LWN.net Logo

Advertisement

Advanced thin client solution for Linux, based on Open Source. Mix Windows and Linux applications on the same desktop.

Advertise here

A report from SCALE 2008

By Jake Edge
February 13, 2008

Escaping the cold for 70 degree days in Los Angeles might be a reason for some—Colorado-based LWN Editors for example—but it clearly is not the reason that most folks choose to attend Southern California Linux Expo (SCALE). Many of the approximately 1400 attendees already live in the region, so it is the speakers, participants, and the expo floor that bring them in. I attended the sixth annual SCALE (SCALE 6x), just held, February 8-10 and it didn't take me very long to see why it continues to grow and prosper.

Advertisement

SCALE is a three day event, with two main conference days on Saturday and Sunday and a set of mini-conferences running in parallel on Friday. Each mini-conference covers a focused topic of interest to the community, with this year's topics examining Women in Open Source (WIOS), Open Source Software in Education (OSSIE), and Demonstrating Open Source Healthcare Solutions (DOHCS). It was a full day as each had eight or more hour-long sessions.

Allison Randal kicked off the WIOS track with a presentation aimed at encouraging more women to give presentations at conferences. Her talk, "The Art of Conference Presentations", was not particularly gender specific, of course. It covered the process of proposing, creating and giving talks to conferences. Randall's advice was cogent, from avoiding "cute" titles to establishing credibility via your biography without feeling like you are bragging. Her most important point was to not wait around until you are the perfect speaker, but to go out and start speaking; your voice and style will come with practice.

Over in the OSSIE track, Dan Anderson related his experiences teaching computer science concepts to middle and high school students over the last fourteen years. His approach is to use computing as a bridge between math, science, and technology. He discussed the process of creating, or trying to create, a stable curriculum in the face of rapid technological change. Because the hardware, operating systems, and languages all change quickly, his courses need to focus on concepts that are not specific to any of those. Over the years he has taught, the language used in the advanced placement course—dictated by the state CollegeBoard company—has gone from Pascal, through C++, and now uses Java, with some rumblings being heard about moving to Python. As he points out, "much of what a High School student learns about technology will be outdated by the time they graduate from college."

He uses How to Design Programs as the core text for his courses. It uses a graphical programming environment called DrScheme, which is based on Scheme, that allows different subsets of the language to be used based on the skill level of the student. Anderson has integrated various peripherals, like cameras and audio equipment, into the environment so that students can interact with the real world in interesting ways. His students work on projects like voice authentication and computer vision; this year's project is to recognize tic-tac-toe as drawn on a white board.

Other topics from OSSIE included a tutorial introduction to the moodle content management system (CMS) for online learning. Much like other CMS projects, moodle allows the creation of websites with various kinds of content—audio, video, images, and text—but organized as a course. It provides a framework and philosophy to guide the development of online classes. Students access the content via the web, completing tasks, taking quizzes, and participating in forums and chats with other students.

Charles Edge (no relation) spoke about the challenges of implementing directory services for educational institutions. One problem is that the term "directory services" cover a large amount of ground, from tracking users (both employees and students) to allowing single sign-on (SSO) into multiple machines and services throughout the school. The biggest challenge can be handling the sheer numbers of people to be tracked. Open source solutions do exist, OpenLDAP for storing the information, Kerberos for single sign-on and Simple Authentication and Security Layer (SASL) for extending the reach of the SSO into other services, but it is complex to configure and administer. For scalability and robustness in large installations, Edge suggests Microsoft's Active Directory, which was not a particularly popular opinion with the open source oriented audience.

The first day closed with a WIOS panel discussion, where six of the women presenting or showing at the conference discussed the issues facing women in open source. The discussion was informal and wide-ranging with a great deal of audience participation. Audience members asked questions as well as offered opinions and theories on why the participation of women is low and what can be done to make things better. No real conclusions were reached, as is usual for discussions of this topic; it is one of the more puzzling attributes of the free/open source community.

The animated and amusing Ubuntu community manager Jono Bacon gave a rousing keynote to start things off on Saturday. He tried to ensure that everyone was awake by leading a greeting in multiple languages (including Klingon). His main point was to describe the responsibilities of the various "factions" that jockey to determine the future of open source software—companies, distributions, and communities—trying to show that each has an important role. In fact, it is up to all constituents to ensure that the greater Linux ecosystem thrives and that each group works well with the others. It was all pretty much "motherhood and apple pie" stuff, but well described and illustrated—all with Chuck Norris to keep track of the score. Bacon did provide the quote of the show when he said that free software was "started by a guy with a beard who was pissed off at a printer."

[747 Cockpit simulation]

Saturday was also the first day that the expo floor was open. Some 80 booths were there, representing companies large and small as well as lots of free software projects. One of the more interesting booths contained a working simulator of a 747 cockpit. All of the instruments were driven from a realtime Linux box and the FlightGear flight simulator was used to generate the cockpit window view. The two machines communicated over the network and various laptops were able to view the flight from other perspectives by getting updates from the simulator. It was rather impressive.

[Telescope prototype]

The linuxastronomy.org project was also on hand with their telescope prototype. The telescope will be controlled via a Linux machine allowing it to be pointed at locations as specified by users. A Linux desktop application will send locations to the telescope over the internet, allowing it to be remotely controlled so that it can be installed in a mountaintop or other location with (relatively) little light pollution and good viewing conditions. In addition, the project was demonstrating many of the free astronomy programs available for Linux.

A mobile audio studio product, Indamixx, did not have a booth, but could be seen all over the show. The company loaned two of the UMPC-based devices to the conference which were used to do podcasts of interviews with speakers and attendees. The device runs Linux with Audacity and ardour along with other free software. The company has tweaked things to make it all work well and be easy to use on the device. It looks to be quite capable as well as easily portable.

In another interesting talk, David Maxwell of Coverity gave an update on their project to scan free software for security holes. The US Department of Homeland Security gave Coverity a grant to work with free software projects to use the Coverity Prevent static code analysis tool (once known as the "Stanford Checker") on the code. The scan project has found over 7,000 defects in around a hundred free software projects since its inception. Maxwell is the Open Source Strategist for Coverity; he is looking for more projects to participate. He is encouraging any free/open source software project to get in touch with him to get signed up for the program.

Projects that join get their code scanned with a report being generated on the Coverity website for project members to view. The projects can then fix any of the issues that are actually bugs, mark others as "not a bug", and resubmit the code. The Coverity system will check the latest code out of their source code repository and check it again. Once all issues that the tool finds are handled, the project can move up to a higher "rung on the scan ladder" which will allow them to be scanned by more recent versions of the Coverity tool.

