LWN.net Weekly Edition for August 19, 2004

Parallel forks

The free software world generally sees a fork in a development project as a bad thing. The ability to fork is a crucial freedom, but the exercise of that ability is seen much like initiating a divorce. Sometimes it is necessary, but it is rarely an event which brings joy.

Little attention, however, has been paid to the idea of a parallel fork, which we will define as a fork which continues to follow the changes in the original project. The Linux kernel has been the subject of large numbers of parallel forks over the years; distributor kernels, architecture-specific trees, and development trees have diverged widely from the mainline kernel and each other, but they also track the updates to the mainline. Projects which are patched by distributors (such as cdrecord) can also be seen as parallel forks. Yet another example might be Sylpheed-claws, which functions as a testing ground for bleeding-edge Sylpheed features. Parallel forks can be the best of both worlds: they retain a tie to the original project, but also are responsive to whatever forces created the fork in the first place.

A parallel fork worthy of some attention is ooo-build, a version of OpenOffice.org maintained by the folks at Ximian. Version 1.3.0 of ooo-build was announced on August 18. This fork was motivated by several issues, which are explained in depth at the project web site. What it comes down to, however, is that the OpenOffice.org process is slow, bureaucratic, and difficult for outsiders to contribute to. As the web site says, "this is no way to create excitement and provide fast problem fixes." So ooo-build was set up as a place where would-be contributors can get their changes in quickly and, with luck, see those changes used and possibly propagated back into OpenOffice.org.

What does the 1.3.0 release offer?

There is a detailed list, which includes a number of bug fixes, GTK+ and KDE file selector support, Lotus 123 importing, improved icons, and much more. Oh, and the obnoxious business where OOo calls your file "modified" every time you print it has been fixed.

The ooo-build parallel fork is a good thing: it brings the notoriously unapproachable OpenOffice.org development process closer to what the rest of the community expects to deal with. It can be a useful staging ground which gets new features to users quickly, and enables stability testing which can help smooth the eventual merging of those features into OpenOffice.org. It is not the sort of acrimonious separation which normally comes to mind when the word "fork" is mentioned; it is, instead, more of an impedance matching mechanism. ooo-build should result in a better OpenOffice.org experience for everybody involved.

Comments (8 posted)

Alternatives to cdrecord

After last week's discussion of cdrecord, and concerns that recent releases of cdrecord may not be free software, we decided to take a look and see what alternatives exist for Linux users. The answer, unfortunately, is "not many." While there are quite a few front-ends for recording CDs under Linux, there are very few actual CD and DVD-burning applications available to Linux users. Applications like K3b, MP3Roaster, BashBurn and others all use cdrecord to burn CDs.

In all, we were only able to find three suitable candidates for users looking to find a replacement for cdrecord. Projects that were obviously abandoned or with no new releases in more than one year were not considered.

Cdrdao

For users with no interest in recording DVDs, Cdrdao is available under the GPL and is a good alternative to cdrecord. This utility will perform disk-at-once recording for audio and data CD-R/CD-RWs. The primary focus of the Cdrdao project seems to be audio or mixed-mode CDs. In fact, documentation on burning ISO images with cdrdao seems to be non-existent.

However, it is possible to burn ISOs with cdrdao with a little extra effort. Burning CDs with cdrdao requires a description file (either a native toc-file or a cue file from a Windows burning utility) in addition to the actual data to be burned to CD. In the case of ISO images, users must create the toc-file by hand to provide cdrdao with the necessary information to burn a disk from an ISO. The cdrdao utility is also used to make an image of a disk, and to create a toc-file to burn the image back to disk.

Aside from the extra bit of effort required to create a toc-file, cdrdao works well and is probably preferable to cdrecord for users who primarily burn audio CDs. One note of caution, users should specify an appropriate writing speed for their device. This writer neglected to specify a writing speed the first time out of the gate, and cdrdao elected to shoot for a rather optimistic 40x writing speed -- which produced a coaster rather than a bootable KNOPPIX disk on the Sony DRU-530A DVD+RW/-RW, CD-RW drive. Theoretically, this drive is rated for 40x burns with CD-R media, but much better success has been had with lower burn rates.

The supported drives page gives a list of drives that are known to work with cdrdao, though it is not exhaustive. Version 1.1.9 of cdrdao was released on June 7, 2004.

OSS DVD Extensions

Though not a standalone program, the OSS DVD extensions are worth mentioning. This project provides extensions to cdrecord for users who would like to be able to burn DVDs as well as CDs. There is little difference between using cdrecord and cdrecord with the OSS DVD extensions, with the exception that the OSS DVD extensions enable DVD burning from DVD-R(W) drives.

The OSS DVD website includes patches for several releases of cdrecord, as well as RPMs for several versions of Fedora Core, Mandrake, Red Hat, and SUSE Linux. The last patch for cdrtools was released in May. The OSS DVD Extensions should work with any drive supported by cdrecord.

DVD+RW-Tools

Another project for DVD-burning is the DVD+RW-Tools project. Despite the name, the DVD+RW-Tools project actually supports DVD+RW and DVD-RW drives.

This writer has been happily using DVD+RW-Tools since investing in a DVD burner back in February. The DVD+RW-Tools project includes a utility called growisofs, which is used to master images and burn them to disk. Growisofs can also be used "on the fly" to burn directly to DVD without the intermediate step of creating a image file. The project also includes a utility called dvd+rw-format to, not surprisingly, format DVD+RW media before use.

The DVD+RW-Tools are used only for burning DVDs. Users who want to burn CDs and DVDs must depend on cdrecord or cdrdao for CD burning. The project seems to be a fairly healthy one, with the latest release being a little more than a month old at the time of this writing. According to the DVD+RW-Tools website, any MMC-compliant drive should be supported.

Conclusions

While it's not unusual for people to complain that there are too many programs that handle a given task (e-mail clients, for example), the Linux community could do with a choice of CD and DVD recording programs. The existing programs are suitable enough, but users are left with a disappointing number of options when they need to utilize CD and DVD burners.

Comments (22 posted)

IBM's summary judgment motion

The core of the suit filed by the SCO Group against IBM is a set of breach-of-contract allegations. SCO is saying that IBM, through its contributions to Linux, has violated the Unix licensing contracts signed with ATT years ago. SCO's rather broader public claims have tended to overshadow the much more restricted nature of the actual case at hand, but that is what the real issue is. IBM has concluded that the time has come to put an end to those charges, however, and has filed for a partial summary judgment which would dispose of the contract case. The supporting memorandum is available as a 100-page PDF file. Your editor, who has not had a chance to rip into this sort of meaty legal document for a while, has been through the whole thing; the following is a summary of what IBM is saying.

IBM goes on at great length on why it believes the judgment should be entered. The core of the argument reads this way:

• There is very little of the original Unix code in either AIX or Dynix.

• Of that code which remains, IBM has contributed none of it to Linux.

• SCO's interpretation of the license, which would give SCO rights over any code which ever went near AIX or Dynix, is nonsensical. SCO has no rights over IBM's code which it developed itself.

• Even if the license agreement did, somehow, give SCO those rights, Novell has the right to waive licensing enforcements, and has done so in this case.

• SCO, by virtue of continuing to publish the contested code itself, has forfeited any rights it may have had to keep others from doing so.

• SCO's right to terminate IBM's AIX and Dynix license (the basis of two of SCO's charges) does not exist, and, if it did, it would be overridden by Novell's waiver.

As followers of the flotilla of SCO cases have been reminded many times by now: a motion for a summary judgment must show that there are no disputed facts at issue. For IBM to prevail here (and avoid a longer trial on these charges), it must show that all the facts are on the table and are not contested. The standards are high for this sort of motion; if you want to short out a real trial and dump a set of charges against you, you must have a truly convincing argument.

Direct copying of code

The first two points above (direct copying of code) are argued early on, in ¶7:

One of the best ways of establishing an "undisputed" fact, obviously, is to use the opposite side's statements against them. IBM does not stop there, however; the company brought in its own MIT scientist (and a high-profile one at that: Randall Davis) to compare IBM's Linux contributions against the SYSV code base. Mr. Davis concluded that, as one might expect, there is no SYSV code (or even similarities to SYSV code) in IBM's work, which is, thus, not a derived work of SYSV. The memorandum does not state whether Mr. Davis developed a deep semantic theory to that effect, however.

Finally, IBM repeatedly points out that SCO was never able to provide any examples of SYSV-derived code contributed to Linux, and that SCO is not arguing that such a contribution has occurred:

Thus, says IBM, the lack of any direct use of SYSV-derived code in violation of the license agreement is undisputed.

What the license says

SCO still seems to believe that it has a case, however. That case depends on a very broad reading of the Unix license contract signed between ATT and IBM almost 20 years ago. From ¶62:

SCO, in other words, claims to own anything which ever might have breathed the same air as SYSV Unix. This interpretation has been clear for some time, and IBM has gone to great lengths to get SCO to commit itself (in court) to that position. IBM now hopes to demonstrate that, beyond any possibility of dispute, the license contracts do not give SCO the rights it thinks it has.

The first step in that process was to hold depositions with all of the people involved in the writing and signing of those contracts. So they tracked down all of the IBM, Sequent, and (crucially) ATT people who were involved in the process and queried them about the intent of the license language. Everybody involved, on both sides of the table, agreed that the contract was never intended to give ATT (or any of its successors) power over code which it did not develop. There are many pages of quotes to this effect. Here is one example, from Michael DeFazio, who ran ATT's Unix product management, marketing, and licensing group, and who said:

Several of the ATT people involved are also quoted as stating, flat out, that SCO's claims are wrong.

IBM notes that, under New York law (which is the law governing its agreement with ATT), sworn statements from both parties to a contract are the most compelling evidence with regard to the intent of the contract. So, if there were any ambiguity in what the contract means (which, says IBM, there is not), the testimony from the relevant IBM, Sequent, and ATT people would be more than sufficient to straighten things out.

Not content with that, however, IBM argues this issue from several other points. It brings up the old issue of $ echo describing ATT's intent, and the "side letter" signed with IBM and various other licensees. ATT also redrafted the paragraph in question at some point; the people involved stated that the change was only to make the intent clearer, and did not actually change the license terms. IBM states that SCO's interpretation of the contract is simply absurd and unreasonable, and thus not enforceable. And finally, IBM cites federal copyright law and its provisions regarding rights over derivative works.

Waivers

IBM believes that it has shown that there is no possible interpretation of the ATT license contract which favors SCO's position. But, says IBM, even if that argument were to fall apart entirely, it doesn't matter: Novell has waived any alleged breaches by IBM. The agreement between Novell and the Santa Cruz Operation ("old SCO") is murky in several ways, but it seems clear that Novell retained the right to shut down enforcement of Unix license agreements at its will. Says IBM:

If that isn't enough, IBM also claims that SCO, itself, has waived any enforcement rights through its own distribution of Linux.

In support of this position, IBM has dug up old SCO press releases and such proclaiming features like journaling filesystems, SMP scalability, asynchronous I/O, etc. As many people have pointed out over the last year, SCO has dug itself into a deep hole with its own Linux distribution activities.

License termination

Two of SCO's charges against IBM have to do with SCO's "termination" of IBM's Unix licenses. This termination, says SCO, deprives IBM of the right to distribute AIX or Dynix. It also, incidentally, is said to deprive all users of those operating systems the right to keep running them - a risk of proprietary code that, one assumes, most users were not expecting to have to deal with.

IBM's motion deals with these actions almost as an afterthought. If IBM has truly not breached the Unix agreements, then SCO's "termination" is clearly beyond its powers. IBM states that SCO has no right to terminate the license in this way in any case, however; quoting Novell:

Even without this argument, however, Novell's waiver of enforcement rights should be adequate to counteract this "termination."

Conclusion

IBM's motion for a partial summary judgment is thoroughly and comprehensively argued; the company would appear to have covered all of the bases. If IBM's argument holds water with the judge, the core of SCO's case will have been demolished, and the collapse of the entire house of cards will not be far away. This motion is an ambitious attempt to put an end to this whole affair.

It is interesting to see which arguments do not appear in this memorandum. In particular, there is no reference to the whole issue of who really owns the Unix copyrights other than little digs like saying that SCO "purports" to have acquired them. The copyright ownership issue could, by itself, torpedo everything SCO is trying to accomplish. But the ownership of the copyrights is very much a disputed fact, and, as such, it is not a useful argument in support of a summary judgment.

If IBM succeeds with this motion, the SCO case is done. It would be far too soon to conclude that this will come to pass, however. The next step will be a response from SCO, followed by arguments in front of the judge. SCO will do its best to drag up facts which, it will claim, remain in dispute. We may see expert witnesses claiming that, testimony from the principals involved notwithstanding, the ATT license agreements have a broader meaning than IBM is claiming. SCO may try to claim that it hasn't been able to come up with the facts because IBM has been "stalling discovery." And so on. If SCO can create enough fog around IBM's arguments, it might just succeed in defeating this motion and forcing the whole thing to go to a full trial. In that case, we would have to wait until next year for the outcome.

Comments (22 posted)

Page editor: Jonathan Corbet

Security

The Mosquitos trojan

Many people interested in security issues fear the first big security breach which affects mobile wireless devices. A large, destructive cell phone worm would make for a bad day in many quarters. The "Mosquitos" trojan does not quite live up to those fears, but there are lessons to be learned from it anyway.

Mosquitos is a game for Symbian-based wireless handsets. According to early reports, a version of the game had been "cracked" and circulated through the usual channels. Users who picked it up and ran it found out, sooner or later, that it had a bad habit of sending text messages to expensive, premium phone numbers. That was almost certainly not the experience the users had in mind when they loaded the game.

While many outlets reported the existence of a Symbian trojan, rather fewer followed up with the truth of the matter became clear: the "trojan" functionality was an intentional feature added by the manufacturer of the game. It is, in essence, an attempt at a copy protection mechanism; if the game finds itself running outside of its intended geographical area, it sends a bunch of expensive messages in retaliation. This behavior is a feature, not a trojan.

Then again, that might depend on your definition of "trojan." It is an undocumented behavior hidden within a program; certainly nobody who bought this game intended to purchase a function which sends unwanted messages if it decides things are not right. Most users might be forgiven for feeling that they had, indeed, been trojaned after all.

It would be out of character for us to fail to point out that this sort of behavior is almost exclusively associated with closed-source, proprietary software. The author of a free software program is certainly capable of inserting trojan-like behavior; consider the mICQ incident from February, 2003. But it would be surprising indeed for any such code to last for long. Free software means that hostile code can be found and ripped out in a hurry. Now if we only had mobile phones built with free software...

Comments (9 posted)

Brief items

Crypto researchers abuzz over flaws (News.com)

News.com reports from Crypto 2004, where researchers are presenting findings on weaknesses in secure hash algorithms. "Biham's presentation was very preliminary, but it could call into question the long-term future of the wildly popular SHA-1 algorithm and spur researchers to identify alternatives. Currently considered the gold standard of its class of algorithms, SHA-1 is embedded in popular programs like PGP and SSL. It is certified by the National Institute of Standards and Technology and is the only signing algorithm approved for use in the U.S. government's Digital Signature Standard."

