
Gentoo Weekly Newsletter: February 24th, 2003

Content:

1.  Gentoo News

Summary

Gentoo Linux partners with NeTraverse

The Gentoo Linux project recently reached an agreement with NeTraverse to bring Win4Lin to Gentoo users at a reduced price. Win4Lin lets you run Windows applications under Gentoo Linux at native speeds and can help bridge the gap between the stability of Linux and the vast number of Windows applications.

Gentoo users who purchase the Gentoo Edition of Win4Lin enjoy a $10 discount off the regular $89.99 price. Additionally, each purchase helps support further development of Gentoo Linux. There is also a 30-day trial version of Win4Lin available in the Portage tree.

Gentoo Linux 1.4 Update

We reported back in January that Gentoo Linux 1.4_rc3 was due to be released on January 14th, based on the timeline laid out by the newly-adopted Formal Release Process. Obviously, this release has yet to make it out the door and users and developers alike have increasingly complained about the recurring delays, stale Portage tree and general confusion that seems to surround the release process. Fortunately, with the recent appointment of Brad Cowen as the Gentoo Release Coordinator, the 1.4 release process seems to have regained some of its lost momentum. Brad recently updated the Gentoo developer team regarding the status of the next release candidate, 1.4_rc3:

I just wanted to take a moment and let everyone know where we stand as far as a release goes. Plans are to release an official RC3 on Thursday the 27th. This rc will include stages from the sparc, x86, and ppc teams. The x86 port will be a limited release meaning a single "one size fits all" compiled set of stages and no GRP will be packaged.

Brad went on to say that, after the rc3 release, he plans to adhere closely to the formal release process. This also means that, post rc3, the Portage tree will be unfrozen for a period of 2 weeks or so where developers will be able to migrate masked packages over to an unmasked state.

Pictures of FOSDEM

As reported earlier, Gentoo Linux was at FOSDEM and, by all accounts, the event was a success. As with LinuxWorld in New York, many of the attendees were previously unfamiliar with Gentoo Linux, so this was a great opportunity to help spread the word about Gentoo Linux in Europe and also meet lots of other free software developers. Daniel Robbins also had the opportunity to speak with Richard Stallman at length, where they discussed...free software, of course :). Here are some photos of the event for those who were unable to attend in person.


Figure 1.1: Jack Morgan, Verwilst and Popsickle at Fosdem -- or is this a Coke commercial?



Figure 1.1: Wout Mertens and Daniel Robbins discover a quantum singularity


2.  Gentoo Security

Summary

GLSA: webmin

Webmin contains a vulnerability which could permit unauthenticated access. No exploits in the wild have been reported.

  • Severity: Critical - Remote Access with Administrative Privileges
  • Packages Affected: app-admin/webmin versions prior to webmin-1.070
  • Rectification: Synchronize and emerge -u webmin, emerge clean.
  • Advisory

GLSA: openssl

OpenSSL may permit an attacker, by performing a man-in-the-middle attack and measuring the relative times for rejection of modified cipher texts, to determine which error condition (padding or verification) caused the modified texts to be rejected. This information is adequate to initiate an adaptive attack which may result in exposure of the plaintext. The attack has been demonstrated in principle.

  • Severity: Critical - Remote Encryption Compromise
  • Packages Affected: dev-libs/openssl versions prior to openssl-0.96i or openssl-0.9.7a
  • Rectification: Synchronize and emerge -u openssl, emerge clean.
  • GLSA Announcement
  • Advisory
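
An added illustration of the error-distinguishing behaviour described above, not OpenSSL code and not from the newsletter: a MAC-then-pad record check that returns early on bad padding, beside a version that always computes the MAC and reports a single error. The record layout, key, function names and the `mac_calls` counter are constructed for this example, and CBC decryption is assumed to have happened already.

```python
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 tag length
mac_calls = 0     # instrumentation: MACs computed, a stand-in for elapsed time

def _mac(key, data):
    global mac_calls
    mac_calls += 1
    return hmac.new(key, data, hashlib.sha1).digest()

def make_record(key, data, pad_len):
    """Constructed sample: data || MAC || (pad_len + 1) bytes of value pad_len."""
    return data + _mac(key, data) + bytes([pad_len]) * (pad_len + 1)

def _padding_ok(plain):
    n = plain[-1]
    return n + 1 <= len(plain) - MAC_LEN and all(b == n for b in plain[-(n + 1):])

def check_leaky(key, plain):
    """Early return on bad padding: no MAC is computed, so rejection is faster."""
    if len(plain) < MAC_LEN + 1 or not _padding_ok(plain):
        return "bad_padding"
    body = plain[:-(plain[-1] + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(_mac(key, data), tag):
        return "bad_mac"
    return "ok"

def check_uniform(key, plain):
    """Always compute the MAC and report one error for both failure causes."""
    if len(plain) < MAC_LEN + 1:
        return "bad_record"
    pad_ok = _padding_ok(plain)
    n = plain[-1] if pad_ok else 0    # bad padding: proceed as if zero-length
    body = plain[:-(n + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(_mac(key, data), tag)
    return "ok" if (pad_ok and mac_ok) else "bad_record"

def probe(check, key, plain):
    """Return (result, number of MACs computed) for one record."""
    global mac_calls
    mac_calls = 0
    return check(key, plain), mac_calls

# Constructed inputs: one valid record and two tampered copies.
KEY = b"constructed-demo-key"
GOOD = make_record(KEY, b"GET / HTTP/1.0\r\n", 3)
BAD_PAD = GOOD[:-2] + b"\x07" + GOOD[-1:]   # one padding byte altered
BAD_MAC = b"X" + GOOD[1:]                   # payload altered, padding intact

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("bad pad", BAD_PAD), ("bad mac", BAD_MAC)):
        print(name, probe(check_leaky, KEY, rec), probe(check_uniform, KEY, rec))
```

The counter only models the control-flow difference; Python itself gives no constant-time guarantee.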

GLSA: bitchx

Bitchx may be caused to segfault with a malformed packet, exposing a denial-of-service vulnerability.

  • Severity: Moderate - Remote DOS for non-critical service.
  • Packages Affected: net-irc/bitchx versions prior to bitchx-1.0.19-r4
  • Rectification: Synchronize and emerge -u bitchx, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: mod_php

PHP 4.3.0 introduced a bug which prevents the cgi-security options '--enable-force-cgi-redirect' and 'cgi.force_redirect' from taking effect. This could permit an attacker to gain access to the server file system using the web server's privileges on systems that use the PHP CGI module.

  • Severity: High - Remote Exposure of Filesystem
  • Packages Affected: dev-php/mod_php-4.3.0
  • Rectification: Synchronize and emerge -u mod_php, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: nethack

Nethack contains a buffer overflow vulnerability that may permit elevation of the player's privileges to that of the game's uid. An exploit has been published. The primary use of this exploit would be to modify the high score and character files. However, any privilege elevation is a security fault, and could be dangerous if nethack's uid has additional permissions.

  • Severity: Low - Privilege Elevation to A Game
  • Packages Affected: app-games/nethack versions prior to nethack-3.4.0-r6
  • Rectification: Synchronize and emerge -u nethack, emerge clean.
  • GLSA Announcement
  • Advisory

GLSA: w3m

The w3m browser (a text-based browser sometimes used within emacs) fails to properly escape img tags in html. This vulnerability could be exploited by a carefully crafted web page to access files on the local machine.

  • Severity: High - Remote Exposure of Filesystem
  • Packages Affected: net-www/w3m versions prior to w3m-0.3.2.2
  • Rectification: Synchronize and emerge -u w3m, emerge clean.
  • GLSA Announcement

GLSA: syslinux

The syslinux bootloader exposes several security flaws when run with root privileges. The code has been modified to use the mtools package for accessing the disk. Syslinux should not be run with setuid.

  • Severity: High - Root Privilege Exposure.
  • Packages Affected: sys-apps/syslinux versions prior to syslinux-2.02
  • Rectification: Synchronize and emerge -u syslinux, emerge clean.
  • GLSA Announcement

GLSA: mailman

The default error page in the mailman list server web interface exposes a cross-site scripting vulnerability that could permit remote execution of code using the server's privilege level.

  • Severity: High - Remote Execution of Code.
  • Packages Affected: net-mail/mailman versions prior to mailman-2.1.1
  • Rectification: Synchronize and emerge -u mailman, emerge clean.
  • GLSA Announcement
  • Advisory

New Security Bug Reports

The following new security bugs were posted this week:

3.  Featured Developer of the Week

John P. Davis


Figure 3.1: John P. Davis


John P. Davis, this week's featured developer, is Senior Developer/Coordinator for the Gentoo Linux Documentation team and the administrator of Gentoo's Bugzilla system. John, who started off by writing the Gentoo Linux Printing HOWTO, coordinates developers and translators on documentation and hacks on the Bugzilla source to make it as functional as possible. He takes pride in making the Bugzilla system as useful as possible to users and devs, and is amazed at how the documentation team is shaping up. For now Gentoo is the only OSS project John has worked on, but he hopes to change that in the future.

John has an Athlon XP workstation running RAID0 and an Athlon server which hosts uberdavis.com, his playpen (currently undergoing renovations). He uses Enlightenment with an Aqua theme, Sylpheed for mail, and likes iconv, iptables, grep, sed, the GIMP, and nmap. During the day John studies computer science at Mount Union College in Alliance, OH, and works at his college's help desk. He enjoys spending time with his girlfriend Mary, drinking Bawls, mountain biking, skiing, scuba diving, as well as college life in general.

4.  Heard In The Community

Web Forums

Mother Tongue Campaigning

The message is simple: First you need to achieve critical mass by posting into a thread that registers how many people would be interested in a separate forum conducted in their own language, then the FAQ and a few other documents need translation, a moderator or two needs to volunteer, and if sufficiently convincing evidence for a lively community has built up, just watch that admin machine go. The Italians were off to a quick start last week and are gaining momentum, but the Japanese community isn't anywhere near critical mass and needs some serious campaigning before a Japanese language forum can be set up. Lack of interest is unlikely, but a lot of the guys on the #gentoo-jp IRC channel don't seem to have a forum ID yet...

Emulating the Unspeakable

The gamers were the first class of users to discuss which emulator or virtual machine wins the Windows look-a-like contest, but running commercial Windows applications in Linux has become a widespread pattern since the more serious desktop publishing crowd has made inroads into Open Source operating systems, while requiring the use of professional software from vendors who so far have bluntly refused to code for Linux. It's not as if there was a lack of choice in terms of tools to do so, between Wine and Plex86 or Bochs (fresh version 2.0.2 released just a week ago) on the free-of-charge side of things, and the more powerful commercial equivalents Crossover, WineX, Win4Lin and VMware on their flipside; the only remaining problem is to pick one. Flame wars of the past used to erupt over whether one should do that or not, but for some time the debate has been centered on a more pragmatic question: how to do it most efficiently. The forums reflect all this and more, including Netraverse, the company behind Win4Lin, stepping forward with a special Gentooified build at a significant markdown...

Yet Another Architecture: Gentoo on MIPS

Last week the usually rather calm Alternate Architectures forum saw an influx of people who reported about Gentoo Linux on SGI Indy and Indigo2. About two months into the latest initiative to port Gentoo to MIPS machines, successful installations so far include R4400 and R5000 driven models. If you own an Elan or Extreme or maybe an O2 and wonder what else than Irix you can run on it, join the Indy posse on their new IRC channel, #gentoo-mips on irc.freenode.net, and in one or both of these threads (top for evangelism, bottom for caveats):

gentoo-user

Hardware Issues

Combining components from leaking capacitors to hot CPUs often makes it hard to diagnose hardware problems. Sipping coffee, closing your eyes and seeing the faulty component is a great method, although it may not work for non-Jedi Masters. Bruno Lustosa has been suffering from suspicious failed compiles in a number of threads. Is it the BIOS? Memory? CPU? Evil Kernel? After many supportive suggestions, Bruno appears on the verge of victory. Ernie Shroder, in particular, reminded us of a great article by the man himself, Dr. Daniel Robbins. The article makes a worthwhile read as Robbins takes us through the ins and outs of diagnosing CPU and RAM problems on a Linux system.

RedHatism

Upon asking about kivio, of all things, the tool epm was brought up. EPM is available as an ebuild (sys-apps/epm) with the description: rpm workalike for Gentoo Linux. This is meant to provide for an easier transition from a Red Hat system, allowing Red Hatters to feel at home by typing 'epm -qf `which kivio`'.

More RedHatism

An extremely grueling discussion took place involving the Gentoo init system. Remarkably, the details of Gentoo's system versus other SysV implementations hardly surfaced. What was at stake was Phil Barnet's apparent demand for "abstraction" scripts, in particular the 'service' script, available in other distributions. The counterpoint expressed typical Gentoo mannerism, offered in one of Andrew Dacey's many rebuttals, "The whole point of Gentoo is to be configurable, almost nothing is forced onto the user. With this in mind, no abstraction layer from another OS or distro should be included by default, no matter how common that OS or distro is". Suggestions for ebuilds were offered as the debate raged on.

5.  Gentoo International

Regional Gentoo User Meetings in Europe

The Viennese Gentooists have agreed on a date and a venue: Tuesday, 4 March 2003, 19:00 onwards at the Siebensternbräu, Siebensterngasse 19 in 1070 Wien. If you're free and in the area that day and would like to join them, announce your intentions with a reply to this thread in the forums for a headcount. Meanwhile, users from Northern Germany are looking into opportunities for a meeting this week in or around Hamburg, but the details didn't make it in time for this newsletter. They, too, have a thread in the forums to coordinate the exact date and venue.

Svenska Gentoo IRC Hemsida

http://gentoo.linux.se is the shiny new address for the Swedish Gentoo web presence, so far "only" a web appendix to the notorious IRC channel. It includes the channel statistics, some user profiles of a few IRC regulars, and a pastebot for uploading a quick config file or error message from a borked ebuild, and generating a URL for it to be pasted into the #gentoo-se channel on irc.freenode.net.

Italian Documentation Taskforce

While his compatriots are busy campaigning for an Italian forum, Marco Mascherpa has set up a mailing list for Italian translators to join in the effort of going through the entire pile of Gentoo documentation and creating new or embellishing existing Italian versions. If your Italian is up to the task and you would like to help, send an email to Marco today.

6.  Portage Watch

The following stable packages were added to portage this week

Note: Because of the pending release of 1.4_final, the Portage tree is currently frozen. As such, no new stable packages were introduced to Portage this week.

Updates to notable packages

  • sys-apps/portage - portage-2.0.47-r2.ebuild;
  • gnome-base/gnome - gnome-2.2-r2.ebuild;
  • sys-kernel/* - aa-sources-2.4.21_pre4-r3.ebuild; development-sources-2.5.60-r2.ebuild; development-sources-2.5.61-r1.ebuild; development-sources-2.5.61.ebuild; development-sources-2.5.62.ebuild; gs-sources-2.4.21_pre4.ebuild; hppa-sources-2.4.20_p27.ebuild; lolo-sources-2.4.20.2_pre2.ebuild; redhat-sources-2.4.18.24.8.0.ebuild;
  • dev-db/mysql - mysql-4.0.10.ebuild;
  • dev-php/php - php-4.3.1.ebuild;
  • sys-devel/perl - perl-5.6.1-r11.ebuild;

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. In the last 7 days, activity on the site has resulted in:

  • 294 new bugs this week
  • 336 bugs closed or resolved this week
  • 8 previously closed bugs were reopened this week.
  • 1796 total bugs currently marked 'new'
  • 558 total bugs currently assigned to developers

There are currently 2411 bugs open in Bugzilla. Of these: 46 are labelled 'blocker', 82 are labelled 'critical', and 171 are labelled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs this week are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs this week are:

8.  Tips and Tricks

Mirror, Mirror On The Wall

As Gentoo's userbase grows, a common complaint is the slowdown of its primary mirrors. Many people in the community have responded, adding more mirrors to help distribute the load. So where do you find these mirrors? One way is to look on the website at http://www.gentoo.org/main/en/mirrors.xml. The other (easier) way is to use the handy mirrorselect tool. MirrorSelect is a simple ncurses interface that allows you to select which mirror(s) you want to use for your machine.

MirrorSelect is available in Portage, so a simple emerge is all that's necessary to install it.

Code Listing 1.1: Installing MirrorSelect

# emerge mirrorselect

To use MirrorSelect, simply run mirrorselect at a terminal prompt and then select your preferred mirror(s).

Code Listing 1.1: Using MirrorSelect

# mirrorselect

Figure 1.1: Using MirrorSelect


When you're done selecting mirrors, select OK, and your /etc/make.conf will be updated with your new mirrors.

Code Listing 1.1

Selected: ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo http://gentoo.oregonstate.edu http://distro.ibiblio.org/gentoo 
Mirrors set successfully

9.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo team:

  • Robert Coie (rac) -- perl, bughunting
  • James Boddington (Aiken) -- Gentoo/SPARC, Gentoo/ARM
  • Jon Ellis (jje) -- music stuffs
  • Alastair Tse (liquidx) -- python, GNOME, Gentoo/ARM
  • Ken Nowack (antifa) -- Gentoo Documentation

Changes

The following developers recently changed roles within the Gentoo project.

  • none this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make GWN better.

12.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated 24th Feb 2003

Summary: This is the Gentoo Weekly Newsletter for the week of February 24th, 2003.

Kurt Lieber
Editor

AJ Armstrong
Contributor

Brice Burgess
Contributor

Yuji Carlos Kosugi
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Peter Sharp
Contributor

Mathy Vanvoorden
Dutch Translation

Tom Van Laerhoven
Dutch Translation

Roel Adriaans
Dutch Translation

Peter Dijkstra
Dutch Translation

Nicolas Ledez
French Translation

Guillaume Plessis
French Translation

Eric St-Georges
French Translation

John Berry
French Translation

Martin Prieto
French Translation

Michael Kohl
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Daniel Ketel
Japanese Translation

Yoshiaki Hagihara
Japanese Translation

Andy Hunne
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Yasunori Fukudome
Japanese Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

Ricardo Jorge Louro
Portuguese (Portugal) Translation

Lanark
Spanish Translation

Rafael Cordones Marcos
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Pablo Pita Leira
Spanish Translation

Carlos Castillo
Spanish Translation

Tirant
Spanish Translation

Jaime Freire
Spanish Translation

Lucas Sallovitz
Spanish Translation

Copyright 2001-2014 Gentoo Foundation, Inc.