---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 25 April 2005.
---------------------------------------------------------------------------
==============
1. Gentoo News
==============
Project Dolphin: Experimental rescue CD
---------------------------------------
Benjamin Judas[1] announced last Friday that the release-engineering team
has created a new experimental subproject called "Project Dolphin" in
order to provide a feature-enhanced LiveCD version targeted at system
rescue. Much like the unofficial French SysRescueCD[2] that is also based
on the Gentoo LiveCD, Project Dolphin aims at offering all the tools
needed for the recovery of broken installations, failing harddisks or
other systems in need of rescue.
1. beejay@gentoo.org
2. http://www.sysresccd.org/
Figure 1.1: Project Dolphin - LiveCD for rescue missions
http://www.gentoo.org/images/gwn/20050425_pd.png
Highlights of the CD include zsh, samba, bacula, mc, dar, mutt, xfsdump,
ide-smart, netcat, nmap, chrootkit, partimage, ncftp, centericq,
bind-tools, alsa-utils, mpg321. A very early test ISO image, actively
soliciting testers, has been made available in the experimental section of
the Gentoo mirrors[3] for download, in the /experimental/x86/livecd/x86
path. Users are strongly encouraged to submit comments to a freshly
introduced meta-bug[4], either to report problems or to request feature
additions. Thanks a lot for your support!
3. http://www.gentoo.org/main/en/mirrors.xml
4. http://bugs.gentoo.org/show_bug.cgi?id=90053
International Gentoo mailing list additions
-------------------------------------------
Two new mailing lists have been made available last week: The Dutch
version of the Gentoo Weekly Newsletter is now distributed in plain text
version via e-mail, at gentoo-gwn-nl@gentoo.org, shortly after being
translated from the English original. As all other newsletter lists, it is
for distribution only. Dutch and Flemish speaking readers of the GWN can
subscribe to the new list by sending an e-mail to
gentoo-gwn-nl-subscribe@gentoo.org and following the instructions in the
confirmation message they'll receive.
A regular support and discussion list has been set up for all Russian
Gentoo users, as Konstantin V. Arkhipov[5] announced last week.
gentoo-user-ru@gentoo.org can be subscribed by sending a blank message to
gentoo-user-ru-subscribe@gentoo.org. A full list of official Gentoo
mailing lists, both English and non-English ones, is available along with
usage instructions at the mailing list page[6].
5. voxus@gentoo.org
6. http://www.gentoo.org/main/en/lists.xml
========================
2. Developer of the week
========================
"Gentoo is Zen applied to software" -- Patrick Lauer (bonsaikitten)
-------------------------------------------------------------------
Figure 2.1: Patrick Lauer aka Bonsaikitten
http://www.gentoo.org/images/gwn/20050425_bonsaikitten.jpg
This week's featured developer is bonsaikitten[7], who goes by the name
Patrick Lauer in real life. He has no allegiance pledged to any particular
faction of Gentoo devhood, but likes to work on a bit of everything. Since
late 2004 he is also a regular contributor to the GWN, in particular the
gentoo-dev mailing list summaries and this column, the dev-of-the-week,
are usually authored by him.
7. patrick@gentoo.org
Patrick operates the gentooexperimental.org[8] server, offering ressources
for weird and unfinished ideas, including (but not limited to) tinderbox,
the script repository[9] and future (web-)rsync replacement candidates.
Planet Gentoo was first hosted on Patrick's server before being moved onto
official hardware managed by the Gentoo infrastructure team.
8. http://gentooexperimental.org
9.
During the day he's a student of Computer Science at the RWTH Aachen,
Germany, where he has started writing his thesis on "anonymous networks",
leaving precious little time for everything else, but after four and a
half years at the university he feels ready to move on. His computing
environment is a room full of crummy old hardware, a Quad Xeon, two
Athlons, and (courtesy of the CS faculty of his university) a 16-CPU
cluster.
He is a user of blackbox, firefox, licq, sometimes konqueror, and -- due
to vendor lock-in -- evolution, which seems to get less useful with every
revision, "as do all gnomes and trolls," says Patrick. He likes to work in
Python, but other languages are no problem, either - "unless they are
called Java and need longish incantations for every single statement."
When the weather permits he can be found mountainbiking in the woods and
fields around Aachen. He also enjoys good food, good (Belgian) beer, and
the presence of preferably highly intelligent and sexy women (although the
latter does not happen as often as desired). His motto is borrowed from
Alfred Lord Tennyson: "It is better to have loved and lost than never to
have loved at all."
