Gentoo Archives: gentoo-gwn

From: Ulrich Plate <plate@g.o>
To: gentoo-gwn@l.g.o
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 25 April 2005
Date: Mon, 25 Apr 2005 23:26:21
Gentoo Weekly Newsletter
This is the Gentoo Weekly Newsletter for the week of 25 April 2005.
1. Gentoo News
Project Dolphin: Experimental rescue CD
Benjamin Judas[1] announced last Friday that the release-engineering team 
has created a new experimental subproject called "Project Dolphin" in 
order to provide a feature-enhanced LiveCD version targeted at system 
rescue. Much like the unofficial French SysRescueCD[2] that is also based 
on the Gentoo LiveCD, Project Dolphin aims at offering all the tools 
needed for the recovery of broken installations, failing harddisks or 
other systems in need of rescue. 

 1. beejay@g.o
Figure 1.1: Project Dolphin - LiveCD for rescue missions
Highlights of the CD include zsh, samba, bacula, mc, dar, mutt, xfsdump, 
ide-smart, netcat, nmap, chrootkit, partimage, ncftp, centericq, 
bind-tools, alsa-utils, mpg321. A very early test ISO image, actively 
soliciting testers, has been made available in the experimental section of 
the Gentoo mirrors[3] for download, in the /experimental/x86/livecd/x86 
path. Users are strongly encouraged to submit comments to a freshly 
introduced meta-bug[4], either to report problems or to request feature 
additions. Thanks a lot for your support! 

International Gentoo mailing list additions
Two new mailing lists have been made available last week: The Dutch 
version of the Gentoo Weekly Newsletter is now distributed in plain text 
version via e-mail, at gentoo-gwn-nl@g.o, shortly after being 
translated from the English original. As all other newsletter lists, it is 
for distribution only. Dutch and Flemish speaking readers of the GWN can 
subscribe to the new list by sending an e-mail to 
gentoo-gwn-nl-subscribe@g.o and following the instructions in the 
confirmation message they'll receive. 
A regular support and discussion list has been set up for all Russian 
Gentoo users, as Konstantin V. Arkhipov[5] announced last week. 
gentoo-user-ru@g.o can be subscribed by sending a blank message to 
gentoo-user-ru-subscribe@g.o. A full list of official Gentoo 
mailing lists, both English and non-English ones, is available along with 
usage instructions at the mailing list page[6]. 

 5. voxus@g.o
2. Developer of the week
"Gentoo is Zen applied to software" -- Patrick Lauer (bonsaikitten)
Figure 2.1: Patrick Lauer aka Bonsaikitten
This week's featured developer is bonsaikitten[7], who goes by the name 
Patrick Lauer in real life. He has no allegiance pledged to any particular 
faction of Gentoo devhood, but likes to work on a bit of everything. Since 
late 2004 he is also a regular contributor to the GWN, in particular the 
gentoo-dev mailing list summaries and this column, the dev-of-the-week, 
are usually authored by him. 

 7. patrick@g.o
Patrick operates the[8] server, offering ressources 
for weird and unfinished ideas, including (but not limited to) tinderbox, 
the script repository[9] and future (web-)rsync replacement candidates. 
Planet Gentoo was first hosted on Patrick's server before being moved onto 
official hardware managed by the Gentoo infrastructure team. 

During the day he's a student of Computer Science at the RWTH Aachen, 
Germany, where he has started writing his thesis on "anonymous networks", 
leaving precious little time for everything else, but after four and a 
half years at the university he feels ready to move on. His computing 
environment is a room full of crummy old hardware, a Quad Xeon, two 
Athlons, and (courtesy of the CS faculty of his university) a 16-CPU 
He is a user of blackbox, firefox, licq, sometimes konqueror, and -- due 
to vendor lock-in -- evolution, which seems to get less useful with every 
revision, "as do all gnomes and trolls," says Patrick. He likes to work in 
Python, but other languages are no problem, either - "unless they are 
called Java and need longish incantations for every single statement." 
When the weather permits he can be found mountainbiking in the woods and 
fields around Aachen. He also enjoys good food, good (Belgian) beer, and 
the presence of preferably highly intelligent and sexy women (although the 
latter does not happen as often as desired). His motto is borrowed from 
Alfred Lord Tennyson: "It is better to have loved and lost than never to 
have loved at all." 
3. Heard in the community
Some new xorg ebuilds
For all those that desparately need the newest and most bleeding edge 
stuff, Donnie Berkholz[10] has put some new xorg ebuilds in portage. Bug 
reports are appreciated. Especially the 6.8.99.* snapshots might be 
interesting to try out - but be warned, it might break ... 

