ModSecurity: Denial of Service
Two vulnerabilities in ModSecurity might lead to a Denial of Service.
See GLSA 200907-02 for more information.

libwmf: User-assisted execution of arbitrary code
libwmf bundles an old GD version which contains a "use-after-free" vulnerability.
See GLSA 200907-01 for more information.

Wireshark: Multiple vulnerabilities
Multiple vulnerabilities have been discovered in Wireshark which allow for Denial of Service or remote code execution.
See GLSA 200906-05 for more information.

Apache Tomcat JK Connector: Information disclosure
An error in the Apache Tomcat JK Connector might allow for an information disclosure flaw.
See GLSA 200906-04 for more information.

phpMyAdmin: Multiple vulnerabilities
Multiple errors in phpMyAdmin might allow the remote execution of arbitrary code or a Cross-Site Scripting attack.
See GLSA 200906-03 for more information.

Ruby: Denial of Service
A flaw in the Ruby standard library might allow remote attackers to cause a Denial of Service attack.
See GLSA 200906-02 for more information.

libpng: Information disclosure
A vulnerability has been discovered in libpng that allows for information disclosure.
See GLSA 200906-01 for more information.

LinuxTag 2009 runs from June 24th to June 27th in Berlin, Germany. With almost 12,000 visitors last year, it is one of the biggest Linux and open source events in Europe.

You will find the Gentoo booth at Hall 7.2a, Booth 101a, right next to the entrance. Come and visit us! You will meet many of our developers and users, talk with us, plus get some of the Gentoo merchandise you have always wanted.

Discuss this!

Robert Buchholz and Alex Legler contributed the draft for this announcement.

libsndfile: User-assisted execution of arbitrary code
Multiple heap-based buffer overflow vulnerabilities in libsndfile might allow remote attackers to execute arbitrary code.
See GLSA 200905-09 for more information.

NTP: Remote execution of arbitrary code
Multiple errors in the NTP client and server programs might allow for the remote execution of arbitrary code.
See GLSA 200905-08 for more information.

Gentoo has been accepted for its 4th consecutive year in the Google Summer of Code! Check out our GSoC 2009 homepage if you are interested in this year's GSoC for Gentoo.

If you'd like to apply to be a mentor, you can do so on the webapp. Please read the mentoring guide before applying.

Interested students can browse Gentoo's project ideas and student applications will be accepted starting March 23rd.

The Gentoo embedded team would like to announce that we will be automatically building and releasing stages for ARM and SuperH/SH. We hope these stages will help out people interested in developing embedded linux applications.

On the ARM side, we are currently releasing stages for the following CHOSTs:

• arm-unknown-linux-gnu (old ABI, in progress)
• armv4l-unknown-linux-gnu (old ABI, in progress)
• armv4tl-softfloat-linux-gnueabi (EABI)
• armv5tel-softfloat-linux-gnueabi (EABI)

On the SuperH/SH side, we are currently releasing stages for the following processors:

• sh4
• sh4a

The stages are available under the /releases/arm/autobuilds directory for ARM and /releases/sh/autobuilds for SH at your favorite mirror.

Because building stages for these architectures takes a while, we plan on releasing stages on a monthly or bi-monthly basis. If you would like to talk about Gentoo on those architectures, please join us on #gentoo-embedded @ irc.freenode.net.

We would like to thank QNAP Inc. and Marvell Technology Group for providing us with support and hardware for ARM based chips. However we would like to expand our ARM support to the armv6 and armv7 processors. If you or your company can provide us with some hardware we would greatly appreciate it. Please contact the Gentoo ARM team if you or your company are able to assist us.

We would like to also thank Renesas Technology Corp. who has graciously provided us hardware and support for the SuperH platform.

As you can see, your favorite website now displays more information, reflecting the activity that's been going on behind the scenes all along. Thanks to popular demand, the latest blog posts from planet.gentoo.org, packages from packages.gentoo.org and security announcements are summed up on Gentoo's home page.

Discuss this!

What: Gentoo contributors get together to help each other fix bugs

Where: irc.freenode.net, #gentoo-bugs

When: Saturday, January 3, in a timezone near you

What do you need to bring?

• A Gentoo system, an Internet connection and an IRC client
• Your bug. If you don't have one, we will find you one to suit your area of interest and your skills
• Your favorite editor
• A way to test that your bug is fixed (asking people counts!)
• You don't need to know C, C++, or bash

What's a bug? Gentoo's way of tracking change requests. A change request can be anything from "I've found a typo in foo" to "I've built this really useful program called bar but there's no ebuild for it." Bugs have various levels of helpfulness, from identifying the existence of a problem to localizing the problem to providing the patch to fix it.

There are bugs in documentation such as man pages as well as ebuilds and the source code that Gentoo distributes. These bugs are problem reports. Bugs for things Gentoo doesn't do yet but you think should be done are feature requests. Bugday is more about fixing problems than adding features, but you won't be turned away if you want help with a new feature.

Want to know more about Bugday? It's held on the first Saturday of every month. It's an opportunity for everyone to contribute to making Gentoo better, and eventually you might even become a Gentoo developer. See the Bugday project page for more details.

Bugday is about community spirit. Gentoo is a community—there is no "me" and "them", there is only "we," so instead of lobbying for "them" to fix your particular bug, work together to fix it! Bugday is an opportunity to get help to help yourself.

If you've been wanting to get involved but weren't sure how, Bugday is a great way for you to see what goes on in making a distribution and get involved in Gentoo.

Discuss this!

Roy Bamford contributed the draft for this announcement.

The time has come! Our release engineers have been refining their automated builds of the minimal CD and stage3 tarballs, and the first builds are uploaded to our mirrors. Select your favorite mirror and navigate to the /experimental/ directory. Under the x86, amd64, ia64, alpha, and sparc64 architectures, the autobuilds directory contains stages. So far, minimal CD images are only available for x86 and amd64.

We're still working to add automated builds for ppc, ppc64 and hppa as well as CD images for architectures lacking them. We built the stage3 tarballs from the latest stable packages. Fresh builds will show up every week, although sometimes we might skip a week if build problems crop up.

Because these builds are automated, they have not been rigorously tested as the old releases. Occasionally, you might run into problems. If that happens, just try a file from a different week.

Please try out these new builds and leave your feedback on the forums. As always, please report any bugs on Bugzilla.

Happy holidays!

Discuss this!

Ben de Groot contributed the draft for this announcement.

The November issue of the Gentoo Monthly Newsletter has been released. In this month's issue: Kernel team, Incognito, Gentoo-wiki returns, and more!

Discuss This!

The September issue of the Gentoo Monthly Newsletter has been released. In this month's issue: EAPI-2 approved, Gentoo-Quebec training, learn to use iotop, and more!

Discuss This!

In future releases, Gentoo will focus on a more back-to-basics approach that will give you up-to-date install media on a regular basis and make much better use of our human resources. We're looking into automated weekly builds of the minimal CDs and stage tarballs as well as maybe an annual LiveCD release. We will keep you updated as we decide on the details of this new approach.

Consequently, we're canceling the 2008.1 release. The release engineering team has to reconsider its priorities—we overstretched our human resources during the prolonged 2008.0 release process. This caused too much stress for our release engineers and multiple postponements of the release.

You can help! The release engineering team is looking for new volunteers because it perpetually has a severe lack of manpower. We are particularly looking for people with a good grasp of ebuild development and the ability to debug/fix problems that crop up during building and testing of the stage tarballs and ISO images. We will update the staffing needs page with more details.

Discuss this!

Ben de Groot contributed the draft for this announcement.