=========================
3. Heard in the community
=========================
gentoo-dev
----------
Some new xorg ebuilds
For all those that desparately need the newest and most bleeding edge
stuff, Donnie Berkholz[10] has put some new xorg ebuilds in portage. Bug
reports are appreciated. Especially the 6.8.99.* snapshots might be
interesting to try out - but be warned, it might break ...
10. spyderous@gentoo.org
* new xorg ebuilds [11]
11. http://thread.gmane.org/gmane.linux.gentoo.devel/27145
Category rename
Since there are many proxies (but not all of them www only), the www-proxy
category might be renamed to net-proxy. All the SOCKS, www, ftp etc.
proxies will then be easy to find in their new category.
* Category rename [12]
12. http://thread.gmane.org/gmane.linux.gentoo.devel/27153
Gentoo as a development platform
Daniel Drake[13] starts a discussion on how to use Gentoo as a development
platform where you usually have to pull in various fixes from CVS. How do
you keep everything under portage's control while still being able to fix
things? Does portage support live CVS ebuilds in a sane fashion? Read on
to find out more.
13. dsd@gentoo.org
* Gentoo as development platform [14]
14. http://thread.gmane.org/gmane.linux.gentoo.devel/27088
Apache problems
As some of you might have noticed, the Gentoo Apache team has done some
quite extensive changes to the newest versions of Apache. This was done
for various reasons, including (but not limited to) easier maintenance.
This has caused various problems since there is no easy migration path,
and most users don't want to throw away their apache config and start from
scratch. Because of this the newest versions are package.mask'ed until
this situation is resolved.
* package.mask'ing the new apache ebuilds [15]
* new apache stuff in testing[16]
15. http://thread.gmane.org/gmane.linux.gentoo.devel/27071
16. http://thread.gmane.org/gmane.linux.gentoo.devel/27208
=======================
4. Gentoo International
=======================
Switzerland: Pentoo - Gentoo-based intrusion detection LiveCD
-------------------------------------------------------------
"Pentoo"[17] is an acronym for "PENetration on genTOO". It is based on
kernel version 2.6.10, uses the Gnome desktop environment, and aims to
provide a complete platform for intrusion detection, penetration-testing
and security assessment. The content of the LiveCD can be updated,
allowing for up-to-date fingerprint and vulnerability databases, for tools
that require regular updates like the Nessus plugins, or scanner
fingerprint files, metasploit etc. Users can optionaly store data on USB
sticks for non-volatile storage support. Pentoo's author, Michael
Zanetta[18], emphasizes that "it has to be considered beta as I have not
much time to test it carefully," so feedback and comments are very
welcome, at bugs@pentoo.ch. A roadmap for the project[19] is available,
too.
17. http://www.netsc.ch/pentoo/
18. grimmlin@pentoo.ch
19. http://www.netsc.ch/pentoo/project.txt
Figure 4.1: Penetration testing based on Gentoo: Swiss 'Pentoo'
http://www.gentoo.org/images/gwn/20050425_pentoo.png
======================
5. Gentoo in the press
======================
Somos libres (25 April 2005, in Spanish)
----------------------------------------
Today's edition of the Peruvian "Free and Open Software User Group"
website at Somos Libres has an interview with Daniel Oliveira,[20] one of
the heads of the Gentoo spin-off project Ututo[21] developed at and around
the university of Buenos Aires in neighboring Argentina. Oliveira, who
represents a core team of 37 developers busy pushing Ututo to individual
users, but also into municipal services and small and medium enterprises
in Argentina, explains the history and the current status of the project.
20. http://somoslibres.org/modules.php?name=News&file=article&sid=518
21. https://e.ututo.org.ar/indexes.html
===========================
6. Moves, adds, and changes
===========================
Moves
-----
The following developers recently left the Gentoo team:
* None this week
Adds
----
The following developers recently joined the Gentoo Linux team:
* Herbie Hopkins (Herbs) - AMD64
Changes
-------
The following developers recently changed roles within the Gentoo Linux
project:
* None this week
==================
7. Gentoo security
==================
phpMyAdmin: Cross-site scripting vulnerability
----------------------------------------------
phpMyAdmin is vulnerable to a cross-site scripting attack.
For more information, please see the GLSA Announcement[22]
22. http://www.gentoo.org/security/en/glsa/glsa-200504-08.xml
Axel: Vulnerability in HTTP redirection handling
------------------------------------------------
A buffer overflow vulnerability has been found in Axel which could lead to
the execution of arbitrary code.
