---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 27 March 2006.
---------------------------------------------------------------------------

==============
1. Gentoo news
==============

Security team recruiting campaign
---------------------------------

Security has always been one of the Gentoo project's strongest aspects. To
prevent the quality of GLSAs from dropping, the security team has started
to actively look for additional help among existing and future developers.
This recruitment campaign aims to compensate for problems that can delay
the fixing of security bugs, such as missing or inactive package
maintainers and a lack of GLSA coordinators. Other areas that need more
support are the KISS project (kernel security advisory system) and
glsa-check integration into Portage. If you're able and willing to help
with any of these security-related issues, please contact one of the
following project/subproject leaders:

* GLSA team: Sune Kloppenborg Jeppesen[1] or Stefan Cornelius[2] (who
  replaces Thierry Carrez as operational co-lead)
* Kernel team: Tim Yamin[3]
* Audit team: Tavis Ormandy[4]
1. jaervosz@g.o
2. dercorny@g.o
3. plasmaroo@g.o
4. taviso@g.o

Note: See the latest security team meeting report for more details.

Bugzilla category change for the installer project
--------------------------------------------------

The maintainers of bugs.gentoo.org[5] have removed the old "Gentoo Linux
Installer" (GLI) component inside the "Gentoo Linux" category. Instead
they have added an "Installer" component as a "Gentoo Release Media"
subcategory. All the old bugs are already reassigned, and if you would
like to file a bug regarding the installer, please use the new component!

5. http://bugs.gentoo.org

Ruby on Rails 1.1 RC1 hits Portage
----------------------------------

The first release candidate of Ruby on Rails[6] 1.1 is now in Portage. For
users running ~arch, it will add the new versions to their gem
installations without removing the old ones. They will be able to make use
of the new version, and can still lock their code to the old version if
they need to. The Portage versions all end in .4008, which represents
upstream's subversion repository commit number for the 1.1_RC1 release.

6. http://www.rubyonrails.com

Users who are interested in trying out the new versions are encouraged to
do so, and to file bugs with either Gentoo[7] or http://dev.rubyonrails.org[8]
as appropriate. Those who want to lock their existing Rails applications
to a specific version can see the following URLs for information on how
to do so:

7. http://bugs.gentoo.org
8. http://dev.rubyonrails.org

* RC 1 announcement[9]
* How to lock to specific Rails versions[10]
9. http://weblog.rubyonrails.com/articles/2006/03/22/rails-1-1-release-candidate-1-available
10. http://wiki.rubyonrails.com/rails/pages/HowtoLockToSpecificRailsVersions

=========================
2. Heard in the community
=========================

Web forums
----------

Timezone down under

Gentoo's timezone data was not updated in time to support the timezone
change made for the Commonwealth Games held in Australia until the end of
March. Several Australian states postponed the usual changeover to
daylight saving time until 2 April. To prevent clocks from running an hour
ahead of time for a whole week, check this thread:

* Newb: How to patch for Commonwealth Games DST[11]
11. http://forums.gentoo.org/viewtopic-t-423456.html

Suddenly the dungeon collapses

Are games in Gentoo inherently unsafe? A recently discovered vulnerability
in Nethack has sparked this lively debate. The vulnerability isn't in
Nethack itself, though: it is caused by the way Gentoo handles games and
was not a problem for any other distro. Should we find a new way to handle
the games group? Come and join the debate!

* Gentoo games group leads to security hole - big surprise(!)[12]
12. http://forums.gentoo.org/viewtopic-t-446415.html

======================
3. Gentoo in the press
======================

ZDNet France (20 March 2006, in French)
---------------------------------------

"Renaissance"[13] is the title of an animated movie by Christian Volckman
set in the year 2054 in Paris. A young scientist is kidnapped, and an
obscure police officer tries to get her back. While real human actors
were involved in the making of this "animated Matrix", it was merely to
capture their movements and have those transformed into computer-generated
black-and-white images -- rendered entirely on a cluster of 200 Gentoo
Linux servers. The French ZDNet website clearly thought this was worth an
article[14], which is based on an interview with Julien Doussot, a
technical director of "Attitude Studio"[15], the creative team behind the
scenes. The film has been in cinemas in France since last week.