Comments (26 posted)

New vulnerabilities

acroread: UUDecode filename buffer overflow

Package(s):	acroread	CVE #(s):
Created:	August 16, 2004	Updated:	August 17, 2004
Description:	acroread contains two errors in the handling of UUEncoded filenames. First, it fails to check the length of a filename before copying it into a fixed size buffer and, secondly, it fails to check for the backtick shell metacharacter in the filename before executing a command with a shell. By enticing a user to open a PDF with a specially crafted filename, an attacker could execute arbitrary code or programs with the permissions of the user running acroread.
Alerts:	Gentoo 200408-14 2004-08-15

Comments (none posted)

Gaim: remote code execution vulnerability

Package(s):	gaim	CVE #(s):	CAN-2004-0500
Created:	August 12, 2004	Updated:	October 18, 2004
Description:	The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability in the MSN-protocol parsing functions.
Alerts:	Fedora-Legacy FLSA:1237 2004-10-16 Whitebox WBSA-2004:400-01 2004-09-20 Slackware SSA:2004-239-01 2004-08-26 Fedora FEDORA-2004-279 2004-08-26 Fedora FEDORA-2004-278 2004-08-26 Mandrake MDKSA-2004:081 2004-08-12 SuSE SUSE-SA:2004:025 2004-08-12 Gentoo 200408-12 2004-08-12

Comments (none posted)

glibc: Information leak with LD_DEBUG

Package(s):	glibc	CVE #(s):	CAN-2004-1453
Created:	August 17, 2004	Updated:	May 26, 2005
Description:	Silvio Cesare discovered a potential information leak in glibc. It allows LD_DEBUG on SUID binaries where it should not be allowed. This has various security implications, which may be used to gain confidential information. An attacker can gain the list of symbols a SUID application uses and their locations and can then use a trojaned library taking precedence over those symbols to gain information or perform further exploitation.
Alerts:	Red Hat RHSA-2005:256-01 2005-05-18 Gentoo 200408-16 2004-08-16

Comments (1 posted)

gv: unsafe sscanf () buffer overflow vulnerability

Package(s):	gv	CVE #(s):	CAN-2002-0838
Created:	August 12, 2004	Updated:	August 19, 2004
Description:	gv (prior to version 3.5.8-r4) has a buffer overflow vulnerability involving the sscanf() function. An attacker can execute arbitrary code with the permission of the user running gv.
Alerts:	Gentoo 200408-10 2004-08-12

Comments (1 posted)

kdebase: multiple vulnerabilities

Package(s):	kdebase	CVE #(s):	CAN-2004-0689 CAN-2004-0690 CAN-2004-0721 CAN-2004-0746
Created:	August 12, 2004	Updated:	October 4, 2004
Description:	Three separate vulnerabilities have been identified in the KDE 3.2 "kdebase" package; see this advisory for details. These problems include two temporary file vulnerabilities and a "frame injection" problem in konqueror which could help with phishing attacks. In a fourth vulnerability, described here, Konqueror allows websites to set cookies for certain country specific secondary top level domains.
Alerts:	Red Hat RHSA-2004:412-01 2004-10-04 Conectiva CLA-2004:864 2004-09-13 Fedora FEDORA-2004-293 2004-09-08 Fedora FEDORA-2004-292 2004-09-08 Fedora FEDORA-2004-291 2004-09-08 Fedora FEDORA-2004-290 2004-09-08 Slackware SSA:2004-247-01 2004-09-03 Mandrake MDKSA-2004:086 2004-08-20 Debian DSA-539-1 2004-08-17 Gentoo 200408-13 2004-08-12

Comments (none posted)

MySQL: temporary file vulnerability

Package(s):	mysql	CVE #(s):	CAN-2004-0457
Created:	August 18, 2004	Updated:	September 1, 2004
Description:	The MySQL "mysqlhotcopy" script contains a temporary file vulnerability which could be used by an attacker to overwrite files.
Alerts:	Gentoo 200409-02 2004-09-01 Debian DSA-540-1 2004-08-18

Comments (none posted)

nessus: adduser race condition vulnerability

Package(s):	nessus	CVE #(s):
Created:	August 12, 2004	Updated:	August 17, 2004
Description:	The nessus security scanner has a temporary file vulnerability that allows a user to perform a privilege escalation attack by way of an adduser race condition.
Alerts:	Gentoo 200408-11 2004-08-12

Comments (none posted)

rsync: path-sanitizing bug

Package(s):	rsync	CVE #(s):	CAN-2004-0792
Created:	August 16, 2004	Updated:	November 1, 2004
Description:	This August 2004 rsync advisory reports that there is a path-sanitizing bug that affects daemon mode in all recent rsync versions (including 2.6.2) but only if chroot is disabled. It does NOT affect the normal send/receive filenames that specify what files should be transferred (this is because these names happen to get sanitized twice, and thus the second call removes any lingering leading slash(es) that the first call left behind). It does affect certain option paths that cause auxilliary files to be read or written.
Alerts:	Conectiva CLA-2004:881 2004-11-01 Slackware SSA:2004-285-01 2004-10-12 Whitebox WBSA-2004:436-01 2004-09-20 Red Hat RHSA-2004:436-01 2004-09-01 Fedora FEDORA-2004-269 2004-08-19 Fedora FEDORA-2004-268 2004-08-19 Gentoo 200408-17 2004-08-17 Mandrake MDKSA-2004:083 2004-08-17 Netwosix NW-2004-0017 2004-08-17 Trustix TSLSA-2004-0042 2004-08-17 tinysofa TSSA-2004-020-ES 2004-08-16 Debian DSA-538-1 2004-08-17 SuSE SUSE-SA:2004:026 2004-08-16 OpenPKG OpenPKG-SA-2004.037 2004-08-15

Comments (none posted)

ruby: insecure file permissions

Package(s):	ruby	CVE #(s):	CAN-2004-0755
Created:	August 16, 2004	Updated:	October 14, 2004
Description:	Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore, but not in Debian woody) implementations store session information insecurely. They simply create files, ignoring permission issues. This can lead an attacker who has also shell access to the webserver to take over a session.
Alerts:	Fedora FEDORA-2004-264 2004-10-15 Red Hat RHSA-2004:441-01 2004-09-30 Gentoo 200409-08 2004-09-03 Debian DSA-537-1 2004-08-16

Comments (none posted)

xine-lib: VCD MRL buffer overflow

Package(s):	xine-lib	CVE #(s):
Created:	August 17, 2004	Updated:	August 18, 2004
Description:	xine-lib contains a bug where it is possible to overflow the vcd:// input source identifier management buffer through carefully crafted playlists. An attacker may construct a carefully-crafted playlist file which will cause xine-lib to execute arbitrary code with the permissions of the user. In order to conform with the generic naming standards of most Unix-like systems, playlists can have extensions other than .asx (the standard xine playlist format), and made to look like another file (MP3, AVI, or MPEG for example). If an attacker crafts a playlist with a valid header, they can insert a VCD playlist line that can cause a buffer overflow and possible shellcode execution.
Alerts:	Gentoo 200408-18 2004-08-17

Comments (1 posted)

Updated vulnerabilities

Apache mod_proxy: denial of service

Package(s):	apache	CVE #(s):	CAN-2004-0492
Created:	June 11, 2004	Updated:	October 14, 2004
Description:	A buffer overflow vulnerability in the apache mod_proxy module can be exploited to create a denial of service.
Alerts:	Fedora-Legacy FLSA:1737 2004-10-13 Mandrake MDKSA-2004:065 2004-06-29 Debian DSA-525-1 2004-06-24 Gentoo 200406-16 2004-06-21 OpenPKG OpenPKG-SA-2004.029 2004-06-11

Comments (none posted)

apache2: stack-based buffer overflow in ssl_util.c

Package(s):	apache2	CVE #(s):	CAN-2004-0488
Created:	June 1, 2004	Updated:	October 14, 2004
Description:	A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c in Apache. When mod_ssl is configured to trust the issuing CA, a remote attacker may be able to execute arbitrary code via a client certificate with a long subject DN.
Alerts:	Fedora-Legacy FLSA:1888 2004-10-13 Debian DSA-532-2 2004-07-27 Debian DSA-532-1 2004-07-22 Red Hat RHSA-2004:245-01 2004-06-14 Gentoo 200406-05 2004-06-09 Slackware SSA:2004-154-01 2004-06-02 OpenPKG OpenPKG-SA-2004.026 2004-05-27 Trustix TSLSA-2004-0031 2004-06-02 Mandrake MDKSA-2004:054 2004-06-01 Mandrake MDKSA-2004:055 2004-06-01

Comments (none posted)

aspell: bounds checking problem

Package(s):	aspell	CVE #(s):	CAN-2004-0548
Created:	June 17, 2004	Updated:	December 20, 2004
Description:	Aspell's word-list-compress utility fails to properly check bounds when dealing with words that are more than 256 bytes long. This can lead to arbitrary code execution by an attacker.
Alerts:	Mandrake MDKSA-2004:153 2004-12-20 OpenPKG OpenPKG-SA-2004.042 2004-09-15 Gentoo 200406-14 2004-06-17

Comments (none posted)

Cfengine: RSA Authentication Heap Corruption

Package(s):	Cfengine	CVE #(s):
Created:	August 10, 2004	Updated:	August 11, 2004
Description:	Two vulnerabilities have been found in cfservd. One is a buffer overflow in the AuthenticationDialogue function and the other is a failure to check the proper return value of the ReceiveTransaction function. An attacker could use the buffer overflow to execute arbitrary code with the permissions of the user running cfservd, which is usually the root user. However, before such an attack could be mounted, the IP-based ACL would have to be bypassed. With the second vulnerability, an attacker could cause a denial of service attack.
Alerts:	Gentoo 200408-08 2004-08-10

Comments (none posted)

cvstrac: arbitrary code execution

Package(s):	cvstrac	CVE #(s):
Created:	August 6, 2004	Updated:	August 11, 2004
Description:	Richard Ngo reported on BugTraq that a vulnerability has been discovered in the CVS repository web browsing tool CVSTrac. If properly exploited an attacker can execute arbitrary code on the CVSTrac host with the privileges of the associated web server.
Alerts:	OpenPKG OpenPKG-SA-2004.036 2004-08-06

Comments (none posted)

Ethereal: Multiple security problems

Package(s):	ethereal	CVE #(s):	CAN-2004-0633 CAN-2004-0634 CAN-2004-0635
Created:	July 9, 2004	Updated:	August 19, 2004
Description:	There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.5, including: * In some cases the iSNS dissector could cause Ethereal to abort. * If there was no policy name for a handle for SMB SID snooping it could cause a crash. * A malformed or missing community string could cause the SNMP dissector to crash. See this advisory for more information.
Alerts:	Whitebox WBSA-2004:378-01 2004-08-19 Red Hat RHSA-2004:378-01 2004-08-05 Netwosix NW-2004-0016 2004-07-23 Fedora FEDORA-2004-234 2004-07-22 Debian DSA-528-1 2004-07-17 Fedora FEDORA-2004-220 2004-07-14 Fedora FEDORA-2004-219 2004-07-14 Mandrake MDKSA-2004:067 2004-07-09 Gentoo 200407-08 2004-07-09

Comments (none posted)

Filename disclosure vulnerability in fam

Package(s):	fam	CVE #(s):	CAN-2002-0875
Created:	August 19, 2002	Updated:	January 5, 2005
Description:	"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
Alerts:	Red Hat RHSA-2005:005-01 2005-01-05 Debian DSA-154-1 2002-08-15

Comments (none posted)

flim: insecure file creation

Package(s):	flim	CVE #(s):	CAN-2004-0422
Created:	May 5, 2004	Updated:	December 16, 2004
Description:	The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files.
Alerts:	Fedora FEDORA-2004-546 2004-12-15 Red Hat RHSA-2004:344-01 2004-08-18 Debian DSA-500-1 2004-05-01

Comments (none posted)

gnome-vfs: backend script vulnerabilities

Package(s):	gnome-vfs	CVE #(s):	CAN-2004-0494
Created:	August 4, 2004	Updated:	February 21, 2005
Description:	Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Alerts:	Fedora-Legacy FLSA:1944 2005-02-20 Whitebox WBSA-2004:373-01 2004-08-19 Red Hat RHSA-2004:373-01 2004-08-04

Comments (none posted)

gtkhtml: malformed messages cause crash

Package(s):	gtkhtml	CVE #(s):	CAN-2003-0133 CAN-2003-0541
Created:	April 14, 2003	Updated:	April 18, 2005
Description:	GtkHTML is the HTML rendering widget used by the Evolution mail reader. GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.
Alerts:	Debian DSA-710-1 2005-04-18 Mandrake MDKSA-2003:093 2003-09-18 Conectiva CLA-2003:737 2003-09-12 Red Hat RHSA-2003:264-01 2003-09-09 Mandrake MDKSA-2003:046 2003-04-15 Red Hat RHSA-2003:126-01 2003-04-14

Comments (none posted)

iproute: local denial of service

Package(s):	iproute net-tools	CVE #(s):	CAN-2003-0856
Created:	November 25, 2003	Updated:	December 14, 2004
Description:	The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible.
Alerts:	Mandrake MDKSA-2004:148 2004-12-13 Fedora FEDORA-2004-154 2004-06-03 Fedora FEDORA-2004-115 2004-05-11 Debian DSA-492-1 2004-04-18 Gentoo 200404-10 2004-04-09 Red Hat RHSA-2003:316-01 2003-11-24

Comments (none posted)

racoon: failure to verify signatures

Package(s):	ipsec-tools racoon	CVE #(s):	CAN-2004-0155
Created:	April 7, 2004	Updated:	August 19, 2004
Description:	Versions of ipsec-tools prior to 0.2.5 contain a vulnerability wherein the racoon utility fails to verify digital signatures on some packets. This hole can lead to unauthorized connections or man-in-the-middle attacks. See this advisory for details.
Alerts:	Whitebox WBSA-2004:308-01 2004-08-19 Mandrake MDKSA-2004:027 2004-04-08 Gentoo 200404-05 2004-04-07

Comments (none posted)

kdelibs: cookie disclosure

Package(s):	kdelibs	CVE #(s):	CAN-2003-0592
Created:	March 10, 2004	Updated:	August 24, 2004
Description:	kdelibs (and, thus, Konqueror) has a vulnerability where a hostile server can force the disclosure of cookies that should not be presented to it. KDE versions 3.1.3 and later contain a fix.
Alerts:	Gentoo 200408-23 2004-08-24 Red Hat RHSA-2004:074-01 2004-03-10 Red Hat RHSA-2004:075-01 2004-03-10 Mandrake MDKSA-2004:022 2004-03-10 Debian DSA-459-1 2004-03-10

Comments (none posted)

kernel allows unauthorized changes to the group ID

Package(s):	kernel	CVE #(s):	CAN-2004-0497
Created:	July 2, 2004	Updated:	September 27, 2004
Description:	During an audit of the Linux kernel, SUSE discovered a flaw that allowed a user to make unauthorized changes to the group ID of files in certain circumstances - such as when the files are exported via NFS.
Alerts:	Conectiva CLA-2004:869 2004-09-27 Gentoo 200407-16 2004-07-22 Whitebox WBSA-2004:360-01 2004-07-07 Mandrake MDKSA-2004:066 2004-07-06 SuSE SUSE-SA:2004:020 2004-07-02 Fedora FEDORA-2004-206 2004-07-02 Fedora FEDORA-2004-205 2004-07-02 Red Hat RHSA-2004:354-01 2004-07-02 Red Hat RHSA-2004:360-01 2004-07-02