For more information, please see the GLSA Announcement[23]
23. http://www.gentoo.org/security/en/glsa/glsa-200504-09.xml
Gld: Remote execution of arbitrary code
---------------------------------------
Gld contains several serious vulnerabilities, potentially resulting in the
execution of arbitrary code as the root user.
For more information, please see the GLSA Announcement[24]
24. http://www.gentoo.org/security/en/glsa/glsa-200504-10.xml
JunkBuster: Multiple vulnerabilities
------------------------------------
JunkBuster is vulnerable to a heap corruption vulnerability, and under
certain configurations may allow an attacker to modify settings.
For more information, please see the GLSA Announcement[25]
25. http://www.gentoo.org/security/en/glsa/glsa-200504-11.xml
rsnapshot: Local privilege escalation
-------------------------------------
rsnapshot allows a local user to take ownership of local files, resulting
in privilege escalation.
For more information, please see the GLSA Announcement[26]
26. http://www.gentoo.org/security/en/glsa/glsa-200504-12.xml
OpenOffice.Org: DOC document Heap Overflow
------------------------------------------
OpenOffice.Org is vulnerable to a heap overflow when processing DOC
documents, which could lead to arbitrary code execution.
For more information, please see the GLSA Announcement[27]
27. http://www.gentoo.org/security/en/glsa/glsa-200504-13.xml
monkeyd: Multiple vulnerabilities
---------------------------------
Format string and Denial of Service vulnerabilities have been discovered
in the monkeyd HTTP server, potentially resulting in the execution of
arbitrary code.
For more information, please see the GLSA Announcement[28]
28. http://www.gentoo.org/security/en/glsa/glsa-200504-14.xml
PHP: Multiple vulnerabilities
-----------------------------
Several vulnerabilities were found and fixed in PHP image handling
functions, potentially resulting in Denial of Service conditions or the
remote execution of arbitrary code.
For more information, please see the GLSA Announcement[29]
29. http://www.gentoo.org/security/en/glsa/glsa-200504-15.xml
CVS: Multiple vulnerabilities
-----------------------------
Several serious vulnerabilities have been found in CVS, which may allow an
attacker to remotely compromise a CVS server or cause a DoS.
For more information, please see the GLSA Announcement[30]
30. http://www.gentoo.org/security/en/glsa/glsa-200504-16.xml
XV: Multiple vulnerabilities
----------------------------
Multiple vulnerabilities have been discovered in XV, potentially resulting
in the execution of arbitrary code.
For more information, please see the GLSA Announcement[31]
31. http://www.gentoo.org/security/en/glsa/glsa-200504-17.xml
Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities
--------------------------------------------------------
New Mozilla Firefox and Mozilla Suite releases fix new security
vulnerabilities, including memory disclosure and various ways of executing
JavaScript code with elevated privileges.
For more information, please see the GLSA Announcement[32]
32. http://www.gentoo.org/security/en/glsa/glsa-200504-18.xml
MPlayer: Two heap overflow vulnerabilities
------------------------------------------
Two vulnerabilities have been found in MPlayer which could lead to the
remote execution of arbitrary code.
For more information, please see the GLSA Announcement[33]
33. http://www.gentoo.org/security/en/glsa/glsa-200504-19.xml
openMosixview: Insecure temporary file creation
-----------------------------------------------
openMosixview and the openMosixcollector daemon are vulnerable to symlink
attacks, potentially allowing a local user to overwrite arbitrary files.
For more information, please see the GLSA Announcement[34]
34. http://www.gentoo.org/security/en/glsa/glsa-200504-20.xml
RealPlayer, Helix Player: Buffer overflow vulnerability
-------------------------------------------------------
RealPlayer and Helix Player are vulnerable to a buffer overflow that could
lead to remote execution of arbitrary code.
For more information, please see the GLSA Announcement[35]
35. http://www.gentoo.org/security/en/glsa/glsa-200504-21.xml
KDE kimgio: PCX handling buffer overflow
----------------------------------------
KDE fails to properly validate input when handling PCX images, potentially
resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement[36]
36. http://www.gentoo.org/security/en/glsa/glsa-200504-22.xml
Kommander: Insecure remote script execution
-------------------------------------------
Kommander executes remote scripts without confirmation, potentially
resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement[37]
37. http://www.gentoo.org/security/en/glsa/glsa-200504-23.xml
===========
8. Bugzilla
===========
Summary
-------
* Statistics
* Closed bug ranking
* New bug rankings
Statistics
----------
The Gentoo community uses Bugzilla (bugs.gentoo.org[38]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 17 April 2005 and 24 April 2005, activity on the
site has resulted in:
38. http://bugs.gentoo.org
* 817 new bugs during this period
* 493 bugs closed or resolved during this period
* 14 previously closed bugs were reopened this period
Of the 8497 currently open bugs: 89 are labeled 'blocker', 231 are labeled
'critical', and 628 are labeled 'major'.