Bdale Garbee had perhaps the geekiest talk of the show on Saturday afternoon with "Open Avionics for Model Rockets". Garbee gave an overview of the hobby, which has gone far beyond the Estes rockets that many of us dabbled with in our youth. These rockets can go to 10,000 feet and above; just how high they go is one of the questions that led folks to start outfitting them with instruments. Deploying the recovery system—typically a parachute—at apogee is very desirable and a barometric sensor with a little bit of logic tied to the ejection charge can do just that. Unfortunately, all of the commercially available options for these systems are completely closed; even the protocol to talk to the device is not released by the manufacturers.

Garbee decided to once again combine one of his hobbies with open source to design and build an open device. Both the hardware and software will be released under free licenses (GPL and Open Hardware License); he had version 0.1 of the hardware (missing the accelerometer due to a problem in the board layout) with him at the show. The AltusMetrum system also has an onboard barometric sensor and will be able to support things like GPS devices and radio transmitters—so that lost rockets do not stay lost. Garbee expects to flight test the board and design version 0.2 of the hardware over the coming months.

Sunday's keynote, by Stormy Peters of OpenLogic was entitled "Would you do it again for free?". Peters looked at whether external rewards, usually money, affect the motivation of open source developers; in particular, if the pay stops, will the project work stop as well? She cited four separate "studies" (including two that weren't intended as studies) that seemed to show that adding a reward, or penalty, can sometimes have a counter-intuitive effect (see an entry in her weblog for more information).

Peters came to no firm conclusions about what the long-term effects of paying open source developers would be, but there are some mitigating factors that seem to provide hope that developers would continue if the paychecks stopped. When a payment or reward is in line with expectations for doing a particular task, it is much less demotivating. Also, if the payment is for working on the project, not tied to a specific goal or milestone, it is also less of a problem. Both of those are typically the case with folks who are paid—40% of open source developers are, according to Peters—for their work in the community.

After a last wander through the show floor, I was able to catch a few minutes of the talk given by Ken Gilmer and Angel Roman of Bug Labs describing their modular embedded Linux gadget building system. The system consists of a core module along with various plug-in devices: camera, motion detector, GPS, etc. that can be combined into a single Java programmable device. Many additional peripheral modules are planned. The software that runs on the device is free and Bug Labs has a community site to share application code; they are clearly hoping that they can foster a community of users and developers.

As can be seen, SCALE offers a wide variety of technical content in a well organized and fun conference. It has grown beyond the capacity of the Airport Westin where it has been held for the last few years; expect a new, bigger venue somewhere in LA next year. Over the last few years, SCALE has drawn from more areas of the southwest US in moving from a small, local conference to a regional one. If things continue, in another few years it may grow into a national conference; one can only hope that if that happens, it will continue to be as well run and interesting as it is today.

Comments (12 posted)

LCA: Two talks on the state of X

By Jonathan Corbet
February 8, 2008
The X window system is the kernel of the desktop Linux experience; if X does not work well, nothing built on top of it will work well either. Despite its crucial role, X suffered from relative neglect for a number of years before being revitalized by the X.org project. Two talks at linux.conf.au covered the current state of the X window system and where we can expect things to go in the near future.

Keith Packard is a fixture at Linux-related events, so it was no surprise to see him turn up at LCA. His talk covered X at a relatively high, feature-oriented level. There is a lot going on with X, to say the least. Keith started, though, with the announcement that Intel had released complete documentation for some of its video chips - a welcome move, beyond any doubt.

There are a lot of things that X.org is shooting for in the near future. The desktop should be fully composited, allowing software layers to provide all sorts of interesting effects. There should be no tearing (the briefly inconsistent windows which result from partial updates). We need integrated 2D and 3D graphics - a goal which is complicated by the fact that the 2D and 3D APIs do not talk to each other. A flicker-free boot (where the X server starts early and never restarts) is on most [Keith Packard] distributors' wishlist. Other desired features include fast and secure user switching, "hotplug everywhere," reduced power consumption, and a reduction in the (massive) amount of code which runs with root privileges.

So where do things stand now? 2D graphics and textured video work well. Overlaid video (where video data is sent directly to the frame buffer - a performance technique used by some video playback applications) does not work with compositing, though. 3D graphics does not always work that well either; Keith put up the classic example of glxgears running while the window manager is doing the "desktops on a cube" routine - the 3D application runs outside of the normal composite mechanism and so cannot be rotated with all the other windows.

On the tearing front, only 3D graphics supports no-tearing operations now. Avoiding tearing is really just a matter of waiting for the video retrace before making changes, but the 2D API lacks support for that.

The integration of APIs is an area requiring some work still. One problem is that Xv (video) output cannot be drawn offscreen - again, a problem for compositing. Some applications still use overlays, which really just have no place on the contemporary desktop. It is impossible to do 3D graphics to or from pixmaps, which defeats any attempt to pass graphical data between the 2D and 3D APIs. On the other side, 2D operations do not support textures.

Fast user switching can involve switching between virtual terminals, which is "painful." Only one user session can be running 3D graphics at a time, which is a big limitation. On the hotplug front, there are some limitations on how the framebuffer is handled. In particular, the X server cannot resize the framebuffer, and it can only associate one framebuffer with the graphics processor. Some GPUs have maximum line widths, so the one-framebuffer issue limits the maximum size of the internal desktop.

With regard to power usage: Keith noted that using framebuffer compression in the Intel driver saves 1/2 watt of power. But there are a number of things to be fixed yet. 2D graphics busy-waits on the GPU, meaning that a graphics-intensive program can peg the system's CPU, even though the GPU is doing all of the real work. But the GPU could be doing more as well; for example, video playback does most of the decoding, rescaling, and color conversion in the CPU. But contemporary graphics processors can do all of that work - they can, for example, take the bit stream directly from a DVD and display it. The GPU requires less power than the CPU, so shifting that work over would be good for power consumption as well as system responsiveness.

Having summarized the state of the art, Keith turned his attention to the future. There is quite a bit of work being done in a number of areas - and not being done in others - which leads toward a better X for everybody. On the 3D compositing front, what's needed is to eliminate the "shared back buffers" used for 3D rendering so that the rendered output can be handled like any other graphical data. Eliminating tearing requires providing the ability to synchronize with the vertical retrace operation in the graphics card. The core mechanism to do this is already there in the form of the X Sync extension. But, says Keith, nobody is working on bringing all of this together at the moment. Getting rid of boot-time flickering, instead, is a matter of getting the X server properly set up sufficiently early in the process. That's mostly a distributor's job.

To further integrate APIs, one thing which must be done is to get rid of overlays and to allow all graphical operations (including Xv operations) to draw into pixmaps. There is a need for some 3D extensions to create a channel between GLX and pixmaps.

Supporting fast user switching means adding the ability to work with multiple DRM master. Framebuffer resizing, instead, means moving completely over to the EXA acceleration architecture and finishing the transition to the TTM memory manager. In the process, it may become necessary to break all existing DRI applications, unfortunately. And multiple framebuffer support is the objective of a project called "shatter," which will allow screens to be split across framebuffers.