Comments (none posted)

kernel information leak

Package(s):	kernel	CVE #(s):	CAN-2004-0415
Created:	August 3, 2004	Updated:	October 26, 2004
Description:	Paul Starzetz discovered flaws in the Linux kernel when handling file offset pointers. These consist of invalid conversions of 64 to 32-bit file offset pointers and possible race conditions. A local unprivileged user could make use of these flaws to access large portions of kernel memory. Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7. A fix for this problem was added to the fifth 2.4.27 release candidate.
Alerts:	Conectiva CLA-2004:879 2004-10-26 Fedora-Legacy FLSA:1804 2004-10-18 Mandrake MDKSA-2004:087 2004-08-26 Gentoo 200408-24 2004-08-25 Whitebox WBSA-2004:413-01 2004-08-19 Red Hat RHSA-2004:327-01 2004-08-18 Fedora FEDORA-2004-251 2004-08-10 Trustix TSLSA-2004-0041 2004-08-09 SuSE SUSE-SA:2004:024 2004-08-09 Red Hat RHSA-2004:413-01 2004-08-03 Red Hat RHSA-2004:418-01 2004-08-03 Fedora FEDORA-2004-247 2004-08-03

Comments (none posted)

kernel-utils: setuid vulnerability

Package(s):	kernel-utils	CVE #(s):	CAN-2003-0019
Created:	February 7, 2003	Updated:	January 21, 2005
Description:	The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net
Alerts:	Red Hat RHSA-2003:056-08 2003-02-07

Comments (none posted)

libpng: multiple vulnerabilities

Package(s):	libpng	CVE #(s):	CAN-2002-1363 CAN-2004-0597 CAN-2004-0598 CAN-2004-0599
Created:	August 4, 2004	Updated:	February 10, 2005
Description:	There is yet another set of holes in libpng, versions 1.2.5 and prior, which can be exploited by a malicious image file; see this advisory from Chris Evans or this CERT advisory for details.
Alerts:	Fedora-Legacy FLSA:1943 2005-02-08 Red Hat RHSA-2004:421-01 2004-08-04 Gentoo 200408-22 2004-08-23 Whitebox WBSA-2004:402-01 2004-08-19 Mandrake MDKSA-2004:082 2004-08-12 Slackware SSA:2004-223-01 2004-08-09 Slackware SSA:2004-223-02 2004-08-07 Slackware SSA:2004-222-01b 2004-08-10 Slackware SSA:2004-222-01 2004-08-07 Conectiva CLA-2004:856 2004-08-06 Trustix TSLSA-2004-0040 2004-08-05 Gentoo 200408-03 2004-08-05 Debian DSA-536-1 2004-08-04 Mandrake MDKSA-2004:079 2004-08-04 SuSE SUSE-SA:2004:023 2004-08-04 Red Hat RHSA-2004:402-01 2004-08-04 OpenPKG OpenPKG-SA-2004.035 2004-08-04

Comments (1 posted)

libxml2 - arbitrary code execution

Package(s):	libxml2	CVE #(s):	CAN-2004-0110
Created:	February 26, 2004	Updated:	August 19, 2009
Description:	Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6. When fetching a remote resource via FTP or HTTP, libxml2 uses special parsing routines. These routines can overflow a buffer if passed a very long URL. If an attacker is able to find an application using libxml2 that parses remote resources and allows them to influence the URL, then this flaw could be used to execute arbitrary code.
Alerts:	Fedora FEDORA-2009-8594 2009-08-15 Fedora FEDORA-2009-8582 2009-08-15 Fedora-Legacy FLSA:1324 2004-07-19 Conectiva CLA-2004:836 2004-03-31 Gentoo 200403-01 2004-03-06 Trustix TSLSA-2004-0010 2004-03-05 OpenPKG OpenPKG-SA-2004.003 2004-03-05 Netwosix NW-2004-0004 2004-03-04 Debian DSA-455-1 2004-03-03 Mandrake MDKSA-2004:018 2004-03-03 Red Hat RHSA-2004:091-02 2004-03-03 Whitebox WBSA-2004:090-01 2004-03-01 Red Hat RHSA-2004:090-01 2004-02-26 Fedora FEDORA-2004-087 2004-02-25 Red Hat RHSA-2004:091-01 2004-02-26

Comments (none posted)

logcheck: symlink vulnerability

Package(s):	logcheck	CVE #(s):	CAN-2004-0404
Created:	April 21, 2004	Updated:	December 22, 2004
Description:	The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files.
Alerts:	Mandrake MDKSA-2004:155 2004-12-22 Debian DSA-488-1 2004-04-16

Comments (none posted)

mikmod: buffer overflow

Package(s):	mikmod	CVE #(s):	CAN-2003-0427
Created:	June 16, 2003	Updated:	June 16, 2005
Description:	Ingo Saitz discovered a bug in mikmod whereby a long filename inside an archive file can overflow a buffer when the archive is being read by mikmod.
Alerts:	Fedora FEDORA-2005-405 2005-06-16 Red Hat RHSA-2005:506-01 2005-06-13 Fedora FEDORA-2005-404 2005-06-09 Gentoo 200307-01 2003-07-02 Debian DSA-320-1 2003-06-13

Comments (none posted)

mod_python: denial of service vulnerability

Package(s):	mod_python	CVE #(s):	CAN-2003-0973
Created:	January 27, 2004	Updated:	October 4, 2004
Description:	Apache's mod_python module could crash the httpd process if a specific, malformed query string was sent. The Apache Foundation has reported that mod_python may be prone to Denial of Service attacks when handling a malformed query. Mod_python 2.7.9 was released to fix the vulnerability, however, because the vulnerability has not been fully fixed, version 2.7.10 has been released. Users of mod_python 3.0.4 are not affected by this vulnerability.
Alerts:	Fedora-Legacy FLSA:1325 2004-10-03 Conectiva CLA-2004:837 2004-04-12 Whitebox WBSA-2004:058-01 2004-03-01 Debian DSA-452-1 2004-02-29 Red Hat RHSA-2004:058-01 2004-02-26 Red Hat RHSA-2004:063-01 2004-02-26 Gentoo 200401-03 2004-01-27

Comments (none posted)

MoinMoin Group ACL Bypass

Package(s):	moinmoin	CVE #(s):
Created:	July 12, 2004	Updated:	August 26, 2004
Description:	MoinMoin contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an attacker creates a user with the same name as an administrative group. This flaw may lead to a loss of integrity. See this osvdb entry for additional information.
Alerts:	Gentoo 200407-09 2004-07-11

Comments (none posted)

mozilla: multiple vulnerabilties

Package(s):	mozilla	CVE #(s):	CAN-2003-0594 CAN-2003-0564
Created:	March 10, 2004	Updated:	August 19, 2004
Description:	Mozilla 1.4 contains a few vulnerabilities, including disclosure of cookies to the wrong server, a scripting vulnerability which can allow an attacker to run arbitrary code, and an S/MIME vulnerability which can lead to remote denial of service or code execution attacks.
Alerts:	Whitebox WBSA-2004:421-01 2004-08-19 Whitebox WBSA-2004:110-01 2004-03-29 Red Hat RHSA-2004:112-01 2004-03-17 Mandrake MDKSA-2004:021 2004-03-10

Comments (none posted)

mpg321: format string vulnerability

Package(s):	mpg321	CVE #(s):	CAN-2003-0969
Created:	January 6, 2004	Updated:	March 28, 2005
Description:	A vulnerability was discovered in mpg321, a command-line mp3 player, whereby user-supplied strings were passed to printf(3) unsafely. This vulnerability could be exploited by a remote attacker to overwrite memory, and possibly execute arbitrary code. In order for this vulnerability to be exploited, mpg321 would need to play a malicious mp3 file (including via HTTP streaming).
Alerts:	Gentoo 200503-34 2005-03-28 Debian DSA-411-1 2004-01-05

Comments (none posted)

MySQL: temporary file vulnerabilities

Package(s):	mysql	CVE #(s):	CAN-2004-0381 CAN-2004-0388
Created:	April 14, 2004	Updated:	August 18, 2004
Description:	The mysqlbug and mysqld_multi scripts contain temporary file vulnerabilities which could be used by a local attacker to overwrite files on the system.
Alerts:	Gentoo 200405-20 2004-05-25 Mandrake MDKSA-2004:034 2004-04-19 OpenPKG OpenPKG-SA-2004.014 2004-04-14 Debian DSA-483-1 2004-04-14

Comments (none posted)

neon: buffer overflow

Package(s):	neon	CVE #(s):	CAN-2004-0398
Created:	May 19, 2004	Updated:	September 30, 2004
Description:	The neon library (through version 0.24.5) contains a buffer overflow in its date parsing code, allowing arbitrary code execution when connecting to a hostile server. See this advisory for details. This vulnerability also affects related applications (such as cadaver).
Alerts:	Fedora-Legacy FLSA:1552 2004-09-29 Mandrake MDKSA-2004:078 2004-07-29 Gentoo 200406-03 2004-06-05 Gentoo 200405-25b 2004-06-02 Gentoo 200405-25 2004-05-30 Conectiva CLA-2004:841 2004-05-25 Gentoo 200405-15 2004-05-20 Gentoo 200405-13 2004-05-20 OpenPKG OpenPKG-SA-2004.024 2004-05-19 Mandrake MDKSA-2004:049 2004-05-19 Fedora FEDORA-2004-130 2004-05-19 Fedora FEDORA-2004-129 2004-05-19 Red Hat RHSA-2004:191-01 2004-05-19 Debian DSA-507-1 2004-05-19 Debian DSA-506-1 2004-05-19

Comments (none posted)

Nessus NASL scripting engine security issues

Package(s):	nessus	CVE #(s):
Created:	May 27, 2003	Updated:	August 12, 2004
Description:	Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information.
Alerts:	Gentoo 200305-10 2003-05-27

Comments (none posted)

netpbm: insecure temporary files

Package(s):	netpbm	CVE #(s):	CAN-2003-0924
Created:	January 19, 2004	Updated:	December 29, 2004
Description:	netpbm is graphics conversion toolkit made up of a large number of single-purpose programs. Many of these programs were found to create temporary files in an insecure manner, which could allow a local attacker to overwrite files with the privileges of the user invoking a vulnerable netpbm tool.
Alerts:	Conectiva CLA-2004:909 2004-12-29 Gentoo 200410-02 2004-10-04 Mandrake MDKSA-2004:011-1 2004-09-27 Whitebox WBSA-2004:031-01 2004-02-12 Mandrake MDKSA-2004:011 2004-02-11 Red Hat RHSA-2004:030-01 2004-02-05 Fedora FEDORA-2004-068 2004-02-06 Red Hat RHSA-2004:031-01 2004-01-22 Debian DSA-426-1 2004-01-18

Comments (1 posted)

openssh: timing attack leads to information disclosure

Package(s):	openssh	CVE #(s):	CAN-2003-0190
Created:	May 2, 2003	Updated:	November 30, 2004
Description:	From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation."
Alerts:	Ubuntu USN-34-1 2004-11-30 OpenPKG OpenPKG-SA-2003.035 2003-08-06 Red Hat RHSA-2003:222-01 2003-07-29 Gentoo 200305-02 2003-05-13 Gentoo 200305-01 2002-03-05

Comments (1 posted)

OpenSSL: denial of service vulnerabilities

Package(s):	OpenSSL	CVE #(s):	CAN-2004-0081 CAN-2003-0851
Created:	March 17, 2004	Updated:	November 2, 2005
Description:	Versions 0.9.7a-c of the OpenSSL library suffer from two denial of service vulnerabilities; see the version 0.9.7d release announcement for details.
Alerts:	Red Hat RHSA-2005:830-00 2005-11-02 Red Hat RHSA-2005:829-00 2005-11-02 Fedora FEDORA-2005-1042 2005-10-31 Fedora-Legacy FLSA:1395 2004-05-08 Conectiva CLA-2004:834 2004-03-31 Whitebox WBSA-2004:084-01 2004-03-23 Red Hat RHSA-2004:084-01 2004-03-23 Fedora FEDORA-2004-095 2004-03-19 Whitebox WBSA-2004:120-01 2004-03-22 Trustix TSLSA-2004-0012 2004-03-17 Slackware SSA:2004-077-01 2004-03-17 Red Hat RHSA-2004:121-01 2004-03-17 OpenPKG OpenPKG-SA-2004.007 2004-03-18 Gentoo 200403-03 2004-03-17 Debian DSA-465-1 2004-03-17 Netwosix NW-2004-0005 2004-03-17 Mandrake MDKSA-2004:023 2004-03-17 SuSE SuSE-SA:2004:007 2004-03-17 Red Hat RHSA-2004:120-01 2004-03-17 Red Hat RHSA-2004:119-01 2004-03-17 EnGarde ESA-20040317-003 2004-03-17

Comments (1 posted)

opera: remote filesystem read access vulnerability

Package(s):	opera	CVE #(s):
Created:	August 5, 2004	Updated:	August 11, 2004
Description:	The Opera browser has a vulnerability that may allow a remote attacker to read a local filesystem.
Alerts:	Gentoo 200408-05 2004-08-05

Comments (none posted)

pavuk: buffer overflow

Package(s):	pavuk	CVE #(s):	CAN-2004-0456
Created:	June 30, 2004	Updated:	November 11, 2004
Description:	Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server.
Alerts:	Gentoo 200411-19 2004-11-10 Debian DSA-527-1 2004-07-03 Gentoo 200406-22 2004-06-30

Comments (none posted)

php: remotely exploitable memory errors

Package(s):	php	CVE #(s):	CAN-2004-0594
Created:	July 14, 2004	Updated:	February 7, 2005
Description:	Stefan Esser has issued an advisory regarding a remotely exploitable hole in PHP (through version 4.3.7). If the memory_limit feature is in use (as it should be, to prevent denial of service attacks), allocation failures can be forced at highly inopportune times, and those failures can be exploited to execute arbitrary code. The exploit is described as "quite easy," and it can be done regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the problem; yesterday's PHP 5.0 release also contains the fix (but the final release candidate did not).
Alerts:	Debian DSA-669-1 2005-02-07 Whitebox WBSA-2004:392-01 2004-08-19 Fedora FEDORA-2004-223 2004-07-23 Fedora FEDORA-2004-222 2004-07-23 OpenPKG OpenPKG-SA-2004.034 2004-07-22 Slackware SSA:2004-202-01 2004-07-20 Debian DSA-531-1 2004-07-20 Red Hat RHSA-2004:392-01 2004-07-19 Red Hat RHSA-2004:395-01 2004-07-19 Conectiva CLA-2004:847 2004-07-16 SuSE SUSE-SA:2004:021 2004-07-16 Mandrake MDKSA-2004:068 2004-07-14 Gentoo 200407-13 2004-07-15 tinysofa TSSA-2004-013 2004-07-14

Comments (none posted)

PuTTY: pre-authentication arbitrary code execution problem

Package(s):	putty	CVE #(s):
Created:	August 5, 2004	Updated:	October 28, 2004
Description:	PuTTY, a telnet and SSH client, contains a vulnerability that can allow an SSH server to execute arbitrary code on a connecting client.
Alerts:	Gentoo 200410-29 2004-10-27 Gentoo 200408-04 2004-08-05