Closed bug rankings
-------------------
The developers and teams who have closed the most bugs during this period
are:
* media-video herd[39], with 44 closed bugs[40]
* AMD64 Porting Team[41], with 43 closed bugs[42]
* Gentoo Sound Team[43], with 19 closed bugs[44]
* Gentoo Security[45], with 18 closed bugs[46]
* Jeremy Huddleston[47], with 16 closed bugs[48]
* Java team[49], with 13 closed bugs[50]
* Gentoo Science Related Packages[51], with 12 closed bugs[52]
* Daniel Black[53], with 12 closed bugs[54]
39. media-video@gentoo.org
40.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=media-video@gentoo.org
41. amd64@gentoo.org
42.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=amd64@gentoo.org
43. sound@gentoo.org
44.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=sound@gentoo.org
45. security@gentoo.org
46.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=security@gentoo.org
47. eradicator@gentoo.org
48.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=eradicator@gentoo.org
49. java@gentoo.org
50.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=java@gentoo.org
51. sci@gentoo.org
52.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=sci@gentoo.org
53. dragonheart@gentoo.org
54.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=dragonheart@gentoo.org
New bug rankings
----------------
The developers and teams who have been assigned the most new bugs during
this period are:
* Gentoo Linux bug wranglers[55], with 19 new bugs[56]
* Mozilla Gentoo Team[57], with 13 new bugs[58]
* media-video herd[59], with 13 new bugs[60]
* Gentoo Sound Team[61], with 11 new bugs[62]
* Jeremy Huddleston[63], with 11 new bugs[64]
* Television related Applications in Gentoo's Portage[65], with 10 new
bugs[66]
* Gentoo KDE team[67], with 9 new bugs[68]
* Gentoo Linux Gnome Desktop Team[69], with 9 new bugs[70]
55. bug-wranglers@gentoo.org
56.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=bug-wranglers@gentoo.org
57. mozilla@gentoo.org
58.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=mozilla@gentoo.org
59. media-video@gentoo.org
60.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=media-video@gentoo.org
61. sound@gentoo.org
62.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=sound@gentoo.org
63. eradicator@gentoo.org
64.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=eradicator@gentoo.org
65. media-tv@gentoo.org
66.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=media-tv@gentoo.org
67. kde@gentoo.org
68.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=kde@gentoo.org
69. gnome@gentoo.org
70.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=gnome@gentoo.org
===============
9. GWN feedback
===============
Please send us your feedback[71] and help make the GWN better.
71. gwn-feedback@gentoo.org
================================
10. GWN subscription information
================================
To subscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-subscribe@gentoo.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-unsubscribe@gentoo.org from the email address you are
subscribed under.
===================
11. Other languages
===================
The Gentoo Weekly Newsletter is also available in the following languages:
* Danish[72]
* Dutch[73]
* English[74]
* German[75]
* French[76]
* Japanese[77]
* Italian[78]
* Polish[79]
* Portuguese (Brazil)[80]
* Portuguese (Portugal)[81]
* Russian[82]
* Spanish[83]
* Turkish[84]
72. http://www.gentoo.org/news/da/gwn/gwn.xml
73. http://www.gentoo.org/news/nl/gwn/gwn.xml
74. http://www.gentoo.org/news/en/gwn/gwn.xml
75. http://www.gentoo.org/news/de/gwn/gwn.xml
76. http://www.gentoo.org/news/fr/gwn/gwn.xml
77. http://www.gentoo.org/news/ja/gwn/gwn.xml
78. http://www.gentoo.org/news/it/gwn/gwn.xml
79. http://www.gentoo.org/news/pl/gwn/gwn.xml
80. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
81. http://www.gentoo.org/news/pt/gwn/gwn.xml
82. http://www.gentoo.org/news/ru/gwn/gwn.xml
83. http://www.gentoo.org/news/es/gwn/gwn.xml
84. http://www.gentoo.org/news/tr/gwn/gwn.xml
Ulrich Plate <plate@gentoo.org> - Editor
Patrick Lauer <patrick@gentoo.org> - Author
--
gentoo-gwn@gentoo.org mailing list
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 25 April 2005.