 10. spyderous@g.o
 * new xorg ebuilds [11] 

Category rename
Since there are many proxies (but not all of them www only), the www-proxy 
category might be renamed to net-proxy. All the SOCKS, www, ftp etc. 
proxies will then be easy to find in their new category. 
 * Category rename [12] 

Gentoo as a development platform
Daniel Drake[13] starts a discussion on how to use Gentoo as a development 
platform where you usually have to pull in various fixes from CVS. How do 
you keep everything under portage's control while still being able to fix 
things? Does portage support live CVS ebuilds in a sane fashion? Read on 
to find out more. 

 13. dsd@g.o
 * Gentoo as development platform [14] 

Apache problems
As some of you might have noticed, the Gentoo Apache team has done some 
quite extensive changes to the newest versions of Apache. This was done 
for various reasons, including (but not limited to) easier maintenance. 
This has caused various problems since there is no easy migration path, 
and most users don't want to throw away their apache config and start from 
scratch. Because of this the newest versions are package.mask'ed until 
this situation is resolved. 
 * package.mask'ing the new apache ebuilds [15] 
 * new apache stuff in testing[16] 

4. Gentoo International
Switzerland: Pentoo - Gentoo-based intrusion detection LiveCD
"Pentoo"[17] is an acronym for "PENetration on genTOO". It is based on 
kernel version 2.6.10, uses the Gnome desktop environment, and aims to 
provide a complete platform for intrusion detection, penetration-testing 
and security assessment. The content of the LiveCD can be updated, 
allowing for up-to-date fingerprint and vulnerability databases, for tools 
that require regular updates like the Nessus plugins, or scanner 
fingerprint files, metasploit etc. Users can optionaly store data on USB 
sticks for non-volatile storage support. Pentoo's author, Michael 
Zanetta[18], emphasizes that "it has to be considered beta as I have not 
much time to test it carefully," so feedback and comments are very 
welcome, at bugs@××××××.ch. A roadmap for the project[19] is available, 

 18. grimmlin@××××××.ch
Figure 4.1: Penetration testing based on Gentoo: Swiss 'Pentoo'
5. Gentoo in the press
Somos libres (25 April 2005, in Spanish)
Today's edition of the Peruvian "Free and Open Software User Group" 
website at Somos Libres has an interview with Daniel Oliveira,[20] one of 
the heads of the Gentoo spin-off project Ututo[21] developed at and around 
the university of Buenos Aires in neighboring Argentina. Oliveira, who 
represents a core team of 37 developers busy pushing Ututo to individual 
users, but also into municipal services and small and medium enterprises 
in Argentina, explains the history and the current status of the project. 

6. Moves, adds, and changes
The following developers recently left the Gentoo team: 
 * None this week  
The following developers recently joined the Gentoo Linux team: 
 * Herbie Hopkins (Herbs) - AMD64  
The following developers recently changed roles within the Gentoo Linux 
 * None this week  
7. Gentoo security
phpMyAdmin: Cross-site scripting vulnerability
phpMyAdmin is vulnerable to a cross-site scripting attack. 
For more information, please see the GLSA Announcement[22] 

Axel: Vulnerability in HTTP redirection handling
A buffer overflow vulnerability has been found in Axel which could lead to 
the execution of arbitrary code. 
For more information, please see the GLSA Announcement[23] 

Gld: Remote execution of arbitrary code
Gld contains several serious vulnerabilities, potentially resulting in the 
execution of arbitrary code as the root user. 
For more information, please see the GLSA Announcement[24] 

JunkBuster: Multiple vulnerabilities
JunkBuster is vulnerable to a heap corruption vulnerability, and under 
certain configurations may allow an attacker to modify settings. 
For more information, please see the GLSA Announcement[25] 

rsnapshot: Local privilege escalation
rsnapshot allows a local user to take ownership of local files, resulting 
in privilege escalation. 
For more information, please see the GLSA Announcement[26] 

OpenOffice.Org: DOC document Heap Overflow
OpenOffice.Org is vulnerable to a heap overflow when processing DOC 
documents, which could lead to arbitrary code execution. 
For more information, please see the GLSA Announcement[27] 

monkeyd: Multiple vulnerabilities
Format string and Denial of Service vulnerabilities have been discovered 
in the monkeyd HTTP server, potentially resulting in the execution of 
arbitrary code. 
For more information, please see the GLSA Announcement[28] 

PHP: Multiple vulnerabilities
Several vulnerabilities were found and fixed in PHP image handling 
functions, potentially resulting in Denial of Service conditions or the 
remote execution of arbitrary code. 
For more information, please see the GLSA Announcement[29] 