Comments (none posted)

python: buffer overflow

Package(s):	python	CVE #(s):	CAN-2004-0150
Created:	March 10, 2004	Updated:	October 11, 2004
Description:	Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address.
Alerts:	Debian DSA-458-3 2004-10-10 Gentoo 200409-03 2004-09-02 Debian DSA-458-2 2004-08-31 Mandrake MDKSA-2004:019 2004-03-09 Debian DSA-458-1 2004-03-09

Comments (none posted)

samba: potential buffer overruns

Package(s):	samba	CVE #(s):	CAN-2004-0600 CAN-2004-0686
Created:	July 22, 2004	Updated:	September 2, 2004
Description:	According to this Samba advisory, Evgeny Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug in the Samba Web Administration Tool (SWAT) on decoding Base64 data during HTTP Basic Authentication. Samba versions between 3.0.2 through 3.0.4 are affected. (CAN-2004-0600) Another buffer overflow bug has been located in the Samba code used to support the "mangling method = hash" functionality. The default setting for this parameter is "mangling method = hash2" and therefore Samba is not vulnerable by default. Samba versions between 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. (CAN-2004-0686)
Alerts:	Fedora FEDORA-2004-285 2004-09-02 Fedora FEDORA-2004-284 2004-09-02 Whitebox WBSA-2004:259-01 2004-08-19 Conectiva CLA-2004:854 2004-07-30 Gentoo 200407-21 2004-07-29 Trustix TSLSA-2004-0039 2004-01-05 Red Hat RHSA-2004:404-01 2004-07-26 Slackware SSA:2004-207-01 2004-07-25 tinysofa TSSA-2004-014 2004-07-23 SuSE SUSE-SA:2004:022 2004-07-23 Netwosix NW-2004-0015 2004-07-23 Mandrake MDKSA-2004:071 2004-07-22 Conectiva CLA-2004:851 2004-07-22 Red Hat RHSA-2004:259-01 2004-07-22 OpenPKG OpenPKG-SA-2004.033 2004-07-22

Comments (1 posted)

shorewall: temporary file exploit

Package(s):	shorewall	CVE #(s):
Created:	August 10, 2004	Updated:	August 11, 2004
Description:	Javier Fernández-Sanguino Peña has discovered an exploitable vulnerability in the way that Shorewall handles temporary files and directories. The vulnerability can allow a non-root user to cause arbitrary files on the system to be overwritten. LEAF Bering and Bering uClibc users are generally not at risk due to the fact that LEAF boxes do not typically allow logins by non-root users. The complete advisory is here.
Alerts:	Mandrake MDKSA-2004:080 2004-08-09

Comments (none posted)

sox: buffer overflow

Package(s):	sox	CVE #(s):	CAN-2004-0557
Created:	July 28, 2004	Updated:	February 21, 2005
Description:	Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
Alerts:	Fedora-Legacy FLSA:1945 2005-02-20 Debian DSA-565-1 2004-10-13 Whitebox WBSA-2004:409-01 2004-08-19 Slackware SSA:2004-223-03 2004-08-07 Conectiva CLA-2004:855 2004-07-30 Gentoo 200407-23 2004-07-30 Mandrake MDKSA-2004:076 2004-07-28 Red Hat RHSA-2004:409-01 2004-07-29 Fedora FEDORA-2004-244 2004-07-28 Fedora FEDORA-2004-235 2004-07-28

Comments (none posted)

SpamAssassin: Denial of Service vulnerability

Package(s):	spamassassin	CVE #(s):	CAN-2004-0796
Created:	August 9, 2004	Updated:	August 11, 2005
Description:	SpamAssassin contains an unspecified Denial of Service vulnerability. By sending a specially crafted message an attacker could cause a Denial of Service attack against the SpamAssassin service.
Alerts:	Fedora-Legacy FLSA:129284 2005-08-10 Fedora-Legacy FLSA:2268 2005-03-24 Red Hat RHSA-2004:451-01 2004-09-30 Conectiva CLA-2004:867 2004-09-22 OpenPKG OpenPKG-SA-2004.041 2004-09-15 Mandrake MDKSA-2004:084 2004-08-18 Gentoo 200408-06 2004-08-09

Comments (none posted)

squid: buffer overflow

Package(s):	squid	CVE #(s):	CAN-2004-0541
Created:	June 9, 2004	Updated:	September 30, 2004
Description:	The NTLM authentication helper used by the squid proxy contains a buffer overflow vulnerability; an overly-long password may be used to run arbitrary code. Sites not using NTLM authentication are not vulnerable.
Alerts:	Red Hat RHSA-2004:462-01 2004-09-30 Mandrake MDKSA-2004:093 2004-09-15 Gentoo 200409-04 2004-09-02 Gentoo 200406-13 2004-06-17 Whitebox WBSA-2004:242-01 2004-06-10 Trustix TSLSA-2004-0033 2004-06-10 Mandrake MDKSA-2004:059 2004-06-09 SuSE SuSE-SA:2004:016 2004-06-09 Red Hat RHSA-2004:242-01 2004-06-09 Fedora FEDORA-2004-164 2004-06-09 Fedora FEDORA-2004-163 2004-06-09

Comments (none posted)

SquirrelMail cross site scripting vulnerabilities

Package(s):	squirrelmail	CVE #(s):	CAN-2004-0519 CAN-2004-0520 CAN-2004-0521
Created:	May 21, 2004	Updated:	October 4, 2004
Description:	Several unspecified cross-site scripting (XSS) vulnerabilities and a well hidden SQL injection vulnerability were found in SquirrelMail versions 1.4.2 and lower. An XSS attack allows an attacker to insert malicious code into a web-based application. SquirrelMail does not check for code when parsing variables received via the URL query string.
Alerts:	Fedora-Legacy FLSA:1733 2004-10-02 Conectiva CLA-2004:858 2004-08-12 Whitebox WBSA-2004:240-01 2004-06-21 Gentoo 200406-08 2004-06-15 Red Hat RHSA-2004:240-01 2004-06-14 Fedora FEDORA-2004-160 2004-06-09 Fedora FEDORA-2004-159 2004-06-09 Gentoo 200405-16:02 2004-05-25 Gentoo 200405-16 2004-05-21

Comments (none posted)

Subversion: Remote heap overflow

Package(s):	subversion	CVE #(s):	CAN-2004-0413
Created:	June 11, 2004	Updated:	March 7, 2005
Description:	Subversion has a remote Denial of Service vulnerability that may allow a server that runs svnserve to execute arbitrary code. See this advisory for more information.
Alerts:	Fedora-Legacy FLSA:1748 2005-03-07 SuSE SuSE-SA:2004:018 2004-06-17 Fedora FEDORA-2004-166 2004-06-11 Fedora FEDORA-2004-165 2004-06-11 OpenPKG OpenPKG-SA-2004.028 2004-06-11 Gentoo 200406-07 2004-06-10

Comments (none posted)

sysstat: temporary file vulnerability

Package(s):	sysstat	CVE #(s):	CAN-2004-0107 CAN-2004-0108
Created:	March 10, 2004	Updated:	October 4, 2004
Description:	The sysstat utility has a temporary file vulnerability which can be exploited by a local attacker to overwrite system files.
Alerts:	Fedora-Legacy FLSA:1372 2004-10-03 Gentoo 200404-04 2004-04-06 Debian DSA-460-2 2004-04-03 Trustix TSLSA-2004-0011 2004-03-16 Whitebox WBSA-2004:053-01 2004-03-10 Red Hat RHSA-2004:053-01 2004-03-10 Red Hat RHSA-2004:093-01 2004-03-10 Debian DSA-460-1 2004-03-10

Comments (none posted)

File overwrite vulnerability in tar and unzip

Package(s):	tar unzip	CVE #(s):	CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399
Created:	October 1, 2002	Updated:	April 10, 2006
Description:	The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability.
Alerts:	Fedora-Legacy FLSA:183571-1 2006-04-04 Red Hat RHSA-2006:0195-01 2006-02-21 Conectiva CLA-2002:538 2002-10-29 Mandrake MDKSA-2002:066 2002-10-10 Mandrake MDKSA-2002:065 2002-10-10 EnGarde ESA-20021003-022 2002-10-03 Gentoo unzip-20021001 2002-10-01 Gentoo tar-20021001 2002-10-01 Red Hat RHSA-2002:096-24 2002-09-18

Comments (1 posted)

tcpdump: ISAKMP payload handling denial-of-service vulnerabilities

Package(s):	tcpdump	CVE #(s):	CAN-2004-0183 CAN-2004-0184
Created:	March 30, 2004	Updated:	September 30, 2004
Description:	TCPDUMP v3.8.1 and earlier versions contain multiple flaws in the packet display functions for the ISAKMP protocol. Upon receiving specially crafted ISAKMP packets, TCPDUMP will try to read beyond the end of the packet capture buffer and crash. More information is available in this Rapid7 advisory.
Alerts:	Fedora-Legacy FLSA:1468 2004-09-29 Whitebox WBSA-2004:219-01 2004-06-10 Red Hat RHSA-2004:219-01 2004-05-26 Fedora FEDORA-2004-120 2004-05-13 Slackware SSA:2004-108-01 2004-04-17 Mandrake MDKSA-2004:030 2004-04-14 OpenPKG OpenPKG-SA-2004.010 2004-04-07 Debian DSA-478-1 2004-04-06 Trustix TSLSA-2004-0015 2004-03-30

Comments (none posted)

Multiple vendor telnetd vulnerability

Package(s):	telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5	CVE #(s):
Created:	May 21, 2002	Updated:	October 5, 2004
Description:	This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well.
Alerts:	Gentoo 200410-03 2004-10-05 Yellow Dog YDU-20010810-2 2001-08-10 Yellow Dog YDU-20010810-1 2001-08-10 SuSE SuSE-SA:2001:029 2001-09-03 Slackware sl-997726350 2001-08-09 Red Hat RHSA-2001:100-02 2001-08-09 Red Hat RHSA-2001:099-09 2002-02-07 Red Hat RHSA-2001:099-06 2001-08-09 Progeny PROGENY-SA-2001-27 2001-08-14 Mandrake MDKSA-2001:093 2001-12-17 Mandrake MDKSA-2001:068 2001-08-13 HP HPSBTL0202-023 2002-02-12 Debian DSA-075-2 2001-08-14 Debian DSA-075-1 2001-08-14 Conectiva CLA-2001:413 2001-08-24 SCO Group CSSA-2001-030.0 2001-08-10

Comments (none posted)

wv: buffer overflow

Package(s):	wv	CVE #(s):	CAN-2004-0645
Created:	July 14, 2004	Updated:	February 10, 2005
Description:	wv, a viewer for MS Word files, contains a buffer overflow which may be exploited by a suitably-crafted file. Version 1.0.0-r1 fixes the problem.
Alerts:	Fedora-Legacy FLSA:1906 2005-02-08 Conectiva CLA-2004:902 2004-12-01 Debian DSA-579-1 2004-11-01 Debian DSA-550-1 2004-09-20 Conectiva CLA-2004:863 2004-09-10 Mandrake MDKSA-2004:077 2004-07-29 Fedora FEDORA-2004-225 2004-07-23 Fedora FEDORA-2004-224 2004-07-23 Gentoo 200407-11 2004-07-14

Comments (none posted)

XChat 2.0.x SOCKS5 Vulnerability

Package(s):	xchat	CVE #(s):	CAN-2004-0409
Created:	April 19, 2004	Updated:	November 15, 2005
Description:	XChat is vulnerable to a stack overflow that may allow a remote attacker to run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a remote exploit. Users would have to be using XChat through a SOCKS 5 server, enable SOCKS 5 traversal which is disabled by default and also connect to an attacker's custom proxy server. This vulnerability may allow an attacker to run arbitrary code within the context of the user ID of the XChat client.
Alerts:	Fedora-Legacy FLSA:123013 2005-11-14 Red Hat RHSA-2004:585-01 2004-10-27 Netwosix NW-2004-0014 2004-05-01 Red Hat RHSA-2004:177-01 2004-04-30 Mandrake MDKSA-2004:036 2004-04-21 Debian DSA-493-1 2004-04-21 Gentoo 200404-15 2004-04-19

Comments (none posted)

xine-ui - insecure temporary file creation

Package(s):	xine-ui	CVE #(s):	CAN-2004-0372
Created:	April 6, 2004	Updated:	April 27, 2006
Description:	Shaun Colley discovered a problem in xine-ui, the xine video player user interface. A script contained in the package to possibly remedy a problem or report a bug does not create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking xine.
Alerts:	Gentoo 200404-20 2004-04-27 Slackware SSA:2004-111-01 2004-04-20 Mandrake MDKSA-2004:033 2004-04-19 Debian DSA-477-1 2004-04-06

Comments (none posted)

Resources

August CRYPTO-GRAM Newsletter

The August issue of CRYPTO-GRAM is out; this months topics include another stupid aviation security story, alibi networks, GHB, and phishing attacks. "Computer security is an arms race, and money creates very motivated attackers. Unsolved, this type of security problem can change the way people interact with the Internet. It'll prove that the naysayers were right all along, that the Internet isn't safe for electronic commerce."

Full Story (comments: 5)

Metasploit Framework v2.2

Version 2.2 of the Metasploit Framework is out; click below for the details. This release contains a set of new exploits, PPC and Sparc exploit support, and much more.

Full Story (comments: none)

Two security articles

vnunet has interviewed Robert Clyde, CTO at Symantec. "With open source, if an individual cares about a code flaw they'll fix it fast; if it's an obscure piece of code it could languish for years untouched. Commercial companies will try and fix all problems within a fixed timescale. Most commercial vendors are really behind reporting problems honestly and trying to fix them. I don't know of a single vendor who will sit on a vulnerability - maybe five years ago but not now."

Compare that with this eWeek article on Oracle's security performance. "It's been a good seven or eight months since the vulnerabilities were discovered. Sure, eight months seems like it would be 'as quickly as possible.' For a roomful of monkeys arbitrarily hitting keys to come up with a security fix. On broken keyboards."

Comments (9 posted)

Page editor: Jonathan Corbet

Kernel development

Brief items

Kernel release status

The current 2.6 kernel is 2.6.8.1. Linus announced the availability of the 2.6.8 allegedly stable kernel on August 13. Unfortunately, it turned out to be a true "Friday the 13th" release with a fatal bug in the NFS code, so 2.6.8.1 was rushed out to fix it. This is the first time that the kernel has used a four-entry version number. Changes since -rc4 include the "Khazad" crypto algorithm, some added permissions checking on raw SCSI commands from user space (see below), and the removal of the fcntl() file operations method. For those just tuning in, changes from 2.6.7 include snapshot and mirror support in the device mapper, unbelievable numbers of "sparse" annotations, a bunch of read-copy-update performance improvements, 64-bit SuperH support, some security fixes, a reworked symbolic link lookup mechanism (which will eventually enable raising the maximum link depth), and lots of fixes. The long-format changelog has the details; the 2.6.8.1 changelog is also out there for the curious.

No patches have been added to Linus's BitKeeper repository since the 2.6.8.1 release.