Improving the power consumption means getting rid of the busy-waiting with 2D graphics (Keith say the answer is simple: "block"). The XvMC protocol should be extended beyond MPEG; in particular, it needs work to be able to properly support HDTV. All of this stuff is currently happening.

Finally, on the security issue, Keith noted the ongoing work to move graphical mode setting into the kernel. That will eliminate the need for the server to directly access the hardware - at least, when DRM-based 2D graphics are being done. In that case, it will become possible to run the X server as "nobody," eliminating all privilege. There are few people who would argue against the idea of taking root privileges away from a massive program like the X server.

[Dave Airlie] In a separate talk, Dave Airlie covered the state of Linux graphics at a lower level - support for graphics adapters. He, too, talked about moving graphical mode setting into the kernel, bringing an end to a longstanding "legacy issue" and turning the X server into just a rendering system. That will reduce security problems and help with other nagging issues (graphical boot, suspend and resume) as well.

Mode setting is the biggest area of work at the moment. Beyond that, the graphics developers are working on getting TTM into the kernel; this will give them a much better handle on what is happening with graphics memory. Then, graphics drivers are slowly being reworked around the Gallium3D architecture. This will improve and simplify these drivers significantly, but "it's going to be a while" before this work is ready. The upcoming DRI2 work will improve buffering and fix the "glxgears on a cube" problem.

Moving on to graphics adapters: AMD/ATI has, of course, begun the process of releasing documentation for its hardware. This happened in an interesting way, though: AMD went to SUSE in order to get a driver developed ahead of the documentation release; the result was the "radeonhd" driver. Meanwhile, the Avivo project, which had been reverse-engineering ATI cards, had made significant progress toward a working driver. Dave took that work and the AMD documentation to create the improved "radeon" driver. So now there are two competing projects writing drivers for ATI adapters. Dave noted that code is moving in both directions, though, so it is not a complete duplication of work. (As an aside, from what your editor has heard, most observers expect the radeon driver to win out in the end).

The ATI R500 architecture is a logical addition to the earlier (supported) chipsets, so R500 support will come relatively quickly. R600, instead, is a totally new processor, so R600 owners will be "in for a wait" before a working driver is available.

Intel has, says Dave, implemented the "perfect solution": it develops free drivers for its own hardware. These drivers are generally well done and well documented. Intel is "doing it right."

NVIDIA, of course, is not doing it right. The Nouveau driver is coming along, now, with 5-6 developers working on it. Dave had an RandR implementation in a state of half-completion for some time; he finally decided that he would not be able to push it forward and merged it into the mainline repository. Since then, others have run with it and RandR support is moving forward quickly. It was, he says, a classic example of why it is good to get the code out there early, whether or not it is "ready." Performance is starting to get good, to the point that NVIDIA suddenly added some new acceleration improvements to its binary-only driver. Dave is still hoping that NVIDIA might yet release some documents - if it happens by next year, he says, he'll stand in front of the room and dance a jig.

Comments (69 posted)

Ten-year timeline part 5: Not just SCO

By Jonathan Corbet
February 13, 2008
Part 4 of this retrospective ended in October, 2002, when LWN adopted its current subscription model. That change brought a certain amount of stability for LWN (too much, we might argue), but, in the wider Linux world, things continued to happen. This installment picks up where the last left off.

During this period, the business of Linux was relatively quiet - not that many acquisitions, but not many failures either. But quite a bit was happening around legal issues, copyright enforcement, and more...

  • October 10, 2002: BitKeeper flames return as the non-compete clause in its license comes to light. The sendmail source distribution is trojaned.

BitKeeper flames were a more-or-less constant feature in those days, but BitKeeper became an established part of the kernel development process anyway. In the October 10, 2002 edition, your editor wrote: "If Larry McVoy (or his board of directors) wakes up hung over one morning and decides to end free access to BitKeeper, the show is over." That was, unfortunately, an example of your editor's crystal ball working rather better than usual.

The trojaning of sendmail was the first of a few such incidents. It looked like a scary trend for a while, but, in fact, the frequency of this kind of attack has dropped quite a bit in the intervening years.

  • October 31, 2002: the first cryptographic code is finally merged into the Linux kernel. The first Reiser4 snapshot is posted.

  • December 19, 2002: The Creative Commons project is launched. ElcomSoft (Dmitry Sklyarov's employer) is acquitted of DMCA violation charges. Kernel developers start to complain that the 2.5 feature freeze is thawing.

  • January 16, 2003: The U.S. Supreme Court decides in favor of unlimited copyright term extensions. MandrakeSoft enters bankruptcy. The SCO Group starts making noises about its "Unix IP."

  • January 30, 2003: SCO forms SCOSource and makes rather more dire noises about Linux.

By this point, there was a certain amount of discomfort over the direction SCO was taking. But nobody had any clue of just how weird it would actually get.

Remember the days of disruptive worms? MS-SQL was one of the scariest, in that it did most of its propagation in just a few minutes. We don't see to many worms like that anymore; contemporary crackers prefer to turn systems into zombies and rent them out.

  • March 13, 2003: The SCO Group files a $1 billion lawsuit against IBM.

And so it began, with SCO telling the world that the Linux community could not possibly have achieved what it did unless the work had been stolen by IBM.

For the remainder of this retrospective, your editor will attempt to keep the number of SCO-related entries to a minimum. It has been quite an experience to go back and reread all of those McBride/Enderle/Boies/DiDio/Lyons/etc. quotes, and it is tempting to put them all here. But that temptation will be resisted; those who want to relive that bit of bizarre history in more detail can read the LWN pages directly or dig through the considerable resources at Groklaw.

SCO is about as scary as Y2K now, but, in 2003, the SCO suit was a frightening event. To many of us it seemed possible that, maybe, one out of thousands of developers might have slipped something improper into the kernel code base. And, in any case, we were under attack by a company with millions of dollars to burn and a loud-mouthed CEO. The whole thing cost us a lot of time and anxiety - and, for those most directly involved - money.

Nonetheless, your editor will reiterate his claim that, overall, the SCO attack has been good for us. We needed to improve our legal defenses; as Linux grew, there could be no doubt that people would attempt to use the legal system to grab a piece of the pie. In SCO we had an arrogant assailant with no substance; we were attacked by a clown. We got the ability to straighten up our processes, arrange better legal help, and prove that our code is clean without the inconvenience of facing a complaint with a bit of legitimacy. The community is now close to immune from copyright-based attack, and is much better poised to deal with similar attackers (patent trolls, for example) who could still do us some serious damage.

  • March 27, 2003: Keith Packard is kicked out of the XFree86 core team. Red Hat Linux 9 - the last Red Hat Linux release - is announced.