CVS: Multiple vulnerabilities
Several serious vulnerabilities have been found in CVS, which may allow an 
attacker to remotely compromise a CVS server or cause a DoS. 
For more information, please see the GLSA Announcement[30] 

XV: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in XV, potentially resulting 
in the execution of arbitrary code. 
For more information, please see the GLSA Announcement[31] 

Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities
New Mozilla Firefox and Mozilla Suite releases fix new security 
vulnerabilities, including memory disclosure and various ways of executing 
JavaScript code with elevated privileges. 
For more information, please see the GLSA Announcement[32] 

MPlayer: Two heap overflow vulnerabilities
Two vulnerabilities have been found in MPlayer which could lead to the 
remote execution of arbitrary code. 
For more information, please see the GLSA Announcement[33] 

openMosixview: Insecure temporary file creation
openMosixview and the openMosixcollector daemon are vulnerable to symlink 
attacks, potentially allowing a local user to overwrite arbitrary files. 
For more information, please see the GLSA Announcement[34] 

RealPlayer, Helix Player: Buffer overflow vulnerability
RealPlayer and Helix Player are vulnerable to a buffer overflow that could 
lead to remote execution of arbitrary code. 
For more information, please see the GLSA Announcement[35] 

KDE kimgio: PCX handling buffer overflow
KDE fails to properly validate input when handling PCX images, potentially 
resulting in the execution of arbitrary code. 
For more information, please see the GLSA Announcement[36] 

Kommander: Insecure remote script execution
Kommander executes remote scripts without confirmation, potentially 
resulting in the execution of arbitrary code. 
For more information, please see the GLSA Announcement[37] 

8. Bugzilla
 * Statistics 
 * Closed bug ranking 
 * New bug rankings 
The Gentoo community uses Bugzilla ([38]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 17 April 2005 and 24 April 2005, activity on the 
site has resulted in: 

 * 817 new bugs during this period 
 * 493 bugs closed or resolved during this period 
 * 14 previously closed bugs were reopened this period 
Of the 8497 currently open bugs: 89 are labeled 'blocker', 231 are labeled 
'critical', and 628 are labeled 'major'. 
Closed bug rankings
The developers and teams who have closed the most bugs during this period 
 * media-video herd[39], with 44 closed bugs[40]  
 * AMD64 Porting Team[41], with 43 closed bugs[42]  
 * Gentoo Sound Team[43], with 19 closed bugs[44]  
 * Gentoo Security[45], with 18 closed bugs[46]  
 * Jeremy Huddleston[47], with 16 closed bugs[48]  
 * Java team[49], with 13 closed bugs[50]  
 * Gentoo Science Related Packages[51], with 12 closed bugs[52]  
 * Daniel Black[53], with 12 closed bugs[54]  
 39. media-video@g.o
 41. amd64@g.o
 43. sound@g.o
 45. security@g.o
 47. eradicator@g.o
 49. java@g.o
 51. sci@g.o
 53. dragonheart@g.o

New bug rankings
The developers and teams who have been assigned the most new bugs during 
this period are: 
 * Gentoo Linux bug wranglers[55], with 19 new bugs[56]  
 * Mozilla Gentoo Team[57], with 13 new bugs[58]  
 * media-video herd[59], with 13 new bugs[60]  
 * Gentoo Sound Team[61], with 11 new bugs[62]  
 * Jeremy Huddleston[63], with 11 new bugs[64]  
 * Television related Applications in Gentoo's Portage[65], with 10 new 
 * Gentoo KDE team[67], with 9 new bugs[68]  
 * Gentoo Linux Gnome Desktop Team[69], with 9 new bugs[70]  
 55. bug-wranglers@g.o
 57. mozilla@g.o
 59. media-video@g.o
 61. sound@g.o
 63. eradicator@g.o
 65. media-tv@g.o
 67. kde@g.o
 69. gnome@g.o

9. GWN feedback
Please send us your feedback[71] and help make the GWN better.

 71. gwn-feedback@g.o
10. GWN subscription information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn-unsubscribe@g.o from the email address you are 
subscribed under. 
11. Other languages
The Gentoo Weekly Newsletter is also available in the following languages:
 * Danish[72]  
 * Dutch[73]  
 * English[74]  
 * German[75]  
 * French[76]  
 * Japanese[77]  
 * Italian[78]  
 * Polish[79]  
 * Portuguese (Brazil)[80]  
 * Portuguese (Portugal)[81]  
 * Russian[82]  
 * Spanish[83]  
 * Turkish[84]  

Ulrich Plate <plate@g.o> - Editor
Patrick Lauer <patrick@g.o> - Author

gentoo-gwn@g.o mailing list