The current prepatch from Andrew Morton is 2.6.8.1-mm1. Recent changes to -mm include kprobes ("Generally we prefer to not merge infrastructure into the kernel unless it has in-kernel users. kprobes is exceptional, in that its applications are all custom-written to solve a particular problem."), the removal of the single-array scheduler patch, a waitid() system call implementation, and lots of fixes.

The current 2.4 prepatch is 2.4.28-pre1, which was released by Marcelo on August 15. Additions include a big serial ATA update, the Khazad crypto algorithm, some networking updates, and a handful of fixes.

Comments (5 posted)

Kernel development news

The end of the fcntl() method

Some kernel interfaces last longer than others. The fcntl() method is one of the others. It was added to the file_operations structure in 2.6.6 with the purpose of giving low-level filesystems and device drivers an opportunity to look at the command being executed from an fcntl() system call and, possibly, do something different. The immediate motivation was allowing the NFS code to disallow the combination of the O_APPEND and O_DIRECT flags, since those two modes cannot work together in that filesystem. Since then, the CIFS filesystem also has made use of it to better handle the F_NOTIFY command by getting directory notifications from the remote server.

In 2.6.8, that operation is gone again. The thinking is that the file_operations structure did not really need another general-purpose, multiplexed operation like fcntl(). So the method was replaced with two new, carefully-focused methods. The first is:

    int (*check_flags)(int flags);

This operation, if present, will be called in response to an fcntl(F_SETFL,...) system call. It can look at the flags passed in from user space and ensure that they make sense for the device or filesystem in question.

The other new operation is:

    int (*dir_notify)(struct file *filp, unsigned long arg);

This is the new method used by CIFS to handle F_NOTIFY requests. All other fcntl() operations are handled in the core VFS code, as usual.

The patch as merged by Linus fixed the NFS and CIFS code to use the new methods. Unfortunately, nobody tested the NFS changes before the patch was merged, and this change went in just before the final 2.6.8 release came out. The result was an NFS implementation which crashed the kernel, and the need for a quick 2.6.8.1 release.

Comments (10 posted)

2.6.8 and CD recording

By far the loudest chorus of complaints about the 2.6.8.1 kernel comes from users who have found that they can no longer burn CDs. In most cases, the problem can be worked around by running the recording program from a root shell (setuid is not sufficient), but that is an unsatisfying alternative for many. Why, ask inquiring minds, did CD recording have to break with the new kernel?

It's all a matter of trying to get the permissions right. Burning a CD requires sending a number of special-purpose SCSI commands to the drive, so the operation is performed outside of the regular I/O paths. But once you can send arbitrary commands, you can do more than write CDs. In pushing for changes, Alan Cox put it this way:

Seeing this outcome as undesirable, Linus threw in a patch shortly before releasing 2.6.8. This patch creates an array of known SCSI commands, associating each with "safe for read" and "safe for write" flags. Those flags are tested when a process attempts to execute the given command. If the device has been opened for read access, the set of allowed commands is relatively small: read, request sense, play CD, etc. A process with write access can execute more commands, but not the whole set. Any command not explicitly flagged as safe for the given open mode is restricted to processes with the CAP_SYS_RAWIO capability - root, for all practical purposes.

This patch broke CD burning in multiple ways. Users of growisofs were burned (so to speak) because that utility opens the device for read access. That should never have worked, but did until now; fixing that problem will require a patch to the application. Beyond that, however, is the simple fact that numerous SCSI commands needed for CD burning were omitted from the "safe for write" list. These vary from locking the door to "send OPC," "blank", and many others. Enabling CD writing from an unprivileged process with write access to the drive will require adding several commands to the list.

Unfortunately, expanding the list in that manner can bring back the original problem. Many commands which are safe to execute in one context can destroy data, firmware, or hardware in other contexts. And it can be very hard for the kernel to tell the difference between the two. There has been talk of expanding the checking framework to better understand the target device's operating modes and, perhaps, giving high- or low-level drivers a say in the decision. Down that road lies complexity, however, and it would be hard to reach a point where the developers could declare victory and call the problem solved. It may well be that, despite other faults in his reasoning on CD recording, Jörg Schilling got it right when he suggested that the most secure mode of operation is to simply restrict device access and run the CD recording application in a setuid mode.

Comments (20 posted)

Power management: looking for a direction

Power management remains one of the unfinished jobs from the 2.5 development series. Many of the pieces are in place, including the whole device model infrastructure, but the kernel still lacks a comprehensive, working power management subsystem. There are signs that things are starting to happen, but it seems that the developers still lack a clear idea of how they want to go forward.

Back on August 9, Patrick Mochel posted a patch aimed at improving the power management subsystem. It brought significant changes to the device model, including:

• Two power management methods were added to the class subsystem. Until this point, classes had not been part of the power management code at all; they are, instead, a way of exporting device information in a functional organization. The rationale behind putting power management functions in classes was that the higher-level code would better understand how to "quiesce" a device in preparation for a power state change.

• Three new power management methods were be added to the device model representation of a bus (struct bus_type). These were pm_save() (save state prior to a state transition), pm_restore() (restore state afterward), and pm_power() (perform an actual state change). These methods would replace the current suspend() and resume() bus methods, and the equivalent methods associated with struct device_driver. The idea is to move all power management tasks firmly into the bus-level code, and to let that code pass things on to low-level drivers as appropriate.

• Each device would get two new arrays. One of these (pm_supports) lists all of the power management states supported by the device, in that particular device's (usually bus-specific) terms. The second array (pm_system) is a simple mapping from the power states understood system-wide into the equivalent device states. These states are described by the new pm_state structure, and sysfs interfaces exist to query the supported states and to transition between them.

The resulting discussion implied a lot of changes to this patch; among other things, the idea of using the class layer to quiesce devices was controversial. An updated version of the patch has not been posted, however.

Pavel Machek, meanwhile, has been trying to address a much smaller piece of the problem: confusion over what the power management states really mean. The power management code itself uses a set of states roughly related to those defined in the ACPI specification, but other parts of the system (PCI drivers, for example) have a different set of states. The current power management methods take a u32 state value, and it is far from clear what kind of state is intended.

Pavel's patch tries to address this problem by creating a new enum type called system_state. The bus- and driver-level power management methods are modified to accept a parameter of this type, so that it is clear that (1) the power management core's state values are being used, and (2) the parameter describes the state to which the entire system is changing. It clears up a core ambiguity without otherwise changing how things work.

Even this change is controversial, however. The largest concern is that, eventually, it is expected that the drivers will need more information than just the target system state. So, it is suggested, the type of the parameter should be a structure pointer rather than a simple scalar value. But nobody has really figured out what should go into the structure yet.

Getting it right the first time matters in this case. It is generally accepted that fixing power management will require a driver API change, and that, potentially, all drivers in the kernel (and out of tree as well) will have to be changed at once. Developers are resigned to this change - but they would really rather only do it once. So, says Patrick, it's better to wait:

What this means is that the discussion is likely to continue for a while - and that an upgraded power management system will not be ready until 2.6.10, at best. Linux users, who have waited a long time for better power management, can probably manage to be patient for a little while yet.

Comments (none posted)

Update from the latency front

Efforts to track down and eliminate sources of latency in the 2.6 kernel continue. It seems, however, that most of the low-hanging fruit has been found; with the current iteration of the voluntary preemption patch, the remaining problems are rare and relatively hard to track down. So Ingo Molnar built himself a new tool to help with those harder cases.

Ingo's problem with the previous preempt timing patch was that, while it showed where a lengthy latency took place, it yielded little information about what was happening during the high-latency event. So he adapted the profiling mechanism to bring a little light to the situation. With the latency tracing option turned on, a little tracing function gets called as part of every kernel function call. This trace code stores the time of the call into a large (4000 entries), per-CPU array. If the kernel avoids scheduling for too long, that array of function call information gets copied into a static array which is made available via /proc/latency.

Ingo included some example output with his patch:

  preemption latency trace v1.0
  -----------------------------
   latency: 121 us, entries: 1032 (1032)
   process: default.hotplug/1470, uid: 0
   nice: -10, policy: 0, rt_priority: 0
  =======>
   0.000ms (+0.000ms): page_address (kmap_high)
   0.000ms (+0.000ms): page_slot (page_address)
   0.000ms (+0.000ms): flush_all_zero_pkmaps (kmap_high)
   0.000ms (+0.000ms): set_page_address (flush_all_zero_pkmaps)
  [...]
   0.118ms (+0.000ms): page_slot (set_page_address)
   0.118ms (+0.000ms): check_preempt_timing (sub_preempt_count)

The output shows the function call, and, in parentheses, the caller of each function. In this case, the output identifies flush_all_zero_pkmaps() as the real villain.

Other changes to this patch include making hardware and software interrupts (which have been redirected into kernel threads) preemptible by default ("I reviewed a number of softirq users and it appears to be safe"), and, of course, the breaking up of more code which holds locks for too long.

Comments (none posted)

Patches and updates

Kernel trees

• Linus Torvalds: Linux v2.6.8. (August 14, 2004)

• Andrew Morton: 2.6.8.1-mm1. (August 17, 2004)

• Con Kolivas: 2.6.8.1-ck1. (August 16, 2004)

• maximilian attems: 2.6.8.1-kjt1. (August 16, 2004)

• Marcelo Tosatti: Linux 2.4.28-pre1. (August 16, 2004)

Core kernel code

• Peter Williams: V-4.1 Single Priority Array O(1) CPU Scheduler Evaluation. (August 12, 2004)

• Ingo Molnar: Latency Tracer, voluntary-preempt-2.6.8-rc4-O6. (August 13, 2004)

• Ingo Molnar: voluntary-preempt-2.6.8.1-P0. (August 16, 2004)

• Ingo Molnar: voluntary-preempt-2.6.8.1-P1. (August 16, 2004)

• maximilian attems: Add msleep_interruptible() function to kernel/timer.c. (August 16, 2004)

• Erik Jacobson: Process Aggregates for 2.6.8. (August 16, 2004)

• Limin Gu: JOB for 2.6.8. (August 18, 2004)

• Jay Lan: csa patch for 2.6.8. (August 18, 2004)

• Roland McGrath: waitid system call. (August 17, 2004)

• john stultz: New timeofday implementation proposal. (August 18, 2004)

• john stultz: New timeofday code. (August 18, 2004)

Development tools

• Hariprasad Nellitheertha: Kexec based crash dumping. (August 17, 2004)

• Hariprasad Nellitheertha: Documentation. (August 17, 2004)

• Hariprasad Nellitheertha: Memory preserving reboot using kexec. (August 17, 2004)

• Hariprasad Nellitheertha: Interface for copying the dump pages. (August 17, 2004)

• Hariprasad Nellitheertha: Register snapshotting before kexec-boot. (August 17, 2004)

• Hariprasad Nellitheertha: ELF format interface for the dump. (August 17, 2004)

• Hariprasad Nellitheertha: Device abstraction for linear/raw view of the dump. (August 17, 2004)

Device drivers

• Hollis Blanchard: Host Virtual Serial Interface (HVSI) driver. (August 13, 2004)

• Hollis Blanchard: HVSI driver. (August 18, 2004)

• Peter Osterlund: Speed up the cdrw packet writing driver. (August 16, 2004)

• James Bottomley: dma_declare_coherent_memory. (August 16, 2004)

• Jaroslav Kysela: ALSA 1.0.6. (August 16, 2004)

• James.Smart@Emulex.Com: Emulex lpfcdriver v8.0.9 available. (August 18, 2004)

• Jeff Garzik: libata queue updated. (August 18, 2004)

• Pavel Machek: enums to clear suspend-state confusion. (August 18, 2004)

Documentation

• Jeff Garzik: Linux SATA RAID FAQ. (August 12, 2004)

Filesystems and block I/O

• James Morris: Move transaction file ops into libfs + cleanup (update). (August 16, 2004)

• Herbert Poetzl: Bind Mount Extensions 0.05. (August 18, 2004)

• Matthew Wilcox: Remove fcntl f_op. (August 18, 2004)

Janitorial

• Rusty Russell: Remove MODULE_PARM from main part of kernel. (August 18, 2004)

Memory management

• Jesse Barnes: allocate page caches pages in round robin fasion. (August 13, 2004)

• Christoph Lameter: page fault fastpath: Increasing SMP scalability by introducing pte locks?. (August 16, 2004)

• Yasunori Goto: Fw: [Lhms-devel] Making hotremovable attribute with memory section[0/4]. (August 17, 2004)

• Christoph Lameter: page fault fastpath patch v2: fix race conditions, stats for 8,32 and 512 cpu SMP. (August 17, 2004)

Networking

• David S. Miller: Move inetdev/ifa over to RCU. (August 18, 2004)

Architecture-specific

• Danny van Dyk: Microcode Update Driver for AMD K8 CPUs. (August 16, 2004)

• Jens Maurer: Use x86 SSE instructions for clear_page, copy_page. (August 17, 2004)

Security-related

• David Howells: keys & keyring management update patch. (August 18, 2004)

• David Howells: keys & keyring management: keyfs patch. (August 18, 2004)

Miscellaneous

• Jeff Garzik: new tool: blktool. (August 16, 2004)

• Jeff Garzik: ethtool version 2 released. (August 17, 2004)

• Stephen Hemminger: new iproute2. (August 18, 2004)

• christophe varoqui: multipath-tools-0.2.8. (August 18, 2004)

• Heinz Mauelshagen: *** Announcement: dmraid 1.0.0-rc3 ***. (August 18, 2004)

Page editor: Jonathan Corbet

Distributions

News and Editorials

What is UserLinux?

Bruce Perens posted an early draft of the UserLinux Manifesto late last year. Since then UserLinux has generated considerable press coverage, much of it laced with a profound misunderstanding of what this not yet released distribution is all about. (The first beta release is due out September 1.) So, let's take a look at what UserLinux is, and what it isn't. See also Brock Frazier's definition of UserLinux from his post to the UserLinux mailing list.

UserLinux is not a fork of Debian, it's a Custom Debian Distribution aimed at the business market. UserLinux is currently a subset of Debian Sarge. All packages are taken from main, none from non-free, and where Debian provides a choice of about 9000 packages, UserLinux streamlines that down to one web browser, one mail transfer agent, one desktop, and so on, without a bewildering array of choices. There are currently three different flavors of UserLinux; the enterprise server, the enterprise desktop, and the SOHO (Small Office/Home Office) edition. Each one defines a subset of Debian Sarge packages that will create a simple system tailored to the desired task.

Most experienced Linux users are used to having a wide array of competing packages to chose from, but for most businesses such choice is often confusing and it adds to maintenance costs and security risks. UserLinux chooses packages based on stability, usability, licensing, compatibility and adherence to open standards, to create a distribution that is simple, stable and easy to maintain.

Since UserLinux is Debian Sarge, any sysadmin with some knowledge of Debian will be able to add additional packages or modify the package list, if desired. A business with a skilled Debian sysadmin in-house will be able to download and use UserLinux without any support contracts or licensing fees. Many businesses will not have a knowledgeable sysadmin in-house, and will instead contract with a UserLinux vendor for installation and support. If the customer is knowledgeable enough to have a preference for some package not included the default UserLinux install, they are free to negotiate a modified package list with their vendor. Most customers should find the default UserLinux install to be adequate for their needs.