  • May 15, 2003: SCO suspends Linux sales and sends a warning letter to 1500 Linux users.

  • May 22, 2003: The GNU and Ghostscript projects part ways. Microsoft buys a $10 million Unix license from SCO.

  • May 29, 2003: Novell claims that it, not SCO, owns Unix. Kernel developers get upset about the fact that there has been no 2.4 kernel release for six months. The 2.5 kernel gets a reworked char device layer, IDE tagged command queueing support and the USB gadget subsystem - seven months into the 2.5 feature freeze. The city of Munich decides to move to Linux.

Novell's claim was clearly significant at the time, though it fell below the radar again for several months. In the end, of course, this was the factor which killed SCO. That is convenient, but almost unfortunate too: there would have been value in seeing the substance of SCO's claims demolished in court.

In these days of fast releases, it is interesting to consider that, for the first half of 2003, there were no stable kernel releases at all.

  • June 19, 2003: Linus Torvalds moves to OSDL. The kernel gets a massively reworked ext3 filesystem - eight months into the feature freeze. SCO raises its claim for damages to $3 billion and "terminates" IBM's AIX license. Software patents return to the European Parliament.

  • July 10, 2003: Andrew Morton moves to OSDL.

OSDL was often controversial in the Linux community, but nobody doubted that providing a home for developers like Linus and Andrew was a good thing. Until now, neither had held a job where working on Linux was their primary duty.

Meanwhile, few suspected how big the software patent battle in Europe would become - or that the anti-patent side would emerge victorious (for now).

  • July 17, 2003: The 2.6.0-test1 kernel is released; it includes the new anticipatory disk I/O scheduler. Slackware celebrates its 10th anniversary. The Mozilla Foundation is created.

  • July 24, 2003: Red Hat gets out of the boxed distribution business. Mozilla starts requesting donations from users.

Selling Linux in boxes was how Red Hat got going, so the end of that business was a clear sign that things had changed. The separation of Mozilla and AOL (which had bought Netscape) was a little scary at the time; it seemed that the project could fade away before the Mozilla browser became truly ready and that it was an Internet Explorer future for all of us. Things were a little lean at Mozilla for a while. Now that Mozilla is bringing in tens of millions of dollars every year, the idea that it once sought donations is amusing.

  • August 7, 2003: Novell acquires Ximian. Red Hat files suit against SCO. SCO offers the "intellectual property license for Linux." SELinux is merged for the 2.6.0-test3 kernel.

  • August 21, 2003: SCO shows some "copied code."

SCO, remember, "encrypted" its slides of "copied" code by switching them to a Greek font - a scheme which the community, somehow, managed to overcome. The code in question was straight from ancient Unix; it had been contributed by SGI, and had already been removed by the time it was revealed. After this, nobody worried that SCO might come up with the "millions of lines" of code that, it said, it could prove it owned.

  • September 25, 2003: The Fedora project launches. Software patents pass in the European Parliament. Sun's Jonathan Schwartz says "We do not believe that Linux plays a role on the server. Period."

  • October 16, 2003: Under pressure from the FSF and others, LinkSys releases source for its WRT54G routers.

Fedora started with all kinds of talk about what a community-oriented project it would be. The reality was rather slower in coming, but is beginning to be visible now. Meanwhile, Fedora was a useful (and used) distribution from the outset.

The LinkSys settlement was the result of a long battle. It was an important early GPL enforcement action which led to the creation of a number of distributions created for the sole purpose of doing interesting things on LinkSys routers. The ironic result is that LinkSys almost certainly sold quite a few more units than it would have if it had continued to hold on to the code.

  • October 23, 2003: SCO gets $50 million from BayStar.

  • November 6, 2003: Novell acquires SUSE. A fight erupts over the "Linux Gazette" name.

  • December 24, 2003: SCO claims ownership of the Unix ABI. The 2.6.0 kernel is released. Red Hat acquires Sistina. The Mozilla Foundation asks for more donations.

2.6.0 took almost exactly three years after 2.4.0 came out. For the few developers who had observed the 2.4 feature freezes, their code - which could be four years old at this point - was only now making it into an official mainline release. It was not yet understood at this point, but, once 2.6.0 came out, the "new kernel development model" started to take shape. Never again would we go years between major stable releases.

  • January 22, 2004: SCO files its "slander of title" suit against Novell. Linus gets dunked.

  • January 29, 2004: UnitedLinux dies a quiet death. SCO sends a letter to the U.S. Congress. Version 2 of the Apache License is adopted.

  • February 5, 2004: XFree86 leader David Dawes changes the project's license.

There had been trouble in XFree86 for a long time, but the license change brought it all to a head. This was the move which killed XFree86, led to the creation of the revitalized X.org, and, eventually, brought life back to X development.

The first Grumpy Editor article was never intended to be the beginning of a series; your editor was simply grumpy that the Galeon browser had gone the route of many early GNOME 2.x applications: less configurability, fewer features, and worse performance. The persona proved popular with readers, though, and the Grumpy Editor has been making irregular appearances on LWN ever since.

  • February 19, 2004: The Netfilter team settles its first GPL enforcement action in Europe.

  • February 26, 2004: X11 development moves to the freedesktop.org project. MandrakeSoft is ordered by a French court to stop using the "Mandrake" name.

  • March 4, 2004: SCO sues AutoZone and DaimlerChrysler. EV1Servers.Net buys an expensive SCO license - a move they certainly still regret. FreeS/WAN shuts down.

The attack on Linux users had been long foreshadowed - and feared. Regardless of the validity of its claims, SCO could certainly make life hard for Linux by attacking those who use it. The attacks were so laughable, though, that they had no appreciable effect, even in the short term.

  • March 11, 2004: The Anderer memo surfaces, tying SCO to Microsoft. The tenth anniversary of the green card spam.

  • March 18, 2004: Open Source Risk Management launches. MandrakeSoft files its plan to exit bankruptcy.

For those who don't remember, OSRM was a scheme to sell insurance against legal attacks to users of free software. But, by this point, nobody was all that worried about SCO, and OSRM never did take off. On the other hand, MandrakeSoft did succeed in getting out of bankruptcy and is still with us.

  • March 25, 2004: BitMover claims that the pace of kernel development has doubled as a result of the adoption of BitKeeper.

This installment started with BitKeeper, and will end there. For all the complaints about BitKeeper and its associated "don't piss off Larry" license, few could contest the claim that kernel development was proceeding at a much faster pace. We needed a tool like that. To this day, it remains discouraging that we were not able to develop a distributed revision control system for ourselves until Larry McVoy and BitMover showed the way. If there was ever an itch in need of scratching, this was it.

The next installment (which will most likely appear two weeks from now) will start with April, 2004 and come fairly close to the present. Stay tuned.

