February 15 | LinuxWorld OpenSolutions Summit | New York, NY, USA |
| February 15 | TiE Open Source Summit | Pittsburgh, PA, USA |
| February 16 | The Ubucon New York | New York, NY, USA |
| February 19 to February 23 | DebianEDU DevCamp | Soissons, France |
| February 22 | PyCon Tutorial Day | Addison, Texas |
| February 22 | CELF Japan Linux Technical Jamboree #13 | Tokyo, Japan |
| February 22 to February 24 | OpenMind 2007 | San Giorgio a Cremano, Naples, Italy |
| February 23 to February 25 | PyCon 2007 | Addison, Texas |
| February 23 | PHP Conference UK 2007 | London, England |
| February 24 to February 25 | Free and Open Source Software Developers' European Meeting | Brussels, Belgium |
| February 24 to February 25 | Java/DevJam/2007/Fosdem | Brussels, Belgium |
| February 26 to March 1 | PyCon Sprints | Addison, Texas |
| February 26 to March 2 | PHP5 Bootcamp Training at the Big Nerd Ranch | Atlanta, Georgia, USA |
| February 27 to March 1 | O'Reilly Emerging Telephony Conference | San Francisco, CA |
| February 27 to March 2 | EUSecWest Applied Security Conference | London, UK |
| February 28 to March 2 | Network and Distributed System Security Symposium | San Diego, CA, USA |
| March 2 to March 3 | LinuxForum 2007 | Copenhagen, Denmark |
| March 3 to March 8 | O'Reilly Emerging Technology Conference | San Diego, CA, USA |
| March 5 to March 8 | EclipseCon 2007 | Santa Clara, CA, USA |
| March 5 to March 6 | Karlsruhe Workshop on Software Radios | Karlsruhe, Germany |
| March 8 to March 10 | 2007 Open Source Think Tank | Napa, CA, USA |
| March 10 to March 13 | Camp 5 Advanced Zope3 Training | Charlotte, North Carolina, USA |
| March 12 to March 16 | QCon | London, England |
| March 12 to March 16 | Third Annual Security Enhanced Linux Symposium | Baltimore, US |
| March 12 to March 14 | BOSSA Conference | Porto de Galinhas, Brazil |
| March 13 to March 14 | The Linux Foundation Japan Symposium | Tokyo, Japan |
| March 14 to March 16 | PHP Quebec Conference | Montreal, Canada |
| March 14 to March 17 | Barbeque Sprint for Plone3 | Charlotte, North Carolina, USA |
| March 15 to March 21 | CeBIT computer fair | Hannover, Germany |
| March 16 to March 17 | MountainWest RubyConf | Salt Lake City, USA |
| March 18 to March 23 | Novell BrainShare 2007 | Salt Lake City, Utah, USA |
If your event does not appear here, please
tell us about it.
Audio and Video programs
O'Reilly presents
an interview with Bruce Chizen in audio and video formats.
"
Adobe CEO Bruce Chizen talked with Web 2.0 Summit program chair Tim O'Reilly
about the ubiquity of Flash and PDF, and the fine line that his company walks
between open standards and open source. They talked about everything from
eBooks and Apollo to competing with Microsoft. This episode is sponsored by
the Intel Software Partner Program."
Comments (none posted)
Page editor: Forrest Cook