Will it sell? Only time will tell for sure. Vnunet says: the big companies aren't getting in line to offer support for UserLinux. True enough, for now. What big customer wants to request a pre-beta OS? Bruce Perens wasn't fazed by the article, and for good reason.

The first stable UserLinux release will follow closely on the heels of Debian's Sarge release. After that, who knows.

Comments (1 posted)

Distribution News

Debian GNU/Linux

The Debian Weekly News for August 17, 2004 is out. This week's topics include an offer of 24x7 support for Debian GNU/Linux with HP Extensions from Hewlett-Packard, where to find online changelog files, plus several Sarge release topics including a Sarge security checkup, open season on RC bugs leads to 0-day NMUs, best practice QA uploads, synchronizing Skolelinux with Sarge, and more.

John Goerzen provides a brief SPI update, which includes the news that Bdale Garbee and Branden Robinson were elected to a 3-year term on the SPI Board and the following officers have been selected by the board: President, John Goerzen; Vice President, Benjamin Mako Hill; Treasurer, Jimmy Kaplowitz; and Secretary, David Graham.

Steve Langasek reports on the status of the libtiff transition. "Now that the gcc blockage has been addressed, it's possible to get a clearer look at what's needed to complete the libtiff transition for sarge. The answer is: quite a lot, really. What follows is a summary of the packages we know to be involved in this transition."

Another release task is sorting out sid updates that need to be in Sarge. All package maintainers should ensure that any bugs that have been fixed in sid are also fixed in Sarge.

Debian Sarge Bug-Squashing Week runs August 16 - 22. Help squash those release-critical bugs if you can.

Comments (none posted)

Fedora

Issue #15 of the Fedora News Updates is out. This edition covers the announced end-of-life for Fedora Core 1, many new updates in the Docs project, and plenty of talk about porting Fedora to other platforms - Intel IXP2400, SGI's Altix (ia64), and even Alpha. There is also some developer talk about updating current releases, as well as developing test suites for Fedora, and more.

Fedora Core updates:

• desktop-file-utils: fixes the issue described in Bugzilla #90724 (FC1)
• ghostscript: provides shared libraries. Ghostscript was then remade because the hpijs packages had the wrong release number (FC1)
• system-config-date has been rebuilt for FC2.

Comments (none posted)

Mandrakelinux Community Newsletter -- Issue # 94

The Mandrakelinux Community Newsletter for August 16, 2004 is out. This edition covers the release of Mandrakelinux 10.1 Beta1 and other topics.

Full Story (comments: none)

New Distributions

clive - Conectiva Live

Conectiva has announced (click below) the first beta release of Conectiva Linux Live CD, based on CL 10. It comes in two flavors, KDE and GNOME.

Full Story (comments: none)

Minor distribution updates

distccKNOPPIX

distccKNOPPIX has released v0.1.0 with major feature enhancements. "Changes: distccKNOPPIX now contains gcc versions 2.95, 3.2, 3.3, and 3.4. There are now four different downloads depending on which gcc version you wish as default. (although all gcc versions are on each ISO) The distcc version has been updated to 2.16. You can now pass boot options to the kernel to specify which gcc you wish as your default. You can also change the gcc version at the command line with update-alternatives --config gcc. You can also run from hard drive or RAM using the "toram" or "tohd" boot options. Smarter detection of the node's IP address was added as well."

Comments (none posted)

GeeXboX

GeeXboX has released v0.98 with major feature enhancements. "Changes: This release switches MPlayer to 1.0pre5, has better WiFi support and drivers for RT2400 and ACX100 chipsets, adds control through joysticks, support for SPDIF output, software decoding of DTS audio streams, a chapter selector for DVDs and Matroska files, fixes the TV-Out problem with nVidia cards, and adds support for external USB SmartMedia and CompactFlash card readers."

Comments (none posted)

MoviX

MoviX has released eMoviX 0.9.0rc1 with minor feature enhancements. "Changes: Most 0.9.0pre1 bugs have been fixed. Many remotes have been imported from MoviX, and all text handling (subtitles and filenames) is now based on utf8. TrueType fonts are now used in the MPlayer menu, and translations in several languages have been imported from MoviX."

MoviX2 v0.3.1rc2 is also available. "Changes: This release includes the ability to adjust the size of the GUI fonts, NIC selection when more than one NIC is detected, improved PCMCIA support, and a few minor bugfixes."

Comments (none posted)

Distribution reviews

Install Slackware Linux 10.0 (LinuxIT)

LinuxIT.br has step-by-step instructions (in Portuguese) for installing Slackware 10.0. (Thanks to William da Rocha)

Comments (none posted)

Page editor: Rebecca Sobol

Development

The MediaWiki Collaborative Editing Software

MediaWiki is a web wiki package that is being developed by the Wikimedia Foundation.

The code is based on PHP; it has been released under version 2 of the GNU General Public License. MediaWiki is derived from the older Wikipedia project, the project history gives the details. The future development plans for MediaWiki are spelled out in the project roadmap page.

Numerous web sites use MediaWiki including Wikipedia, an online encyclopedia, and Wikiquote, a quote archive. For some amusement, search for Linus Torvalds on Wikiquote.

MediaWiki has a rather lengthy Feature List, some of the highlights include:

• A web-based user interface.
• Optional MySQL database support.
• A multi-level permission system.
• Caching functionality.
• Article cross-linking capabilities.
• Support for article revisions.
• Multi-lingual support.
• Multimedia extensions.
• Support for RSS syndication.
• Search and query support.
• Support for user-edited and user-uploaded data.
• Support for LaTeX mathematical functions.
• Generation of printable articles.
• Talk pages for user messaging.
• Watch list support for tracking changes.

Two new versions of MediaWiki were released this week. version 1.3.0 came out with this note: "After an annoyingly long series of beta releases, say hello to MediaWiki 1.3.0! Everyone running the beta releases is _strongly_ recommended to upgrade to the current code." An important security fix was included in this release.

Version 1.3.1 was also announced with this note: "1.3.1 fixes some remaining issues from 1.3.0."

The Wikipedia site speaks volumes about the usefulness and maturity the software, visitors may even be inspired to contribute some content.

Comments (none posted)

System Applications

Audio Projects

ALSA 1.0.6 released

Version 1.0.6 of the Alsa sound driver has been released with a long list of changes. "The 1.0.6a driver package fixes the /proc problem with loading of the sequencer client modules."

Full Story (comments: 4)

Esound 0.2.35 is out

Version 0.2.35 of Esound is out with bug fixes, code cleanup, and more. "EsounD (the Enlightened Sound Daemon) is a server process that allows multiple applications to share a single sound card."

Full Story (comments: none)

Database Software

JPOX 1.0.2 released (SourceForge)

Version 1.0.2 of JPOX, a Java Data Objects implementation, is available with bug fixes.

Comments (none posted)

libgda/libgnomedb 1.1.6 released

Version 1.1.6 of libgda/libgnomedb, a database development framework, is out. "This is another development release in the road to 1.2, which will be the next stable release, and which shows a preview of the new features getting into the 1.2 final release."

Full Story (comments: none)

Mergeant 0.52 released

Version 0.52 of Mergeant, a database user and administration tool based on GNOME-DB, is out. "This is a development release, the first one after the splitting of Mergeant into libmergeant and the GUI frontend, resulting in a much better architecture."

Full Story (comments: none)

PostgreSQL Weekly News

The August 16, 2004 edition of the PostgreSQL Weekly News is out. "While the initial response to PostgreSQL 8.0 beta has been very positive, that wasn't the biggest news of this past weeks development. What really shook things up was the discovery of a long standing bug in PostgreSQL's XLOG COMMIT code. Even though there have never been any known reports of this bug on any released version of PostgreSQL, the nature of the bug is one where, given the right amount of bad luck, it is possible to incur some data loss".

Full Story (comments: none)

The Slony team has released version 1.0.2

Version 1.0.2 of Slony, a replication engine for the PostgreSQL database, has been announced. "With this version, the Slony-I replication system allows you to use its advanced node switching features to make version upgrades to PostgreSQL 8.0 in minutes, regardless of database size. Version 1.0.2 also fixes minor bugs, and is a drop-in replacement for existing Slony-I 1.0.0 or 1.0.1 installations."

Comments (none posted)

Embedded Systems

BusyBox 1.0.0-rc3 released

Version 1.0.0-rc3 of BusyBox, a condensed collection of command line utilities for embedded systems, has been released. See the Change Log for details.

Comments (none posted)

Interoperability

Samba 2.2.11 Available for Download

Stable release 2.2.11 of Samba has been announced. "Please note that the Samba 2.2 code tree will reach its End-Of-Life on October 1, 2004. Administrators of existing Samba 2.2 installations are encouraged to upgrade to the latest Samba 3.0.x release prior to that date."

Full Story (comments: none)

Security

Metasploit Framework v2.2

Version 2.2 of the Metasploit Framework, an exploit development platform, is out. Those working in the field of computer security would be advised to take a look. "The 2.2 release includes three user interfaces, 30 exploits and 40 payloads. Additionally, this is the first public release to contain the new in-memory DLL-injection system and the VNC (remote desktop) payload."

Full Story (comments: 2)

Web Site Development

phpwsBB 0.9.7 released (SourceForge)

Version 0.9.7 of phpwsBB, a native bulletin board module for the phpWebSite CMS, has been released. This version fixes a critical build problem.

Comments (none posted)

Zope X3 3.0.0 beta 3 released

The third - and possibly final - Zope X3 beta has been released. Zope X3 is a completely rewritten product with no backward compatibility, but with the benefit of years of experience; more information can be found on ZopeX3 web page.

Full Story (comments: 4)

ZopeMag Weekly News

The July 29 - August 13 edition of the ZopeMag Weekly News is online with Zope information and a Weekly dose of useful Plone tips.

Comments (none posted)

Desktop Applications

Accessibility

gnopernicus 0.9.9 released

Version 0.9.9 of gnopernicus, the GNOME desktop screen reader for the visually impaired, is out. Changes include translation work, group context change notification, and more.

Full Story (comments: none)

Audio Applications

Audacity 1.2.2-pre1 released

Version 1.2.2-pre1 of Audacity, an audio file editor, has been released. "Audacity 1.2.2-pre1 is a public test version of Audacity. Help us test the new features and bug fixes that will appear in our next stable version of Audacity later this month, including VU meters and multi-file export!"

Comments (none posted)

Mammut V0.17 released

Version 0.17 of Mammut, an audio FFT tool, is out with improved Jack initialization and other changes.

Full Story (comments: none)

Desktop Environments

Metacity 2.8.3 released

Version 2.8.3 of the Metacity window manager for GNOME is out with a number of bug fixes and some translation updates.

Full Story (comments: none)

KDE-CVS-Digest (KDE.News)

The August 13, 2004 edition of the KDE CVS-Digest is online, here's the content summary: "Mostly bugfixes this week, including fixes for the 3.3 release. Digikam implements EXIF based rotation in image editor. Krita adds gradient support. KOffice can now save styles to OASIS. Security fixes in khtml."

Comments (none posted)

Waldo Bastian on Kiosk and the Linux desktop (KDE.News)

KDE.News interviews Waldo Bastian. "There are of course cost saving aspects but I think the most important reason for companies to go with KDE is that it puts the company back in control over their corporate desktops. With KDE your IT department gets new opportunities to help make your desktop workers more productive instead of spending all day fighting to prevent things from falling apart."

Comments (4 posted)

Electronics

New Open Collector releases

The Open Collector site features a number of new electronic tool releases this week. Here's what has been released: The ADMS 1.2.10 code generator, the MMTL 1.2.1 Multilayer Multiconductor Transmission Line 2-D and 2.5-D electromagnetic modeling tool suite, the Eclipse Verilog Editor version 0.2.0, the Alliance 5.0 VLSI CAD framework, and the FXTurns-n-Layers 1.1.4 graphical transformer and induction coil design aid. There is also an update from the Ronja Tetrapolis project, which involves a point-to-point visible light transmission link made with automotive LED tail light assemblies.

Comments (none posted)

Financial Applications

BIE 6.0.3 (STABLE) released

Stable version 6.0.3 of BIE, the Business Integration Engine, has been released. BIE is a Java-based data integration system for exchanging internal and external data.

Comments (none posted)

Games

gnome-games 2.7.7 is out

Version 2.7.7 of gnome-games, a collection of games for the GNOME desktop, is available. "A lot of the themes have been split into a separate package called gnome-games-extra-data. The core package now contains only a minimum amount of graphics, it is still functional, but your favourite themes may not be there."

Full Story (comments: none)

gnome-games-extra-data 2.7.0

The initial release of gnome-games-extra-data (verson 2.7.0) is out. "Most of the graphics you will find here were formerly in the gnome-games package. There are two additional tilesets for Mahjongg from Richard Hoelscher based on the old GNOME 1.4 graphics."

Full Story (comments: none)

Stella release 1.4.1 (SourceForge)

Version 1.4.1 of Stella, an Atari 2600 VCS emulator, has been released. It features numerous bug fixes.

Comments (none posted)

GUI Packages

GLib 2.4.6 released

Version 2.4.6 of GLib is out with bug fixes and updated translations.

Full Story (comments: none)

GTK+ 2.4.7 released

Version 2.4.7 of GTK+, a graphical user interface toolkit, is out. "This is an emergency bug fix release to fix two serious problems with GtkFileChooser in GTK+ 2.4.6."

Full Story (comments: none)

Gtk2-Perl 2.7.91 announced

Version 2.7.91 of Gtk2-Perl, the Perl bindings to GTK+, is out with documentation fixes and improvements.

Full Story (comments: none)

Interoperability

Wine 20040813 released

Version 20040813 of Wine has been announced. Changes include a new msiexec application, support for alpha blending, sound support improvements, code cleanups, and bug fixes.

Comments (none posted)

Multimedia

GStreamer 0.8.5 "Stuttgart" released

Version 0.8.5 of GStreamer, a streaming media framework, is available with lots of bug fixes and a few new features. "The 0.8.x series is a stable series aimed at end users. It is not API or ABI compatible with the stable 0.6.x series. It is, however, parallel installable with the 0.6.x series."

Full Story (comments: none)

News Readers

Liferea 0.5.3 Announced

Version 0.5.3 of Liferea, the Linux Feed Reader, is out with lots of changes and some bug fixes.

Full Story (comments: none)

Web Browsers

Epiphany 1.2.8 released

Stable version 1.2.8 of the Epiphany browser has been released. Changes include support for the latest Mozilla API, confirm before file overwriting, and lots of bug fixes.

Full Story (comments: none)

Epiphany 1.3.5 released

Development version 1.3.5 of the Epiphany browser is out. Changes include removal of the startup script, adaptation to the latest Mozilla API, bug fixes, translation work, and more.

Full Story (comments: none)

Epiphany Extensions 1.1.3

Version 1.1.3 of Epiphany Extensions, the collection of extensions for the Epiphany browser, is out. "Epiphany Extensions 1.1.3 is a development release for use with the 1.3.x development series of Epiphany."

Full Story (comments: none)

Netscape 7.2 Released (MozillaZine)

MozillaZine reports that America Online has released Netscape 7.2. "Based on Mozilla 1.7, this latest version features better popup blocking, vCard support, an improved junk mail algorithm, better standards support, performance enhancements and several hundred other bug fixes. It also includes patches for recent security vulnerabilities."