Comments (3 posted)

Page editor: Jake Edge

Security

Eee PC security or lack thereof

By Jake Edge
February 13, 2008

The Eee PC has garnered a lot of press for its small form factor, low weight, and solid-state disk, but it has also made a poor showing with security researchers. RISE Security released a report on the security of the Eee last week, showing that it can be subverted ("rooted") right out of the box from ASUS. Unfortunately, it is even worse than that as, even after updating an Eee using the standard mechanism, the hole is not patched.

The vulnerability identified by RISE is in the Samba daemon (smbd), version 3.0.24, which is installed and runs on stock Eee PCs. The vulnerability, CVE-2007-2446 was identified and patched last May, so the Eee is shipping with a version of Samba known to be vulnerable to an arbitrary code execution flaw for nine months or so. In itself, that is not completely surprising.

When hardware vendors install a distribution—or commercial OS like Windows—they tend to install the latest released version, which is likely to be out of date with respect to security issues. A vendor installing Fedora 8 or Debian etch today will be behind on countless security updates. But, unlike the Samba problem discovered on the Eee, updates do exist in the standard places. If the new user updates their system immediately, there is a fairly small window of vulnerability.

Unfortunately for Eee owners, the modified Xandros distribution that comes with it does not yet have an update for Samba. This leaves all Eee PCs vulnerable to being rooted by anyone on the same network. Since the Eee is meant as a mobile device, it likely spends a lot of its time connected to various public networks, especially wireless networks. The Eee makes an interesting target for attackers because it very well might have authentication information for banks or brokerages as well as other private or confidential files.

Some have seriously downplayed the threat but it is clear they don't understand it:

The root attack performed was relatively easy to do, if you like command lines. Maybe Asus or Xandros could work on a patch for this. It almost makes one wonder how many other exploits are lying under the surface just waiting to be found. But, it's not like this actually puts you in danger, just how many hackers are going to be looking for the Asus EeePC or even Xandros based system online and attack them? Probably not many.

Sales of the Eee last year was around 300,000 units; large enough to be an attractive target for the malicious. Because there is not an update to close the hole, Eee users have to rely on other means to protect themselves. This eeeuser.com comment thread provides some of the better advice for dealing with the problem. Removing the Samba package seems to be the simplest, but fairly heavy handed, way to avoid the hole—but many folks need a working Samba. There is no way to disable Samba from the Eee GUI which is the way most owners plan to interact with the machine. This whole incident makes it seem like ASUS (and perhaps Xandros) are not terribly interested in the security of the machines that they sell.

There is a larger issue here. When the normal means of getting security patches comes from the same medium that is also the biggest security threat, there will always be windows of vulnerability. Even if hardware vendors diligently update the distribution they install, there is still some shelf-life and shipping time where security updates can be released. Various studies have shown that there may not be enough time to download patches before an unpatched system succumbs to an attack.

It is a difficult problem to solve completely. Any solution must be very straightforward and consistent so that unsophisticated users can be trained to do it as a matter of course. News about security issues needs to get more widespread attention as well, so that those same users know when the procedure needs to be followed. Firewalls and other network protections only go so far if the machine needs to reach out to the internet to pick up its updates.

If distributions provided some kind of blob (tar file, .deb, .rpm, etc.) that contained all of the security updates since the release, users could grab that from a different (presumably patched or not vulnerable) machine, put it on a USB stick or some other removable media and get it to the new machine. A utility provided by the distribution could then process that blob to apply all the relevant patches—all while the vulnerable machine stayed off the net. As the world domination plan continues, threats against Linux will become more commonplace; we need to try and ensure that users, especially the unsophisticated ones, can be secure in their choice of Linux.

Comments (22 posted)

Security news

Multi-threaded OpenSSH

The folks at the Pittsburgh Supercomputing Center have posted a special version of OpenSSH aimed at high-bandwidth applications. "This cipher mode introduces multi-threading into the OpenSSH application in order to allow it to make full use of CPU resources available on multi-core systems. As the canonical distribution of OpenSSH is unable to make use of more than one core, high performance transfers can be bottlenecked by the cryptographic overhead." It's worth noting that the OpenSSH developers fear the security implications of multi-threading the program and seem uninclined to incorporate this work.

Comments (23 posted)

New vulnerabilities

clamav: arbitrary code execution

Package(s):clamav CVE #(s):CVE-2008-0318
Created:February 13, 2008 Updated:April 18, 2008
Description:

From the CVE:

Integer overflow in libclamav in ClamAV before 0.92.1, as used in clamd, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted Petite packed PE file, which triggers a heap-based buffer overflow.

Alerts:
Fedora FEDORA-2008-1608 2008-02-13
Fedora FEDORA-2008-1625 2008-02-13
Debian DSA-1497-1 2008-02-16
Gentoo 200802-09 2008-02-21
SuSE SUSE-SR:2008:004 2008-02-22
Mandriva MDVSA-2008:088 2007-04-17

Comments (1 posted)

Doomsday: multiple vulnerabilities

Package(s):Doomsday CVE #(s):CVE-2007-4642 CVE-2007-4643 CVE-2007-4644
Created:February 7, 2008 Updated:February 13, 2008
Description: From the Gentoo alert:

Luigi Auriemma discovered multiple buffer overflows in the D_NetPlayerEvent() function, the Msg_Write() function and the NetSv_ReadCommands() function. He also discovered errors when handling chat messages that are not NULL-terminated (CVE-2007-4642) or contain a short data length, triggering an integer underflow (CVE-2007-4643). Furthermore a format string vulnerability was discovered in the Cl_GetPackets() function when processing PSV_CONSOLE_TEXT messages (CVE-2007-4644).

This vulnerability can be used for the execution of arbitrary code or to create a denial of service.

Alerts:
Gentoo 200802-02 2008-02-06

Comments (none posted)

duplicity: password disclosure

Package(s):duplicity CVE #(s):CVE-2007-5201
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the CVE:

The FTP backend for Duplicity sends the password as a command line argument when calling ncftp, which might allow local users to read the password by listing the process and its arguments.