---------------------------------------------------------------------------
==============
1. Gentoo News
==============
Project Dolphin: Experimental rescue CD
---------------------------------------
Benjamin Judas[1] announced last Friday that the release-engineering team
has created a new experimental subproject called "Project Dolphin" in
order to provide a feature-enhanced LiveCD version targeted at system
rescue. Much like the unofficial French SysRescueCD[2] that is also based
on the Gentoo LiveCD, Project Dolphin aims at offering all the tools
needed for the recovery of broken installations, failing harddisks or
other systems in need of rescue.
1. beejay@gentoo.org
2. http://www.sysresccd.org/
Figure 1.1: Project Dolphin - LiveCD for rescue missions
http://www.gentoo.org/images/gwn/20050425_pd.png
Highlights of the CD include zsh, samba, bacula, mc, dar, mutt, xfsdump,
ide-smart, netcat, nmap, chrootkit, partimage, ncftp, centericq,
bind-tools, alsa-utils, mpg321. A very early test ISO image, actively
soliciting testers, has been made available in the experimental section of
the Gentoo mirrors[3] for download, in the /experimental/x86/livecd/x86
path. Users are strongly encouraged to submit comments to a freshly
introduced meta-bug[4], either to report problems or to request feature
additions. Thanks a lot for your support!
3. http://www.gentoo.org/main/en/mirrors.xml
4. http://bugs.gentoo.org/show_bug.cgi?id=90053
International Gentoo mailing list additions
-------------------------------------------
Two new mailing lists have been made available last week: The Dutch
version of the Gentoo Weekly Newsletter is now distributed in plain text
version via e-mail, at gentoo-gwn-nl@gentoo.org, shortly after being
translated from the English original. As all other newsletter lists, it is
for distribution only. Dutch and Flemish speaking readers of the GWN can
subscribe to the new list by sending an e-mail to
gentoo-gwn-nl-subscribe@gentoo.org and following the instructions in the
confirmation message they'll receive.
A regular support and discussion list has been set up for all Russian
Gentoo users, as Konstantin V. Arkhipov[5] announced last week.
gentoo-user-ru@gentoo.org can be subscribed by sending a blank message to
gentoo-user-ru-subscribe@gentoo.org. A full list of official Gentoo
mailing lists, both English and non-English ones, is available along with
usage instructions at the mailing list page[6].
5. voxus@gentoo.org
6. http://www.gentoo.org/main/en/lists.xml
========================
2. Developer of the week
========================
"Gentoo is Zen applied to software" -- Patrick Lauer (bonsaikitten)
-------------------------------------------------------------------
Figure 2.1: Patrick Lauer aka Bonsaikitten
http://www.gentoo.org/images/gwn/20050425_bonsaikitten.jpg
This week's featured developer is bonsaikitten[7], who goes by the name
Patrick Lauer in real life. He has no allegiance pledged to any particular
faction of Gentoo devhood, but likes to work on a bit of everything. Since
late 2004 he is also a regular contributor to the GWN, in particular the
gentoo-dev mailing list summaries and this column, the dev-of-the-week,
are usually authored by him.
7. patrick@gentoo.org
Patrick operates the gentooexperimental.org[8] server, offering ressources
for weird and unfinished ideas, including (but not limited to) tinderbox,
the script repository[9] and future (web-)rsync replacement candidates.
Planet Gentoo was first hosted on Patrick's server before being moved onto
official hardware managed by the Gentoo infrastructure team.
8. http://gentooexperimental.org
9.
During the day he's a student of Computer Science at the RWTH Aachen,
Germany, where he has started writing his thesis on "anonymous networks",
leaving precious little time for everything else, but after four and a
half years at the university he feels ready to move on. His computing
environment is a room full of crummy old hardware, a Quad Xeon, two
Athlons, and (courtesy of the CS faculty of his university) a 16-CPU
cluster.
He is a user of blackbox, firefox, licq, sometimes konqueror, and -- due
to vendor lock-in -- evolution, which seems to get less useful with every
revision, "as do all gnomes and trolls," says Patrick. He likes to work in
Python, but other languages are no problem, either - "unless they are
called Java and need longish incantations for every single statement."
When the weather permits he can be found mountainbiking in the woods and
fields around Aachen. He also enjoys good food, good (Belgian) beer, and
the presence of preferably highly intelligent and sexy women (although the
latter does not happen as often as desired). His motto is borrowed from
Alfred Lord Tennyson: "It is better to have loved and lost than never to
have loved at all."
=========================
3. Heard in the community
=========================
gentoo-dev
----------
Some new xorg ebuilds
For all those that desparately need the newest and most bleeding edge
stuff, Donnie Berkholz[10] has put some new xorg ebuilds in portage. Bug
reports are appreciated. Especially the 6.8.99.* snapshots might be
interesting to try out - but be warned, it might break ...