13. http://www.renaissance-lefilm.com
14. http://www.zdnet.fr/actualites/informatique/0,39040745,39332299,00.htm
15. http://www.attitude-studio.com

Newsforge (21 March 2006)
-------------------------

"A distro of power"[16] is what Joseph Quigley calls Gentoo Linux in his
testimonial, published last Tuesday as the latest addition to Newsforge's
"My Desktop OS" mini-series. In spite of using Gentoo on what he calls a
"low-end system," he was impressed that he "could watch a DVD and compile
KDE simultaneously with few interruptions or glitches." There are those
who'd disagree on his 1.58GHz Sempron 2300 with 512MB of RAM being on the
low end of things, but then again: "If you have a higher-end system, you
won't be disappointed either," says Quigley.

16. http://os.newsforge.com/os/06/03/15/228227.shtml

=========================
4. Gentoo developer moves
=========================

Moves
-----

The following developers recently left the Gentoo project:

* None this week

Adds
----

The following developers recently joined the Gentoo project:

* None this week

Changes
-------

The following developers recently changed roles within the Gentoo project:

* Thierry Carrez (koon) - stepped down as operational security co-lead
* Stefan Cornelius (DerCorny) - new operational security co-lead

==================
5. Gentoo Security
==================

PeerCast: Buffer overflow
-------------------------

PeerCast is vulnerable to a buffer overflow that may lead to the execution
of arbitrary code.

For more information, please see the GLSA Announcement[17].

17. http://www.gentoo.org/security/en/glsa/glsa-200603-17.xml

Pngcrush: Buffer overflow
-------------------------

Pngcrush is vulnerable to a buffer overflow which could potentially lead
to the execution of arbitrary code.

For more information, please see the GLSA Announcement[18].

18. http://www.gentoo.org/security/en/glsa/glsa-200603-18.xml

cURL/libcurl: Buffer overflow in the handling of TFTP URLs
----------------------------------------------------------

libcurl is affected by a buffer overflow in the handling of URLs for the
TFTP protocol, which could be exploited to compromise a user's system.

For more information, please see the GLSA Announcement[19].

19. http://www.gentoo.org/security/en/glsa/glsa-200603-19.xml

Macromedia Flash Player: Arbitrary code execution
-------------------------------------------------

Multiple vulnerabilities have been identified that allow arbitrary code
execution on a user's system via the handling of malicious SWF files.

For more information, please see the GLSA Announcement[20].

20. http://www.gentoo.org/security/en/glsa/glsa-200603-20.xml

Sendmail: Race condition in the handling of asynchronous signals
----------------------------------------------------------------

Sendmail is vulnerable to a race condition which could lead to the
execution of arbitrary code with sendmail privileges.

For more information, please see the GLSA Announcement[21].

21. http://www.gentoo.org/security/en/glsa/glsa-200603-21.xml

PHP: Format string and XSS vulnerabilities
------------------------------------------

Multiple vulnerabilities in PHP allow remote attackers to inject arbitrary
HTTP headers, perform cross-site scripting or, in some cases, execute
arbitrary code.

For more information, please see the GLSA Announcement[22].

22. http://www.gentoo.org/security/en/glsa/glsa-200603-22.xml

NetHack, Slash'EM, Falcon's Eye: Local privilege escalation
-----------------------------------------------------------

NetHack, Slash'EM and Falcon's Eye are affected by local privilege
escalation vulnerabilities that could potentially allow the execution of
arbitrary code as other users.

For more information, please see the GLSA Announcement[23].

23. http://www.gentoo.org/security/en/glsa/glsa-200603-23.xml

RealPlayer: Buffer overflow vulnerability
-----------------------------------------

RealPlayer is vulnerable to a buffer overflow that could lead to remote
execution of arbitrary code.

For more information, please see the GLSA Announcement[24].

24. http://www.gentoo.org/security/en/glsa/glsa-200603-24.xml

===========
6. Bugzilla
===========

Statistics
----------

The Gentoo community uses Bugzilla (bugs.gentoo.org[25]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 19 March 2006 and 26 March 2006, activity on the
site has resulted in:

25. http://bugs.gentoo.org

* 832 new bugs during this period
* 481 bugs closed or resolved during this period
* 27 previously closed bugs were reopened this period

Of the 9756 currently open bugs: 66 are labeled 'blocker', 150 are labeled
'critical', and 536 are labeled 'major'.