Alerts:
Fedora FEDORA-2008-1584 2008-02-13
Fedora FEDORA-2008-1521 2008-02-13

Comments (1 posted)

firefox: multiple vulnerabilities

Package(s):firefox seamonkey thunderbird CVE #(s):CVE-2008-0412 CVE-2008-0413 CVE-2008-0415 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593
Created:February 8, 2008 Updated:April 2, 2008
Description: From the Red Hat advisory:
Several flaws were found in the way Firefox processed certain malformed web content. A webpage containing malicious content could cause Firefox to crash, or potentially execute arbitrary code as the user running Firefox. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way Firefox displayed malformed web content. A webpage containing specially-crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way Firefox stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)

A flaw was found in the way Firefox handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of Firefox. (CVE-2008-0418)

A flaw was found in the way Firefox saves certain text files. If a website offers a file of type "plain/text", rather than "text/plain", Firefox will not show future "text/plain" content to the user in the browser, forcing them to save those files locally to view the content. (CVE-2008-0592)

Alerts:
Red Hat RHSA-2008:0103-01 2008-02-07
Red Hat RHSA-2008:0104-01 2008-02-07
Red Hat RHSA-2008:0105-01 2008-02-07
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
SuSE SUSE-SA:2008:008 2008-02-15
Debian DSA-1506-1 2008-02-24
Mandriva MDVSA-2008:048 2007-02-22
Red Hat RHSA-2008:0105-02 2008-02-27
Fedora FEDORA-2008-2118 2008-02-28
Fedora FEDORA-2008-2060 2008-02-28
rPath rPSA-2008-0093-1 2008-02-29
Slackware SSA:2008-061-01 2008-03-03
Ubuntu USN-582-1 2008-02-29
Ubuntu USN-582-2 2008-03-06
Mandriva MDVSA-2008:062 2007-03-06
Debian DSA-1485-2 2008-03-17
Debian DSA-1506-2 2008-03-20
Fedora FEDORA-2008-2812 2008-04-01
Fedora FEDORA-2008-2830 2008-04-01

Comments (2 posted)

firefox: multiple vulnerabilities

Package(s):firefox CVE #(s):CVE-2008-0414 CVE-2008-0416 CVE-2008-0420 CVE-2008-0594
Created:February 8, 2008 Updated:March 26, 2008
Description: From the Ubuntu advisory:
Flaws were discovered in the file upload form control. A malicious website could force arbitrary files from the user's computer to be uploaded without consent. (CVE-2008-0414)

Various flaws were discovered in character encoding handling. If a user were ticked into opening a malicious web page, an attacker could perform cross-site scripting attacks. (CVE-2008-0416)

Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420)

Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog wasn't displayed under certain circumstances. A malicious website could exploit this to conduct phishing attacks against the user. (CVE-2008-0594)

Alerts:
Ubuntu USN-576-1 2008-02-08
Debian DSA-1484-1 2008-02-10
Debian DSA-1485-1 2008-02-10
Debian DSA-1489-1 2008-02-10
rPath rPSA-2008-0051-1 2008-02-08
Foresight FLEA-2008-0001-1 2008-02-11
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1669 2008-02-13
Fedora FEDORA-2008-1459 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1435 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
Fedora FEDORA-2008-1535 2008-02-13
SuSE SUSE-SA:2008:008 2008-02-15
Debian DSA-1506-1 2008-02-24
Mandriva MDVSA-2008:048 2007-02-22
Red Hat RHSA-2008:0105-02 2008-02-27
Fedora FEDORA-2008-2118 2008-02-28
Fedora FEDORA-2008-2060 2008-02-28
Ubuntu USN-582-1 2008-02-29
Ubuntu USN-582-2 2008-03-06
Debian DSA-1485-2 2008-03-17
Debian DSA-1506-2 2008-03-20
Ubuntu USN-592-1 2008-03-26

Comments (none posted)

glib2: buffer overflow

Package(s):glib2 CVE #(s):
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the Fedora advisory:

PCRE 7.6 fixed following bug: A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow. The GLib release 2.14.6 updates the included copy of PCRE to version 7.6.

Alerts:
Fedora FEDORA-2008-1533 2008-02-13

Comments (none posted)

gnumeric: arbitrary code execution

Package(s):gnumeric CVE #(s):CVE-2008-0668
Created:February 13, 2008 Updated:April 22, 2008
Description:

From the CVE:

The excel_read_HLINK function in plugins/excel/ms-excel-read.c in Gnome Office Gnumeric before 1.8.1 allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file containing XLS HLINK opcodes, possibly because of an integer signedness error that leads to an integer overflow. NOTE: some of these details are obtained from third party information.

Alerts:
Gentoo 200802-05 2008-02-12
Mandriva MDVSA-2008:056 2007-02-28
Debian DSA-1546-1 2008-04-10
Ubuntu USN-604-1 2008-04-22

Comments (none posted)

gnumeric: integer overflow and signedness errors

Package(s):gnumeric CVE #(s):
Created:February 8, 2008 Updated:February 13, 2008
Description: Gnumeric has an integer overflow and signedness errors in the XLS processing, with unknown consequences.
Alerts:
Fedora FEDORA-2008-1313 2008-02-05
Fedora FEDORA-2008-1403 2008-02-05

Comments (none posted)

java: multiple vulnerabilities

Package(s):java-1.5.0-sun CVE #(s):CVE-2008-0657
Created:February 12, 2008 Updated:April 25, 2008
Description: Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.
Alerts:
Red Hat RHSA-2008:0123-01 2008-02-12
Red Hat RHSA-2008:0156-02 2008-03-05
Red Hat RHSA-2008:0210-01 2008-04-03
Gentoo 200804-20 2008-04-17
SuSE SUSE-SA:2008:025 2008-04-25

Comments (none posted)

kernel: insufficient range checks

Package(s):kernel CVE #(s):CVE-2008-0007
Created:February 8, 2008 Updated:May 9, 2008
Description: From the SUSE advisory: Insufficient range checks in certain fault handlers could be used by local attackers to potentially read or write kernel memory.
Alerts:
SuSE SUSE-SA:2008:006 2008-02-07
rPath rPSA-2008-0048-1 2008-02-08
Mandriva MDVSA-2008:044 2008-02-12
Debian DSA-1503 2008-02-22
Debian DSA-1504 2008-02-22
Debian DSA-1503-2 2008-03-06
Mandriva MDVSA-2008:072 2008-03-20
SuSE SUSE-SA:2008:017 2008-03-28
Debian DSA-1565-1 2008-05-01
Red Hat RHSA-2008:0211-01 2008-05-07
Red Hat RHSA-2008:0237-01 2008-05-07
Red Hat RHSA-2008:0233-01 2008-05-07
CentOS CESA-2008:0211 2008-05-07
CentOS CESA-2008:0233 2008-05-09

Comments (none posted)

kernel: local root privilege escalation

Package(s):linux-2.6 CVE #(s):CVE-2008-0010 CVE-2008-0600
Created:February 11, 2008 Updated:March 7, 2008
Description:

From the Debian advisory:

The vmsplice system call did not properly verify address arguments passed by user space processes, which allowed local attackers to overwrite arbitrary kernel memory, gaining root privileges (CVE-2008-0010, CVE-2008-0600).