10. spyderous@gentoo.org
* new xorg ebuilds [11]
11. http://thread.gmane.org/gmane.linux.gentoo.devel/27145
Category rename
Since there are many proxies (but not all of them www only), the www-proxy
category might be renamed to net-proxy. All the SOCKS, www, ftp etc.
proxies will then be easy to find in their new category.
* Category rename [12]
12. http://thread.gmane.org/gmane.linux.gentoo.devel/27153
Gentoo as a development platform
Daniel Drake[13] starts a discussion on how to use Gentoo as a development
platform where you usually have to pull in various fixes from CVS. How do
you keep everything under portage's control while still being able to fix
things? Does portage support live CVS ebuilds in a sane fashion? Read on
to find out more.
13. dsd@gentoo.org
* Gentoo as development platform [14]
14. http://thread.gmane.org/gmane.linux.gentoo.devel/27088
Apache problems
As some of you might have noticed, the Gentoo Apache team has done some
quite extensive changes to the newest versions of Apache. This was done
for various reasons, including (but not limited to) easier maintenance.
This has caused various problems since there is no easy migration path,
and most users don't want to throw away their apache config and start from
scratch. Because of this the newest versions are package.mask'ed until
this situation is resolved.
* package.mask'ing the new apache ebuilds [15]
* new apache stuff in testing[16]
15. http://thread.gmane.org/gmane.linux.gentoo.devel/27071
16. http://thread.gmane.org/gmane.linux.gentoo.devel/27208
=======================
4. Gentoo International
=======================
Switzerland: Pentoo - Gentoo-based intrusion detection LiveCD
-------------------------------------------------------------
"Pentoo"[17] is an acronym for "PENetration on genTOO". It is based on
kernel version 2.6.10, uses the Gnome desktop environment, and aims to
provide a complete platform for intrusion detection, penetration-testing
and security assessment. The content of the LiveCD can be updated,
allowing for up-to-date fingerprint and vulnerability databases, for tools
that require regular updates like the Nessus plugins, or scanner
fingerprint files, metasploit etc. Users can optionaly store data on USB
sticks for non-volatile storage support. Pentoo's author, Michael
Zanetta[18], emphasizes that "it has to be considered beta as I have not
much time to test it carefully," so feedback and comments are very
welcome, at bugs@pentoo.ch. A roadmap for the project[19] is available,
too.
17. http://www.netsc.ch/pentoo/
18. grimmlin@pentoo.ch
19. http://www.netsc.ch/pentoo/project.txt
Figure 4.1: Penetration testing based on Gentoo: Swiss 'Pentoo'
http://www.gentoo.org/images/gwn/20050425_pentoo.png
======================
5. Gentoo in the press
======================
Somos libres (25 April 2005, in Spanish)
----------------------------------------
Today's edition of the Peruvian "Free and Open Software User Group"
website at Somos Libres has an interview with Daniel Oliveira,[20] one of
the heads of the Gentoo spin-off project Ututo[21] developed at and around
the university of Buenos Aires in neighboring Argentina. Oliveira, who
represents a core team of 37 developers busy pushing Ututo to individual
users, but also into municipal services and small and medium enterprises
in Argentina, explains the history and the current status of the project.
20. http://somoslibres.org/modules.php?name=News&file=article&sid=518
21. https://e.ututo.org.ar/indexes.html
===========================
6. Moves, adds, and changes
===========================
Moves
-----
The following developers recently left the Gentoo team:
* None this week
Adds
----
The following developers recently joined the Gentoo Linux team:
* Herbie Hopkins (Herbs) - AMD64
Changes
-------
The following developers recently changed roles within the Gentoo Linux
project:
* None this week
==================
7. Gentoo security
==================
phpMyAdmin: Cross-site scripting vulnerability
----------------------------------------------
phpMyAdmin is vulnerable to a cross-site scripting attack.
For more information, please see the GLSA Announcement[22]
22. http://www.gentoo.org/security/en/glsa/glsa-200504-08.xml
Axel: Vulnerability in HTTP redirection handling
------------------------------------------------
A buffer overflow vulnerability has been found in Axel which could lead to
the execution of arbitrary code.
For more information, please see the GLSA Announcement[23]
23. http://www.gentoo.org/security/en/glsa/glsa-200504-09.xml
Gld: Remote execution of arbitrary code
---------------------------------------
Gld contains several serious vulnerabilities, potentially resulting in the
execution of arbitrary code as the root user.