Comments (none posted)

Word Processors

AWN #EOF Released

Eric Zen, editor of the AbiWord Weekly News, has declared the end of the road for the publication. "In fact, I don't really think there should be an AWN. It's not that AbiWord doesn't develop at a newsworthy pace, but so many other projects do." RIP AWN.

Full Story (comments: none)

AbiWord v2.0.10 Released

Stable version 2.0.10 of AbiWord has been released. "This release is a bugfix release only."

Comments (none posted)

Miscellaneous

gLabels 2.0.1 released

Version 2.0.1 of gLabels, a label printing application, is available for download. This release features several bug fixes and has an updated Japanese translation.

Comments (none posted)

gnome-applets 2.7.2 released

Version 2.7.2 of GNOME Applets are out, changes are mostly in the gweather component. "GNOME Applets are the little programs you run in your panel. Just about everyone uses a GNOME Applet or two, the package includes applets like the battery applet, CPU load applet, weather applet and mixer applet."

Full Story (comments: none)

Gnome OSD 0.3.0 announced

Version 0.3.0 of Gnome OSD, an On Screen Display notification system for the Gnome desktop, is out. The change overview says: "New control center preferences dialog, allowing configuration of font and message position/alignment."

Full Story (comments: none)

HylaFAX 4.2.0 released

Version 4.2.0 of HylaFAX, a Fax modem package, has been announced. "This release includes nearly a year's worth of truly exceptional contributions from HylaFAX developers and users alike, and everyone should consider migrating to a HylaFAX-4.2.x release as soon as possible."

Comments (none posted)

OpenWFE 1.4.1 released (SourceForge)

Version 1.4.1 of OpenWFE has been announced. "OpenWFE is an open source java workflow engine. It is a complete Business Process Management suite, with 4 components : an engine, a worklist, a webclient and a reactor (host for automatic agents). It can also be used behind the scene. OpenWFE 1.4.1 is a bug fix release. One important concept was introduced for stores : the order in which they are instantiated in the worklist configuration file is now the order in which they are asked if they accept a workitem for a given participant name."

Comments (none posted)

Languages and Tools

C

The GCC Newsletter

The August 18, 2004 edition of the GCC Newsletter is online. Read about a tentative gcc 3.5 release schedule, performance benchmarking, C constant expressions proposals, and more.

Comments (none posted)

Caml

Caml Weekly News

The August 17, 2004 edition of the Caml Weekly News is out with this week's Caml language news.

Full Story (comments: none)

Java

SwingSet 0.8.0-beta Released

Version 0.8.0-beta of SwingSet has been announced. "We are pleased to announce the 0.8.0-beta release of SwingSet, an open source Java toolkit that allows the standard Java Swing components to be made database aware. For the latest, version all components have been made into Java Beans which will allow for better integration with Java IDEs."

Full Story (comments: none)

Creating Custom Desktop Components (O'ReillyNet)

O'Reilly is running an article on Swing widgets. "Swing includes a vast collection of GUI components, but sometimes you need something that's unique to your application. Andrei Cioroianu returns with an installment on how to code your own Swing widget."

Comments (none posted)

Extend JavaSound to play MP3, Ogg Vorbis, and more (O'ReillyNet)

O'Reilly is running an article on extending JavaSound. "The JavaSound API adds audio capabilities to the Java platform. It's been part of J2SE since version 1.3 and it supports the WAV, AU, and AIFF audio formats, and provides MIDI support. It doesn't support some other audio formats, such as MP3, but it provides a flexible plugin architecture allowing any third-party vendor to add custom audio format support through the JavaSound Service Provider Interfaces (SPIs). This article deals with this plugin architecture and API, how to write and use a custom SPI implementation, how metadata such as title, artist, and copyright are exposed, and how multiple SPI implementations could be integrated in an application such as player or a game."

Comments (none posted)

PHP

Two new releases of PHP

Two new releases of PHP have been announced.
Here is the announcement for version 5.0.1: "This is a maintenance release that in addition to many non-critical bug fixes also includes new UNIX and Windows installation docs which are now auto-generated from the PHP Manual."
And the version 4.3.9RC1 announcement says: "This is the first release candidate and should have a very low number of problems and/or bugs. Nevertheless, please download and test it as much as possible on real-life applications to uncover any remaining issues."
Lastly, the online PHP manual's Installation and Configuration section has been reworked.

Comments (none posted)

PHP Debugging Basics (O'ReillyNet)

David Sklar shows some techniques for debugging PHP on O'Reilly. "David Sklar, author of Learning PHP 5, provides some basic techniques for finding and fixing the problems in your programs. In particular, he covers how to set up error reporting as you like it, how to find parse errors, and how to inspect program data."

Comments (none posted)

Python

Dr. Dobb's Python-URL!

The August 18, 2004 edition of Dr. Dobb's Python-URL! is out with the latest Python language article links.

Full Story (comments: none)

Ruby

Ruby-GNOME2 0.10.1

Version 0.10.1 of Ruby-GNOME2, the Ruby language bindings to GNOME 2, is out. "This release fixes some serious bugs in Ruby-GNOME2-0.10.0 discovered just after the release".

Full Story (comments: none)

Exploring E4X with Ruby (O'ReillyNet)

Jack Herrington works with E4X and Ruby in an O'Reilly article. "XML processing with SAX can be tricky, and is painful in the DOM. The new E4X approach can make processing XML much easier. Jack Herrington explores E4X and demonstrates a simple port to the Ruby programming language."

Comments (none posted)

XML

Practical SAX Notes (O'Reilly)

Uche Ogbuji discusses SAX issues on O'Reilly. "In this article I discuss issues related to recent articles in this column, including some practical problems using XML facilities -- SAX in particular -- across Python versions and installed software configurations. I also revisit ElementTree's support for XML namespaces and discuss some other Python tools' support for breaking large documents into chunks."

Comments (none posted)

Editors

gedit 2.7.91 released

Version 2.7.91 of gedit, the GNOME text editor, is out with work on the translations and several bug fixes.

Full Story (comments: none)

Test Suites

Marathon 0.82 released (SourceForge)

Version 0.82 of Marathon has been announced. "This is a minor feature update and bug fix release. Marathon should work better on Linux now. Marathon runs gui based acceptance tests against swing applications. It is composed of a runner, and recorder, and an editor. Tests scripts are expressed as python code."

Comments (none posted)

Page editor: Forrest Cook

Linux in the news

Recommended Reading

Linus Torvalds' Benevolent Dictatorship (Business Week)

Business Week interviews Linus Torvalds. "I am a dictator, but it's the right kind of dictatorship. I can't really do anything that screws people over. The benevolence is built in. I can't be nasty. If my baser instincts took hold, they wouldn't trust me, and they wouldn't work with me anymore. I'm not so much a leader, I'm more of a shepherd."

Comments (9 posted)

John Perry Barlow 2.0 (Reason)

Reason interviews John Perry Barlow. "Trying to own intellectual products and creating an economy of scarcity around them as we do with physical objects is very harmful to the development of culture and the ability to speak freely, and a very important principle not talked about much, which is the right to know. I think we have a right to know. It shouldn't be something we have to purchase."

Comments (3 posted)

Why India is struggling with localized language computing (NewsForge)

NewsForge takes a look at localization efforts in India. "Developers can localize only programs which are internationalized, explains Dr. Nagarjuna G, Chairman FSF-India. Internationalized programs encode their messages and names of commands in a standard such as Unicode and follow a framework, so that the core program works completely independent of the natural language."

Comments (8 posted)

The SCO Problem

An Enderle Blow by Blow (Groklaw)

Groklaw features some comments about Rob Enderle's controversial keynote speech at the SCOForum conference. "So, bottom line: why all the attacks on Groklaw all of a sudden? And why no Enderle apology? He didn't even apologize for his foul language. I will give you my theory. I noticed that Darl McBride in his speech at SCOForum made some predictions, after he took a jab at Groklaw too. He said he commended "open blogs" and sites like Slashdot, where everyone is free to say whatever they wish. He falsely claimed that any time anything positive is left as a comment on Groklaw, I remove it. Actually, I have no recollection of ever seeing a positive comment about SCO here on Groklaw and I certainly haven't removed any as a result."

Comments (4 posted)

AutoZone Order - PDF and text (Groklaw)

For those interested in the details, the full text of the order from the AutoZone case is now available on Groklaw, along with extensive commentary from PJ. "The judge has clarified some things and added some items that were not mentioned at the hearing. It isn't open-ended discovery. It's a really fast track, but the judge has given SCO a little more time. All discovery must be done by 90 days from the date of the order."

Comments (none posted)

That SCO Case Drags On (IT-Director)

Robin Bloor catches up with SCO in this IT-Director article, with a side trip into software patents. "As for SCO, sadly Linux doesn't seem to infringe any SCO patents. So this third legal possibility for SCO seems doomed. Indeed it looks to me as though SCO is not going to have much of a Christmas. Perhaps Santa Claus has decided that SCO CEO, Darl McBride, simply has not been a good enough child this year."

Comments (1 posted)

Companies

BBC sees possibilities with online archive (vnunet)

Vnunet looks at efforts by the BBC to produce an online archive site. "The BBC is doing some other navel gazing as its Charter comes up for review, and radical ideas are being thrown about. It is developing an open source video codec, called Dirac, to replace the Real Networks software currently used to stream video from the BBC site. This could challenge other commercial formats, including Microsoft's Windows Media Player 9."

Comments (5 posted)

Motorola picks Linux for HP mobile gear (Silicon.com)

Silicon.com covers a collaboration between Motorola and HP that puts carrier grade Linux into mobile phones. "Joy King, director of worldwide marketing for HP's network and service provider business unit, believes that Linux is evolving into the standard to use. While Motorola isn't ready to dump its own software just yet, she said, through this partnership, it has started down that path." Here is the press release.

Comments (1 posted)

Linux Adoption

Asian govt Linux alliance close to software launch (Hindustan Times)

The Hindustan Times reports on a North Asian government alliance to promote the Linux operating system. "Lu said the topic was complicated by Oracle, which along with Chinese software firm Red Flag is developing "Asianux", a standard Linux operating system designed for Asia. The national alliance was not involved with that project, he said. In China, the firm overseeing development of the official software was Beijing Co-Create Open Source Software Co Ltd."

Comments (none posted)

China's OSS alliance is founded to withstand Microsoft (China Economic Net)

China Economic Net reports on efforts to upset Microsoft's dominance in China. "It will be possible for Thiz Technology Group Limited, who focuses on personal desktop operating systems, to make its assault on Microsoft in the desktop field. The first step that they choose to take is talent cultivation, which has never happened before. It is well known that at present there are two mainstream computer operating systems in the world, namely Microsoft's Windows and the globally open Linux. Among them, Windows that is familiar to personal computer users has been monopolizing the computer desktop market for almost 10 years, while Linux, which has been forced to simply cooperate with some corporate users, has failed to get the correct approach to cut into the personal computer desktop market." Thanks to Chel van Gennip.

Comments (13 posted)

Munich OSS switch to go ahead, patents or no patents (Register)

The Register reports that the city of Munich is moving ahead with its switch to Linux. "Patent fears will not derail Munich's move to Linux, city mayor Christian Ude has told a press conference. Earlier this month the city put the brakes on its Windows to open source migration while the implications of pending EU patent legislation could be examined, but Ude has now said that the project will go ahead, and that the city administration is merely pausing to consider matters for a few days."

Comments (2 posted)

Munich Posts Want Ad -- Seeking Linux Experts for LiMux (Groklaw)

Groklaw mentions a new job opening for a Linux expert in Munich. ""At the online job fair of the Bavarian State Capital 'talented and motivated staff' are wanted to maintain and administer the future Linux-based clients. The job ad underlines Major Christian Ude's announcement yesterday that the migration to Linux will be continued." I like this mayor. He has courage."

Comments (none posted)

Vienna to offer workers Linux desktop option (Computerworld)

Computerworld reports on a user-optional Linux migration plan in Vienna, Austria. "Next year, users of 7,500 of the 16,000 desktop workstations in the municipality of Vienna will have the choice of moving to Linux, according to Erwin Gillich, head of the city's information services. An evaluation of the test will follow in 2006. Vienna is one of several European cities and organizations to switch to the open-source operating system. Compared with the decision made by the city of Munich, which plans to fully replace Microsoft Corp. operating systems with Linux, the municipality of Vienna is opting for a slow transformation."

Comments (none posted)

Linux at Work

Most Reliable Hosting Providers during July (Netcraft)

Netcraft looks at the most reliable hosting providers during July. Of the top ten systems, 4 use Linux and 4 use FreeBSD.

Comments (none posted)

Legal

Lawyers Weigh In on Linux Patent Threat (eWeek)

eWeek talks with a few lawyers about Linux and software patents. "Kelly Talcott, an intellectual property partner in the New York office of the national law firm of Kirkpatrick & Lockhart LLP, agreed. 'OSRM's announcement simply puts a number to a fact that the software industry has been living with for years. With the increasing number of issued software patents comes the increasing possibility of being sued for infringement. This affects all flavors of software, not just Linux.'"

Comments (1 posted)

Torvalds trademark looms over Australian Linux industry (ZDNet.com.au)

ZDNet Australia covers Linux Australia Inc., a company that has secured Linus Torvalds' support to register the word "Linux" as a trademark with Australia's intellectual property regulator. "The move is designed to prevent local companies attempting to claim the word as their own, but it will also throw open the possibility that local Linux vendors will start paying royalties to trade on the term for the first time."

Comments (3 posted)

A Big Fly in the Open-Source Soup (Business Week)

Here's a strange article in Business Week on "intellectual property uncertainty" in Linux. SCO is not a problem, says the author, and neither are patents (for now). The "murky" GPL is the big issue. "Bright as it is, the future of commercial open source might be considerably brighter if Linux and other programs went to a more commerce-friendly license with fewer complexities and ambiguities than the GPL. There's plenty of precedent. The BSD license, the Mozilla Foundation license used for browsers, and the Apache license all provide for free distribution of code and source code with fewer restrictions than the GPL."

Comments (32 posted)

The MySQL License Question (OfB.biz)

Open for Business examines MySQL's license. "The big question we wanted to know was if MySQL was adding restrictions to the GPL or if the terms on the site were simply a broad overview that represents suggestions that in no way alter the permissions given by the license. Urlocker confirmed to us that MySQL did not consider the page to be an addition to the GPL, but rather information for those attempting to understand -- in simple terms -- why they might need a MySQL commercial license."

Comments (16 posted)

Interviews

Sneak preview of KDE 3.3: Q&A with developer George Staikos (NewsForge)

NewsForge talks with George Staikos about KDE 3.3. "Staikos: Actually KDE PIM (Personal Information Management) was one of the big focal points of this release. An incredible amount of work has been done on all of the PIM components -- KOrganizer, KAddressBook, KMail, Kontact, groupware, resources, and more. We have definitely seen speed improvements, too, especially in Konqueror file browsing, KMail, and the IMAP I/O slave. Optimization work for 3.3 is still ongoing, and I expect to see more."