Alerts:
Debian DSA-1494-1 2008-02-11
Fedora FEDORA-2008-1422 2008-02-11
Fedora FEDORA-2008-1423 2008-02-11
Mandriva MDVSA-2008:043 2007-02-11
Mandriva MDVSA-2008:044 2008-02-12
SuSE SUSE-SA:2008:007 2008-02-12
Debian DSA-1494-2 2008-02-12
Fedora FEDORA-2008-1629 2008-02-13
Fedora FEDORA-2008-1433 2008-02-13
Red Hat RHSA-2008:0129-01 2008-02-12
rPath rPSA-2008-0052-1 2008-02-12
Slackware SSA:2008-042-01 2008-02-13
Ubuntu USN-577-1 2008-02-12
SuSE SUSE-SA:2008:013 2008-03-06

Comments (1 posted)

kernel: memory access violation

Package(s):linux-2.6 CVE #(s):CVE-2008-0163
Created:February 11, 2008 Updated:February 13, 2008
Description:

From the Debian advisory:

In the vserver-enabled kernels, a missing access check on certain symlinks in /proc enabled local attackers to access resources in other vservers (CVE-2008-0163).

Alerts:
Debian DSA-1494-1 2008-02-11
Debian DSA-1494-2 2008-02-12
Slackware SSA:2008-042-01 2008-02-13

Comments (none posted)

mailman: cross-site scripting

Package(s):mailman CVE #(s):CVE-2008-0564
Created:February 13, 2008 Updated:March 17, 2008
Description:

From the Red Hat bugzilla entry:

Multiple cross-site scripting (XSS) vulnerabilities in Mailman before 2.1.10b1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to (1) editing templates and (2) the list's "info attribute" in the web administrator interface, a different vulnerability than CVE-2006-3636.

Alerts:
Fedora FEDORA-2008-1356 2008-02-13
Fedora FEDORA-2008-1334 2008-02-13
rPath rPSA-2008-0056-1 2008-02-15
Mandriva MDVSA-2008:061 2007-03-06
Ubuntu USN-586-1 2008-03-15

Comments (none posted)

moin: file overwrite via crafted cookie

Package(s):moin CVE #(s):
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the Fedora advisory:

It was discovered that moin allowed to overwrite arbitrary files writable by the user running moin using a crafted cookie with certain user IDs via a directory traversal flaw. This updated package fixes this issue.

Alerts:
Fedora FEDORA-2008-1562 2008-02-13
Fedora FEDORA-2008-1486 2008-02-13

Comments (none posted)

mozilla: multiple vulnerabilities

Package(s):mozilla CVE #(s):
Created:February 13, 2008 Updated:February 13, 2008
Description:
Here are the details from the Slackware 12.0 ChangeLog:
+--------------------------+
patches/packages/mozilla-firefox-2.0.0.12-i686-1.tgz:
  Upgraded to firefox-2.0.0.12.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabil...
  (* Security fix *)
patches/packages/seamonkey-1.1.8-i486-1_slack12.0.tgz:
  Upgraded to seamonkey-1.1.8.
  This upgrade fixes some more security bugs.
  For more information, see:
    http://www.mozilla.org/projects/security/known-vulnerabil...
  (* Security fix *)
+--------------------------+
Alerts:
Slackware SSA:2008-043-01 2008-02-13

Comments (none posted)

mplayer: multiple vulnerabilities

Package(s):mplayer CVE #(s):CVE-2008-0485 CVE-2008-0486 CVE-2008-0629 CVE-2008-0630
Created:February 13, 2008 Updated:April 1, 2008
Description:

From the Debian advisory:

Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0485: Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files.

CVE-2008-0486: Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing.

CVE-2008-0629: Adam Bozanich discovered a buffer overflow in the CDDB access code.

CVE-2008-0630: Adam Bozanich discovered a buffer overflow in URL parsing.

Alerts:
Debian DSA-1496-1 2008-02-12
Fedora FEDORA-2008-1581 2008-02-13
Fedora FEDORA-2008-1543 2008-02-13
Mandriva MDVSA-2008:045 2007-02-14
Mandriva MDVSA-2008:046 2007-02-15
Mandriva MDVSA-2008:046-1 2007-02-20
Gentoo 200802-12 2008-02-26
Gentoo 200803-16 2008-03-10
SuSE SUSE-SR:2008:006 2008-03-14
Debian DSA-1536-1 2008-03-31

Comments (none posted)

netpbm: buffer overflow

Package(s):netpbm CVE #(s):CVE-2008-0554
Created:February 8, 2008 Updated:March 17, 2008
Description: From the Mandriva advisory: A buffer overflow in the giftopnm utility in netpbm prior to version 10.27 could allow attackers to have an unknown impact via a specially crafted GIF file.
Alerts:
Mandriva MDVSA-2008:039 2008-02-07
Debian DSA-1493-1 2008-02-10
Red Hat RHSA-2008:0131-01 2008-02-28

Comments (none posted)

openldap: denial of service

Package(s):openldap CVE #(s):CVE-2007-6698
Created:February 8, 2008 Updated:April 25, 2008
Description: From the CVE entry: The BDB backend for slapd in OpenLDAP before 2.3.36, allows remote authenticated users to cause a denial of service (crash) via a potentially-successful modify operation with the NOOP control set to critical, possibly due to a double free vulnerability.
Alerts:
Fedora FEDORA-2008-1307 2008-02-05
rPath rPSA-2008-0059-1 2008-02-12
Fedora FEDORA-2008-1616 2008-02-13
Red Hat RHSA-2008:0110-01 2008-02-21
Mandriva MDVSA-2008:058 2007-03-05
Ubuntu USN-584-1 2008-03-05
Debian DSA-1541-1 2008-04-08
SuSE SUSE-SR:2008:010 2008-04-25

Comments (none posted)

openldap: denial of service

Package(s):openldap CVE #(s):CVE-2008-0658
Created:February 13, 2008 Updated:April 25, 2008
Description:

From the rPath advisory:

Previous versions of the openldap package are vulnerable to a Denial of Service attack in which authenticated users can crash the slapd server.

Alerts:
rPath rPSA-2008-0059-1 2008-02-12
Fedora FEDORA-2008-1616 2008-02-13
Fedora FEDORA-2008-1568 2008-02-13
Red Hat RHSA-2008:0110-01 2008-02-21
Mandriva MDVSA-2008:058 2007-03-05
Ubuntu USN-584-1 2008-03-05
Gentoo 200803-28 2008-03-19
Debian DSA-1541-1 2008-04-08
SuSE SUSE-SR:2008:010 2008-04-25

Comments (none posted)

phpbb2: multiple vulnerabilities

Package(s):phpbb2 CVE #(s):CVE-2006-4758 CVE-2006-6839 CVE-2006-6840 CVE-2006-6508 CVE-2006-6841 CVE-2008-0471
Created:February 11, 2008 Updated:February 13, 2008
Description:

From the Debian advisory:

CVE-2008-0471: Private messaging allowed cross site request forgery, making it possible to delete all private messages of a user by sending them to a crafted web page.