For more information, please see the GLSA Announcement[24]
24. http://www.gentoo.org/security/en/glsa/glsa-200504-10.xml
JunkBuster: Multiple vulnerabilities
------------------------------------
JunkBuster is vulnerable to a heap corruption vulnerability, and under
certain configurations may allow an attacker to modify settings.
For more information, please see the GLSA Announcement[25]
25. http://www.gentoo.org/security/en/glsa/glsa-200504-11.xml
rsnapshot: Local privilege escalation
-------------------------------------
rsnapshot allows a local user to take ownership of local files, resulting
in privilege escalation.
For more information, please see the GLSA Announcement[26]
26. http://www.gentoo.org/security/en/glsa/glsa-200504-12.xml
OpenOffice.Org: DOC document Heap Overflow
------------------------------------------
OpenOffice.Org is vulnerable to a heap overflow when processing DOC
documents, which could lead to arbitrary code execution.
For more information, please see the GLSA Announcement[27]
27. http://www.gentoo.org/security/en/glsa/glsa-200504-13.xml
monkeyd: Multiple vulnerabilities
---------------------------------
Format string and Denial of Service vulnerabilities have been discovered
in the monkeyd HTTP server, potentially resulting in the execution of
arbitrary code.
For more information, please see the GLSA Announcement[28]
28. http://www.gentoo.org/security/en/glsa/glsa-200504-14.xml
PHP: Multiple vulnerabilities
-----------------------------
Several vulnerabilities were found and fixed in PHP image handling
functions, potentially resulting in Denial of Service conditions or the
remote execution of arbitrary code.
For more information, please see the GLSA Announcement[29]
29. http://www.gentoo.org/security/en/glsa/glsa-200504-15.xml
CVS: Multiple vulnerabilities
-----------------------------
Several serious vulnerabilities have been found in CVS, which may allow an
attacker to remotely compromise a CVS server or cause a DoS.
For more information, please see the GLSA Announcement[30]
30. http://www.gentoo.org/security/en/glsa/glsa-200504-16.xml
XV: Multiple vulnerabilities
----------------------------
Multiple vulnerabilities have been discovered in XV, potentially resulting
in the execution of arbitrary code.
For more information, please see the GLSA Announcement[31]
31. http://www.gentoo.org/security/en/glsa/glsa-200504-17.xml
Mozilla Firefox, Mozilla Suite: Multiple vulnerabilities
--------------------------------------------------------
New Mozilla Firefox and Mozilla Suite releases fix new security
vulnerabilities, including memory disclosure and various ways of executing
JavaScript code with elevated privileges.
For more information, please see the GLSA Announcement[32]
32. http://www.gentoo.org/security/en/glsa/glsa-200504-18.xml
MPlayer: Two heap overflow vulnerabilities
------------------------------------------
Two vulnerabilities have been found in MPlayer which could lead to the
remote execution of arbitrary code.
For more information, please see the GLSA Announcement[33]
33. http://www.gentoo.org/security/en/glsa/glsa-200504-19.xml
openMosixview: Insecure temporary file creation
-----------------------------------------------
openMosixview and the openMosixcollector daemon are vulnerable to symlink
attacks, potentially allowing a local user to overwrite arbitrary files.
For more information, please see the GLSA Announcement[34]
34. http://www.gentoo.org/security/en/glsa/glsa-200504-20.xml
RealPlayer, Helix Player: Buffer overflow vulnerability
-------------------------------------------------------
RealPlayer and Helix Player are vulnerable to a buffer overflow that could
lead to remote execution of arbitrary code.
For more information, please see the GLSA Announcement[35]
35. http://www.gentoo.org/security/en/glsa/glsa-200504-21.xml
KDE kimgio: PCX handling buffer overflow
----------------------------------------
KDE fails to properly validate input when handling PCX images, potentially
resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement[36]
36. http://www.gentoo.org/security/en/glsa/glsa-200504-22.xml
Kommander: Insecure remote script execution
-------------------------------------------
Kommander executes remote scripts without confirmation, potentially
resulting in the execution of arbitrary code.
For more information, please see the GLSA Announcement[37]
37. http://www.gentoo.org/security/en/glsa/glsa-200504-23.xml
===========
8. Bugzilla
===========
Summary
-------
* Statistics
* Closed bug ranking
* New bug rankings
Statistics
----------
The Gentoo community uses Bugzilla (bugs.gentoo.org[38]) to record and
track bugs, notifications, suggestions and other interactions with the
development team. Between 17 April 2005 and 24 April 2005, activity on the
site has resulted in:
38. http://bugs.gentoo.org
* 817 new bugs during this period
* 493 bugs closed or resolved during this period
* 14 previously closed bugs were reopened this period
Of the 8497 currently open bugs: 89 are labeled 'blocker', 231 are labeled
'critical', and 628 are labeled 'major'.