Comments (none posted)

Anonymous, Open Source P2P with MUTE (O'ReillyNet)

O'ReillyNet looks at MUTE, an open-source P2P application. "[Jason] Rohrer, a 26-year-old programmer from Potsdam, New York, found inspiration in the way ants stream toward a food source. From observing the creatures' behavior, he mapped out a networking method that functions similarly -- essentially, a shared file is the food source, and clients on the network are the ants seeking the food. He then wrote his own P2P program putting this theory to practice and christened it MUTE. Developed entirely in C++ and released as open source, the program runs on Linux, Win32, and Mac OS X."

Comments (12 posted)

Interview with Bruce Schneier (Netcraft)

Netcraft has put up an interview with Bruce Schneier. On product liability for software bugs: "I presume there would be some exemption for open source, just as the United States has a 'good Samaritan' law protecting doctors who help strangers in dire need. Companies could also make a business wrapping liability protection around open source software and selling it, much as companies like Red Hat wrap customer support around open source software."

Comments (1 posted)

Linux clusters outshined by supercomputers in HPC (Search Enterprise Linux)

Search Enterprise Linux talks with Paul Terry, CTO of Cray Canada. "Terry: The Cray XD1 system, together with Cray's Red Storm platforms, will be the first Linux system purpose-built to handle HPC workloads. It uses a new architecture that presents a real alternative to clusters, while preserving the economics of commercial components. The Direct Connected Processor architecture breaks the communications bottleneck by embedding the interconnect and removing the PCI bottleneck to directly connect processors to each other and memory. The Cray Red Storm system, designed for Sandia, take this same direct connect approach.

Comments (11 posted)

Resources

OOo Off the Wall: Getting in the Frame (Linux Journal)

Linux Journal takes a look at frame styles in OpenOffice.org Writer. "The more complex your documents, however, the more you should know about how to use frame styles. The number of options available are extensive enough that you can fine-tune a frame's look and behavior almost as much as you can in a desktop publishing program. You even can add blank frames (also called text frames) and arrange them so that text flows automatically from one frame to another. This feature allows the automation of complicated layouts, such as folded brochures or newsletters in which a story begins on one page and ends on the next. Beyond a doubt, knowing how to format text frames can give your document design an extra edge."

Comments (none posted)

Linux in Government: LAMP Solution for the '9/11 Commission Report' Recommendation (Linux Journal)

Tom Adelstein counters terrorism using open-source software, in this Linux Journal article. "Fortunately, a viable Linux solution to the task of connecting disparate databases over the networks is in existence today. This extant system connects a variety of government databases with a LAMP Web services application that is freely downloadable from the Internet. It allows one to search disparate databases in disparate geographical locations."

Comments (1 posted)

PHP as a General-Purpose Language (Linux Journal)

This Linux Journal article says that PHP isn't just for web scripting any more. "Although most people use PHP primarily as a Web development scripting system, it possesses all the characteristics of a proper general-purpose language that can be useful in a variety of other environments. In this article, I illustrate how it's possible to use the command-line version of PHP to perform complex shell operations, such as manipulating data files, reading and parsing remote XML documents and scheduling important tasks through cron."

Comments (6 posted)

Reviews

Mail Server Performance Monitoring with Mailgraph (O'ReillyNet)

O'ReillyNet looks at a mail server using Mailgraph. "In a nutshell, installing Mailgraph will allow us to see how our mail server performs through neatly laid-out graphical and numerical representations of mail traffic flowing through a particular mail server. If you've ever used a similar tool that can display graphs, such as MRTG, you know that graphs often speak volumes of invaluable information when trying to diagnose a problem quickly. Graphs can portray information about the past, present, and sometimes even the future."

Comments (1 posted)

At the Sounding Edge: LilyPond, Part 2 (Linux Journal)

Linux Journal takes a dip in the LilyPond. "Last month we looked at some of the the basic operations of the LilyPond music typesetting software. We saw that LilyPond is a TeX-based language specifying the complexities of Western music notation and capable of producing excellent PostScript printable output. This month, we look at three GUI front-ends for LilyPond: the Rosegarden sequencer, the NoteEdit music notation editor and the Denemo LilyPond file preparation utility. I've also appended a brief account of the music and sound topic presentations made at this year's Libre Software Meeting."

Comments (none posted)

Miscellaneous

DVD Jon cracks Airport music streaming (Register)

The Register examines the latest efforts by Jon Johansen. "Norwegian programmer Jon Lech Johansen has decrypted and published the key that Apple's wireless hi-fi bridge, Airport Express, uses to protect music streams. He's also released the source code to a small Windows command-line tool he calls JustePort. In essence his crack opens the door for other applications to broadcast music to your hi-fi over a home WLAN network using Express, rather than just iTunes 4.6. For users on Linux machines, or with WMA or OGG format files, this could be a boon, as iTunes supports neither format out of the box."

Comments (1 posted)

Perens readies old-school Linux, but who wants it? (vnunet)

vnunet has posted an article suggesting that uptake on UserLinux will be small. "HP and IBM have no plans to support the distribution. According to HP, too many distributions could confuse users. 'Having too many competitors is not good for the market,' said a spokeswoman for the company. IBM said it already offered users plenty of choice by supporting and providing certification for Red Hat and SuSE. Oracle declined to comment."

Comments (15 posted)

Linux Games Drive Linux Desktop Growth (LinuxWorld.com)

LinuxWorld Magazine takes exception to Linux Journal's choice of "Best Game". "Trying to get major game publishers take Linux gamers seriously is a difficult task, and when publications that much of the Linux community reads such as yours basically blow games off and give a game award to a non-game, you make the task far more arduous."

Comments (7 posted)

Page editor: Forrest Cook

Announcements

Non-Commercial announcements

California Performance Review recommends open source

The California Performance Review is the result of a massive committee effort; it seeks to advise the state on how to become more efficient and responsive to its residents. One of the reports many recommendations is this suggestion that the state should use more free software. "In summary, open source is not just about cost savings. Since the code is open, it offers the flexibility for organizations to modify the code as needed for specific uses. Many also feel that open source is more reliable and secure than closed source. In closed source software, the code is hidden from the user so it is difficult to identify potential security risks in advance and to work proactively to make the system more secure. Also, bug fixes and patches must be distributed from the originating developer rather than originating from the users who have identified the problem. In this regard, open source can provide superior security than closed source."

Comments (2 posted)

Different way for donations from GB to FSFE

In an effort to circumvent excessive banking fees on donations, the Free Software Foundation Europe has set up a program that allows contributors in Great Britain to donate locally. "Due to substantial bank fees charged for international money transfers, small donations or standing orders are too expensive to be sent directly to the Free Software Foundation Europe bank account. To rectify this, FSFE in July 2004 entered into an agreement with UK based associate organisation AFFS to collect donations and transfer them in larger batches."

Full Story (comments: none)

Introducing Wilhelm Tux, the new FSFE associate

Wilhelm Tux, a Swiss Free Software organization, has officially become an associate of the Free Software Foundation Europe. ""This is indeed great news for all members and friends of Wilhelm Tux, as this adds a new brick to the road ahead promoting Free Software in Switzerland. We are eager to continue raising the interest for Free Software in a Free Society, especially in Switzerland universally known as a land of Freedom", says Myriam Schweingruber, president of Wilhelm Tux."

Full Story (comments: none)

ITTIA launches db.*, a free, open source embedded database

ITTIA has launched db.*, an open source, small footprint embedded database for open-source platforms. db.* is the open source version of a database engine that has been developed and tested for more than 20 years, and been used successfully in tens of thousands of applications. ITTIA is making it available to the public in order to promote its tech support and consulting business, and to promote Club ITTIA, its embedded database community.

Full Story (comments: 8)

Commercial announcements

F-Secure And BlueCat Networks Debut Anti-Virus for Linux

F-Secure Corporation has announced that BlueCat Networks, Inc. has licensed F-Secure Anti-Virus for Linux to embed into their Meridius Security Gateway appliance.

Full Story (comments: none)

F-Secure's RSS feed for virus notification

F-Secure has announced their new RSS feed with announcements of all of the latest virus reports. It looks like most of the viruses listed don't affect Linux systems.

Full Story (comments: none)

Lindows gives up on IPO

Lindows has sent out a press release stating that it has put its initial public offering process on hold for now. "'Lindows won't be forced into a cut-rate IPO by a fickle stock market. We are fortunate to have cash in the bank, and we owe it to our stockholders to wait until market conditions and public company valuations improve before we proceed with a public offering,' said Michael Robertson, chairman and chief executive officer of Lindows, Inc." That $20 million from Microsoft sure came in at the right time.

Comments (1 posted)

New Linux Networx Computer Systems Help DoD Simulate Battlefield

Linux Networx has announced delivery of two 256-processor Evolocity Linux Networx cluster computing systems at US Department of Defense computing centers. "Joint Forces Command (J9) will utilize the clusters to simulate combat operations on a world-wide virtual battlefield. Military personnel at J9, and other distributed sites around the country, will interact directly with the computers at MHPCC and ASC as they participate in large scale, high resolution simulations not possible before the delivery of the new cluster computers."

Comments (none posted)

Mandrakesoft: Shareholder meeting for a transfer to a regulated market

MandrakeSoft has announced a shareholder meeting that deals with transferring the company to a regulated market.

Full Story (comments: none)

New Books

"Enterprise JavaBeans, Fourth Edition" Released by O'Reilly

O'Reilly has published the book Enterprise JavaBeans, Fourth Edition by Richard Monson-Haefel, Bill Burke, and Sacha Labourey.

Full Story (comments: none)

"Mono: A Developer's Notebook" Released by O'Reilly

O'Reilly has published the book Mono: A Developer's Notebook by Edd Dumbill and Niel M. Bornstein.

Full Story (comments: none)

Resources

The LDP Weekly News

The August 8, 2004 edition of the Linux Documentation Project Weekly News is online with the latest new documentation releases.

Full Story (comments: none)

The User Guide to Using the Linux Desktop

The UNDP-APDIP International Open Source Network has put together an introductory book called the User Guide to Using the Linux Desktop. It is available as a series of PDF files, and is released under the Creative Commons Attribution 2.0 license. "The main aim is to provide a self-learning guide on how to use a modern Linux desktop system. It assumes that the user has no prior knowledge of Linux or PC usage."

Comments (none posted)

aKademy: Samba3, OpenLDAP und Kolab 2 Tutorials (KDE.News)

Three tutorials from the KDE Community World Summit 2004 are available. Topics include Kolab 2, the OpenLDAP directory server and Samba 3.

Comments (none posted)

Research and Markets: Defining The Market For Full-Feature Handsets

Research and Markets has announced a new report on the mobile phone handset market. "Linux will Threaten Symbian Dominance. While Symbian will be the market share leader in the next 24 to 36 months, thanks to its endorsement by market makers Nokia and NTT DoCoMo, Linux will threaten for long-term dominance. Linux leads other platforms in openness and low cost - factors that are essentials to success in a market defined by tight margins, rapid innovation, and standards adherence."

Comments (none posted)

SPECviewperf 8 Adds Four New Viewsets

Version 8 of the SPECviewperf graphics performance benchmark has been announced. "SPEC/GPC's OpenGL Performance Characterization (SPECopc) project group has released SPECviewperf 8, a major new version of its software that measures graphics performance for systems running popular CAD/CAM, digital content creation, and visualization applications. Windows, Linux and Unix versions of SPECviewperf 8 can be downloaded without charge on the SPEC/GPC web site (www.spec.org/gpc)."

Comments (none posted)

Bioinformatics Benchmark System version 3 released (Bioinformatics.org)

Bioinformatics.org has an announcement for version 3 of the Bioinformatics Benchmark System "Many new features, bug fixes, and suggested changes have been made. New benchmarks have been added and updated for mpiBLAST, HMMer, NCBI BLAST, and others. Benchmarks are described by XML documents. Output is via an XML document, which is manipulated by various tools for display, output, analysis, and submission."

Comments (none posted)

Upcoming Events

OSCOM.4 registration opens

Registration has opened for the Open Source CMS Conference 4. The event will be held in Zurich, Switzerland on September 29 - October 1, 2004.

Full Story (comments: none)

CFP: 7th German Perl Workshop '05 (use Perl)

Use Perl has a Call for Participation for the The 7th German Perl workshop. The event is tentativley scheduled for February 8-11, 2005, proposals are due by October 31.

Comments (none posted)

Software Freedom Day

The first international Software Freedom Day is being organized at the Menlyn Park Events Arena in Pretoria, South Africa on August 28, 2004. "The format of the event is still very flexible and will depend on the exhibitors and attendees, but I'd love to have a combination of exhibitions and technology showcases that will attract attention, n 'install fest', public addresses by roleplayers and live ntertainment offered by South Africa's best young talent. In short the idea is to blow people's hair back!"

Full Story (comments: none)

Events: August 19 - October 14, 2004

Date	Event	Location
August 21 - 29, 2004	KDE Community World Summit 2004(aKademy)	(Filmakademie Ludwigsburg)Ludwigsburg (Stuttgart Region), Germany
September 2 - 3, 2004	Python for Scientific Computing(SciPy)	(CalTech)Pasadena, CA
September 2 - 4, 2004	2nd Swiss Unix Conference	(Technopark)Zurich, Switzerland
September 9 - 10, 2004	Linux Expo Shanghai	(Shanghai Exhibition Center)Shanghai, China
September 13 - 16, 2004	Embedded Systems Conference	(Hynes Convention Center)Boston, MA
September 15 - 17, 2004	YAPC::Europe 2004	Belfast, Northern Ireland
September 20 - 23, 2004	New Security Paradigms Workshop(NSPW)	(White Point Beach Resort)Nova Scotia
September 20 - 22, 2004	Plone Conference 2004	Vienna, Austria.
September 22 - 24, 2004	OpenOffice.org Conference(OOoCon 2004)	(Humboldt University)Berlin, Germany
September 22 - 24, 2004	php|works 2004	(Holiday Inn Yorkdale Hotel & Conference Centre)Toronto, Canada
September 27 - October 1, 2004	4th International SANE Conference(SANE)	(Amsterdam RAI Centre)Amsterdam, The Netherlands
September 27 - 29, 2004	ConSec '04	(J.J.Pickle Research Center)Austin, Texas
September 29 - October 1, 2004	OSCOM 4	(Swiss Federal Institute of Technology)Zurich, Switzerland
October 2, 2004	Ohio LinuxFest	Columbus, Ohio
October 6 - 7, 2004	LinuxWorld Conference and Expo	(Olympia Exhibition Centre)London, England, UK
October 8 - 10, 2004	Linucon	(Red Lion Hotel)Austin, TX
October 10 - 17, 2004	MySQL Swell	Across the Mediterranean

Comments (none posted)

Software announcements

This week's software announcements

Here are the software announcements, courtesy of Freshmeat.net. They are available in two formats:

• Sorted alphabetically,
• Sorted by license.

Comments (none posted)

Miscellaneous

Free Dog

The Open Collector site has an announcement for a new group of open-source electronics enthusiasts at MIT, known as Free Dog. "Free Dog is an association of like-minded hackers and engineers interested in free and open EDA tools. We hold monthly meetings at MIT (Cambridge, MA, USA) featuring informal networking, speakers, and an after-hours gathering at a local watering hole. Our goals are to learn more about EDA software, share ideas about our current projects, and -- most importantly -- have fun with like-minded people."

Comments (none posted)

Page editor: Forrest Cook