CVE-2006-6841 / CVE-2006-6508: Cross site request forgery enabled an attacker to perform various actions on behalf of a logged in user. (Applies to sarge only)

CVE-2006-6840: A negative start parameter could allow an attacker to create invalid output. (Applies to sarge only)

CVE-2006-6839: Redirection targets were not fully checked, leaving room for unauthorised external redirections via a phpBB forum. (Applies to sarge only)

CVE-2006-4758: An authenticated forum administrator may upload files of any type by using specially crafted filenames. (Applies to sarge only)

Alerts:
Debian DSA-1488-1 2008-02-09

Comments (none posted)

SDL_image: buffer overflows

Package(s):SDL_image CVE #(s):CVE-2007-6697 CVE-2008-0544
Created:February 8, 2008 Updated:March 27, 2008
Description: From the Mandriva advisory: The LWZReadByte() and IMG_LoadLBM_RW() functions in SDL_image contain a boundary error that could be triggered to cause a static buffer overflow and a heap-based buffer overflow. If a user using an application linked against the SDL_image library were to open a carefully crafted GIF or IFF ILBM file, the application could crash or possibly allow for the execution of arbitrary code.
Alerts:
Mandriva MDVSA-2008:040 2007-02-07
Debian DSA-1493-1 2008-02-10
rPath rPSA-2008-0061-1 2008-02-13
Debian DSA-1493-2 2008-03-16
Ubuntu USN-595-1 2008-03-26

Comments (none posted)

tk: buffer overflow

Package(s):tk CVE #(s):CVE-2008-0553
Created:February 8, 2008 Updated:April 4, 2008
Description: From the Mandriva advisory: The ReadImage() function in Tk did not check CodeSize read from GIF images prior to initializing the append array, which could lead to a buffer overflow with unknown impact.
Alerts:
Mandriva MDVSA-2008:041 2007-02-07
Fedora FEDORA-2008-1323 2008-02-05
Fedora FEDORA-2008-1384 2008-02-05
Fedora FEDORA-2008-1131 2008-02-05
Fedora FEDORA-2008-1122 2008-02-05
Debian DSA-1490-1 2008-02-10
Debian DSA-1491-1 2008-02-10
rPath rPSA-2008-0054-1 2008-02-12
Red Hat RHSA-2008:0134-01 2008-02-21
Red Hat RHSA-2008:0135-01 2008-02-21
Red Hat RHSA-2008:0136-01 2008-02-21
Red Hat RHSA-2008:0135-02 2008-02-22
SuSE SUSE-SR:2008:008 2008-04-04

Comments (none posted)

tomcat: multiple vulnerabilities

Package(s):tomcat5 CVE #(s):CVE-2007-5342 CVE-2007-5333 CVE-2007-6286 CVE-2007-1355 CVE-2007-1358 CVE-2008-0002
Created:February 13, 2008 Updated:April 28, 2008
Description: Refer to the CVE entries for more information.
Alerts:
Fedora FEDORA-2008-1467 2008-02-13
Fedora FEDORA-2008-1603 2008-02-13
Red Hat RHSA-2008:0042-01 2008-03-11
Gentoo 200804-10 2008-04-10
Red Hat RHSA-2008:0195-01 2008-04-28

Comments (none posted)

wml: multiple file overwrite vulnerabilities

Package(s):wml CVE #(s):CVE-2008-0665 CVE-2008-0666
Created:February 11, 2008 Updated:April 28, 2008
Description:

From the Debian advisory:

Frank Lichtenheld and Nico Golde discovered that WML, an off-line HTML generation toolkit, creates insecure temporary files in the eperl and ipp backends and in the wmg.cgi script, which could lead to local denial of service by overwriting files.

Alerts:
Debian DSA-1492-1 2008-02-10
Gentoo 200803-23 2008-03-15
Mandriva MDVSA-2008:076 2007-03-26
Debian DSA-1492-2 2008-04-27

Comments (none posted)

wordpress: remote editing via unknown vectors

Package(s):wordpress CVE #(s):CVE-2008-0664
Created:February 13, 2008 Updated:February 13, 2008
Description:

From the CVE:

The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors.

Alerts:
Fedora FEDORA-2008-1512 2008-02-13
Fedora FEDORA-2008-1559 2008-02-13

Comments (none posted)

Updated vulnerabilities

cairo: integer overflow

Package(s):Cairo CVE #(s):CVE-2007-5503
Created:November 29, 2007 Updated:April 10, 2008
Description: Cairo has an integer overflow vulnerability in the PNG image processing code. If a user processes a specially crafted PNG image with an application that is linked against cairo, arbitrary code can be executed with the user's privileges.
Alerts:
Red Hat RHSA-2007:1078-02 2007-11-29
Slackware SSA:2007-337-01 2007-12-04
Ubuntu USN-550-1 2007-12-03
Gentoo 200712-04 2007-12-09
Ubuntu USN-550-2 2007-12-10
Ubuntu USN-550-3 2007-12-13
rPath rPSA-2008-0015-1 2008-01-15
Fedora FEDORA-2007-3818 2008-01-16
Mandriva MDVSA-2008:019 2007-01-21
SuSE SUSE-SR:2008:003 2008-02-07
Debian DSA-1542-1 2008-04-09

Comments (none posted)

MySQL: privilege escalation

Package(s):MySQL CVE #(s):CVE-2007-3781 CVE-2007-5969
Created:December 11, 2007 Updated:April 7, 2008
Description: MySQL Community Server before 5.0.51, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. (CVE-2007-5969)

MySQL Community Server before 5.0.45 does not require privileges such as SELECT for the source table in a CREATE TABLE LIKE statement, which allows remote authenticated users to obtain sensitive information such as the table structure. (CVE-2007-3781)

Alerts:
Mandriva MDKSA-2007:243 2007-12-10
Red Hat RHSA-2007:1155-01 2007-12-18
Fedora FEDORA-2007-4471 2007-12-15
Fedora FEDORA-2007-4465 2007-12-15
Red Hat RHSA-2007:1157-01 2007-12-19
Ubuntu USN-559-1 2007-12-21
Debian DSA-1451-1 2008-01-06
rPath rPSA-2008-0018-1 2008-01-17
SuSE SUSE-SR:2008:003 2008-02-07
Gentoo 200804-04 2008-04-06

Comments (none posted)

Sun JDK/JRE: multiple vulnerabilities

Package(s):Sun JDK/JRE CVE #(s):CVE-2007-2435 CVE-2007-2788 CVE-2007-2789
Created:June 1, 2007 Updated:April 18, 2008
Description: An unspecified vulnerability involving an "incorrect use of system classes" was reported by the Fujitsu security team. Additionally, Chris Evans from the Google Security Team reported an integer overflow resulting in a buffer overflow in the ICC parser used with JPG or BMP files, and an incorrect open() call to /dev/tty when processing certain BMP files.
Alerts:
Gentoo 200705-23 2007-05-31
Gentoo 200706-08 2007-06-26