Closed bug rankings
-------------------
The developers and teams who have closed the most bugs during this period
are:
* media-video herd[39], with 44 closed bugs[40]
* AMD64 Porting Team[41], with 43 closed bugs[42]
* Gentoo Sound Team[43], with 19 closed bugs[44]
* Gentoo Security[45], with 18 closed bugs[46]
* Jeremy Huddleston[47], with 16 closed bugs[48]
* Java team[49], with 13 closed bugs[50]
* Gentoo Science Related Packages[51], with 12 closed bugs[52]
* Daniel Black[53], with 12 closed bugs[54]
39. media-video@gentoo.org
40.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=media-video@gentoo.org
41. amd64@gentoo.org
42.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=amd64@gentoo.org
43. sound@gentoo.org
44.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=sound@gentoo.org
45. security@gentoo.org
46.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=security@gentoo.org
47. eradicator@gentoo.org
48.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=eradicator@gentoo.org
49. java@gentoo.org
50.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=java@gentoo.org
51. sci@gentoo.org
52.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=sci@gentoo.org
53. dragonheart@gentoo.org
54.
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2005-04-17&chfieldto=2005-04-24&resolution=FIXED&assigned_to=dragonheart@gentoo.org
New bug rankings
----------------
The developers and teams who have been assigned the most new bugs during
this period are:
* Gentoo Linux bug wranglers[55], with 19 new bugs[56]
* Mozilla Gentoo Team[57], with 13 new bugs[58]
* media-video herd[59], with 13 new bugs[60]
* Gentoo Sound Team[61], with 11 new bugs[62]
* Jeremy Huddleston[63], with 11 new bugs[64]
* Television related Applications in Gentoo's Portage[65], with 10 new
bugs[66]
* Gentoo KDE team[67], with 9 new bugs[68]
* Gentoo Linux Gnome Desktop Team[69], with 9 new bugs[70]
55. bug-wranglers@gentoo.org
56.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=bug-wranglers@gentoo.org
57. mozilla@gentoo.org
58.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=mozilla@gentoo.org
59. media-video@gentoo.org
60.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=media-video@gentoo.org
61. sound@gentoo.org
62.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=sound@gentoo.org
63. eradicator@gentoo.org
64.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=eradicator@gentoo.org
65. media-tv@gentoo.org
66.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=media-tv@gentoo.org
67. kde@gentoo.org
68.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=kde@gentoo.org
69. gnome@gentoo.org
70.
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2005-04-17&chfieldto=2005-04-24&assigned_to=gnome@gentoo.org
===============
9. GWN feedback
===============
Please send us your feedback[71] and help make the GWN better.
71. gwn-feedback@gentoo.org
================================
10. GWN subscription information
================================
To subscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-subscribe@gentoo.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to
gentoo-gwn-unsubscribe@gentoo.org from the email address you are
subscribed under.
===================
11. Other languages
===================
The Gentoo Weekly Newsletter is also available in the following languages:
* Danish[72]
* Dutch[73]
* English[74]
* German[75]
* French[76]
* Japanese[77]
* Italian[78]
* Polish[79]
* Portuguese (Brazil)[80]
* Portuguese (Portugal)[81]
* Russian[82]
* Spanish[83]
* Turkish[84]
72. http://www.gentoo.org/news/da/gwn/gwn.xml
73. http://www.gentoo.org/news/nl/gwn/gwn.xml
74. http://www.gentoo.org/news/en/gwn/gwn.xml
75. http://www.gentoo.org/news/de/gwn/gwn.xml
76. http://www.gentoo.org/news/fr/gwn/gwn.xml
77. http://www.gentoo.org/news/ja/gwn/gwn.xml
78. http://www.gentoo.org/news/it/gwn/gwn.xml
79. http://www.gentoo.org/news/pl/gwn/gwn.xml
80. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
81. http://www.gentoo.org/news/pt/gwn/gwn.xml
82. http://www.gentoo.org/news/ru/gwn/gwn.xml
83. http://www.gentoo.org/news/es/gwn/gwn.xml
84. http://www.gentoo.org/news/tr/gwn/gwn.xml
Ulrich Plate <plate@gentoo.org> - Editor
Patrick Lauer <patrick@gentoo.org> - Author
--
gentoo-gwn@gentoo.org mailing list