Closed bug rankings
-------------------

The developers and teams who have closed the most bugs during this period
are:

* Gentoo Games[26], with 47 closed bugs[27]
* Gentoo Linux Gnome Desktop Team[28], with 21 closed bugs[29]
* Gentoo X-windows packagers[30], with 19 closed bugs[31]
* AMD64 Project[32], with 18 closed bugs[33]
* X11 External Driver Maintainers[34], with 14 closed bugs[35]
* Gentoo's Team for Core System packages[36], with 13 closed bugs[37]
* Gentoo KDE team[38], with 12 closed bugs[39]
* Gentoo Security[40], with 11 closed bugs[41]
26. games@g.o
27. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=games@g.o
28. gnome@g.o
29. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=gnome@g.o
30. x11@g.o
31. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=x11@g.o
32. amd64@g.o
33. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=amd64@g.o
34. x11-drivers@g.o
35. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=x11-drivers@g.o
36. base-system@g.o
37. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=base-system@g.o
38. kde@g.o
39. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=kde@g.o
40. security@g.o
41. http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=security@g.o

New bug rankings
----------------

The developers and teams who have been assigned the most new bugs during
this period are:

* Default Assignee for New Packages[42], with 32 new bugs[43]
* AMD64 Project[44], with 14 new bugs[45]
* Gentoo's Team for Core System packages[46], with 11 new bugs[47]
* Gentoo Sound Team[48], with 10 new bugs[49]
* Default Assignee for Orphaned Packages[50], with 10 new bugs[51]
* Gentoo Science Related Packages[52], with 7 new bugs[53]
* media-video herd[54], with 7 new bugs[55]
* Gentoo Toolchain Maintainers[56], with 6 new bugs[57]
42. maintainer-wanted@g.o
43. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=maintainer-wanted@g.o
44. amd64@g.o
45. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=amd64@g.o
46. base-system@g.o
47. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=base-system@g.o
48. sound@g.o
49. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=sound@g.o
50. maintainer-needed@g.o
51. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=maintainer-needed@g.o
52. sci@g.o
53. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=sci@g.o
54. media-video@g.o
55. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=media-video@g.o
56. toolchain@g.o
57. http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=toolchain@g.o

===============
7. GWN feedback
===============

Please send us your feedback[58] and help make the GWN better.

58. gwn-feedback@g.o

===============================
8. GWN subscription information
===============================

To subscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn+subscribe@g.o.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn+unsubscribe@g.o from the email address you are
subscribed under.

==================
9. Other languages
==================

The Gentoo Weekly Newsletter is also available in the following languages:

* Danish[59]
* Dutch[60]
* English[61]
* German[62]
* French[63]
* Korean[64]
* Japanese[65]
* Italian[66]
* Polish[67]
* Portuguese (Brazil)[68]
* Portuguese (Portugal)[69]
* Russian[70]
* Spanish[71]
* Turkish[72]
59. http://www.gentoo.org/news/da/gwn/gwn.xml
60. http://www.gentoo.org/news/nl/gwn/gwn.xml
61. http://www.gentoo.org/news/en/gwn/gwn.xml
62. http://www.gentoo.org/news/de/gwn/gwn.xml
63. http://www.gentoo.org/news/fr/gwn/gwn.xml
64. http://www.gentoo.org/news/ko/gwn/gwn.xml
65. http://www.gentoo.org/news/ja/gwn/gwn.xml
66. http://www.gentoo.org/news/it/gwn/gwn.xml
67. http://www.gentoo.org/news/pl/gwn/gwn.xml
68. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
69. http://www.gentoo.org/news/pt/gwn/gwn.xml
70. http://www.gentoo.org/news/ru/gwn/gwn.xml
71. http://www.gentoo.org/news/es/gwn/gwn.xml
72. http://www.gentoo.org/news/tr/gwn/gwn.xml

Ulrich Plate <plate@g.o> - Editor
Andrew Gaffney <agaffney@g.o> - Author
Curtis Napier <curtis119@g.o> - Author
Caleb Tennis <caleb@g.o> - Author
--
gentoo-gwn@g.o mailing list