
Gentoo Weekly Newsletter: September 9, 2003

Content:

1.  Gentoo News

Summary

Second Gentoo BugDay a success

Another smashing success: participants in this week's BugDay, held on September 6, bravely squashed a total of 124 bugs. Only in its second month, BugDay attracted a total of 171 unique bug hunters, with a record of 149 simultaneous attendees in #gentoo-bugs, surpassing last month's inaugural BugDay by a large margin (130 bug quashers participated last month). Among the crowd were many people eager to lend their expertise and learn from others. Users got to interact with Gentoo developers in a unique way, and some potential new developers were spotted. We'd like to thank everyone who came out and made this month's BugDay a huge success, and we hope to see you next month: same bug time, same bug channel!

2.  Gentoo Security

Summary

GLSA: pam_smb

Quote from advisory:

"If a long password is supplied, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services."

  • Severity: High - remote code execution.
  • Packages Affected: <pam_smb-2.0.0_rc5
  • Rectification: emerge sync; emerge pam_smb; emerge clean
  • GLSA Announcement

GLSA: vmware

Quote from advisory:

The previous GLSA 200308-03 was wrong when it stated that vmware-workstation-4.0.1-5289 would fix the problems described in the advisory.

  • Severity: High - local full host access.
  • Packages Affected: <vmware-workstation-4.0.2.5592
  • Rectification: emerge sync; emerge '>=vmware-workstation-4.0.2.5592'; emerge clean
  • GLSA Announcement

GLSA: horde

Quote from advisory:

"An attacker could send an email to a victim who makes use of the HORDE MTA in order to push them to visit a website. The website in question logs all accesses and describes in particular the origin of every victim."

  • Severity: High - session hijacking.
  • Packages Affected: <horde-2.2.4_rc2
  • Rectification: emerge sync; emerge horde; emerge clean
  • GLSA Announcement

GLSA: eroaster

Previous eroaster versions allowed local users to overwrite arbitrary files via a symlink attack on a temporary file that is used as a lockfile.

  • Severity: Medium - symlink attack.
  • Packages Affected: <eroaster-2.1.0-r2
  • Rectification: emerge sync; emerge eroaster; emerge clean
  • GLSA Announcement

GLSA: phpwebsite

phpwebsite contains an SQL injection vulnerability in the calendar module which allows an attacker to execute arbitrary SQL queries. In addition, phpwebsite is also vulnerable to XSS; more information can be found in the full advisory.

  • Severity: High - SQL Injection, DoS and XSS Vulnerabilities.
  • Packages Affected: <phpwebsite-0.9.3_p1
  • Rectification: emerge sync; emerge phpwebsite; emerge clean
  • GLSA Announcement

GLSA: mindi

Mindi creates files with predictable names in /tmp, which could allow local users to overwrite arbitrary files via a symlink attack.

  • Severity: Medium - insecure file creations.
  • Packages Affected: <mindi-0.86
  • Rectification: emerge sync; emerge mindi; emerge clean
  • GLSA Announcement
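The eroaster and mindi advisories above are the same bug class: a temporary or lock file with a predictable name, opened without O_EXCL, in a directory every local user can write to. The following shell script is an added illustration (not code from either package or from the GLSAs): it plants a symlink the way a local attacker would, shows the unsafe pattern writing through it, and shows two patterns that refuse. All file names are constructed inside a throwaway directory from mktemp -d, so nothing outside it is touched.

```shell
#!/bin/sh
# Added example (not code from eroaster or mindi): a symlink attack on a
# predictable lock/temp file, and two patterns that resist it. Everything
# runs inside a scratch directory created with mktemp -d; no real files
# outside it are touched.

# Vulnerable pattern: a fixed, world-predictable name written with plain ">"
# (open(2) with O_CREAT|O_TRUNC and no O_EXCL). If a local user has already
# planted a symlink there, the write lands on whatever it points at, with the
# privileges of the process running this script.
unsafe_lock() {
    lock=$1
    echo "$$" > "$lock"
}

# Safer pattern 1: mkdir(2) is atomic and never follows a symlink, so a
# directory used as a lock cannot be redirected. Any existing name at that
# path (a dangling symlink included) makes mkdir fail, reported as "held".
safe_lock_mkdir() {
    lock=$1
    mkdir "$lock" 2>/dev/null || return 1
    echo "$$" > "$lock/pid"
}

# Safer pattern 2: mktemp(1) picks an unpredictable name and creates it with
# O_CREAT|O_EXCL, so a pre-planted symlink cannot match and a racing attacker
# cannot slip one in between check and create. Prints the path it created.
safe_tmpfile() {
    dir=${1:-${TMPDIR:-/tmp}}
    mktemp "$dir/mindi.XXXXXX"
}

# Demonstration. Returns 0 when the unsafe pattern wrote through the planted
# symlink and the mkdir-based pattern refused the very same path.
demo() {
    sandbox=$(mktemp -d) || return 2
    victim="$sandbox/victim.conf"        # stands in for a file the attacker wants overwritten
    printf 'original contents\n' > "$victim"
    ln -s "$victim" "$sandbox/app.lock"  # attacker plants the symlink first

    unsafe_lock "$sandbox/app.lock"      # victim program "creates" its lock file
    clobbered=0
    [ "$(cat "$victim")" = "$$" ] && clobbered=1

    refused=0
    safe_lock_mkdir "$sandbox/app.lock" || refused=1

    rm -rf "$sandbox"
    [ "$clobbered" -eq 1 ] && [ "$refused" -eq 1 ]
}
```

Source the script and run demo; it exits 0 exactly when the attack went through the unsafe pattern and was refused by the mkdir pattern. Note that the sandbox is a private 0700 directory, which is why the symlink is followed even on kernels with fs.protected_symlinks enabled: that sysctl only blocks following symlinks owned by another user in sticky, world-writable directories such as /tmp, so it mitigates this bug class there but not in any other shared directory.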

GLSA: gallery

Quote from advisory:

"Cross-site scripting (XSS) vulnerability in search.php of Gallery 1.1 through 1.3.4 allows remote attackers to insert arbitrary web script via the searchstring parameter."

  • Severity: High - cross site scripting.
  • Packages Affected: <gallery-1.3.4_p1
  • Rectification: emerge sync; emerge gallery; emerge clean
  • GLSA Announcement

GLSA: atari800

atari800 contains a buffer overflow which could be used by an attacker to gain root privileges. Although the atari800 package in Gentoo does not install any files suid root, we encourage our users to upgrade.

  • Severity: Low - buffer overflow.
  • Packages Affected: <atari800-1.3.0-r1
  • Rectification: emerge sync; emerge atari800; emerge clean
  • GLSA Announcement

New Security Bug Reports

The following new security bugs were posted in the past week:

3.  User stories

User stories is on hiatus this week. Remember to send us your bizarre, hilarious, or incredible Gentoo stories so they can be featured here!

4.  Featured Developer of the Week

Thomas Pedley


Figure 4.1: Thomas Pedley


This week's featured dev is Thomas Pedley (shallax), who is singularly responsible for the most ironic of Gentoo ports: Gentoox (Gentoo for the XBox). Thomas is the only official developer for the project, but he claims this reduces the number of developer conflicts. His responsibilities run the gamut through kernel hacking, user support, distro maintenance, building binary packages, dealing with legal issues, and maintaining the gentoox web site. Appropriately, gentoox.shallax.com and forums.shallax.com were recently moved to an XBox host.

Thomas' work came to the attention of the Gentoo community with his post to the forums in March. Although other people had managed to get Gentoo up and running on a modded XBox, Thomas was the first to put together a formal distribution and documentation, which has greatly facilitated the growth of Gentoo on the heavily subsidized Microsoft gaming platform. The idea of using the XBox as a cheap multimedia PC has been enthralling Linux fans for months. Our subject's proudest accomplishment came with the successful hacking of the XBox's Cromwell BIOS to permit loading of a larger initrd file, and the subsequent cleaning up of the boot process in Gentoox. Thomas now runs two XBoxen: the continuously up web server and another that is, tragically, periodically taken down to play games with.

In addition to the XBoxen, Thomas runs a 1.8 GHz P4 desktop, and a 533 MHz Celeron server. He likes KDE, but uses the lower footprint WindowMaker when on an XBox. He is a bit of a messaging addict, launching Gaim and XChat when he first boots (or Trillian and mIRC if booting into the other OS). He first heard of Gentoo back in 2001, but was daunted by its learning curve until 2002 and completed the transition to Gentoo for his servers this year. His favorite applications are gcc and emerge, and prefers pico/nano as an editor. He does a lot of his development work using bash scripting, and chose to implement the Gentoox patch system (which works alongside portage for XBox implementations) in bash.

Thomas recently completed 6th Form at the Simon Balle school, and will start Computer Science studies at the University of Hertfordshire in a few weeks. He also works at a local supermarket in order to generate the funds he needs for acquiring XBoxen and maintaining his beloved Peugeot 205. He lives in Hertfordshire, England, just outside London.

When asked for a favourite quote, Thomas offered a Beastie Boy lyric: "DIY, that means do it yourself - I don't sit around waiting for someone's help, I don't sit back and say good enough, I keep on striving, reinventing.", which seems quite appropriate. He also observed that "Gentoo is the most solid distribution I have had the pleasure of using, and the user base is friendly and willing to help each other out." He also wanted to take an opportunity to thank all those who have helped out with the Gentoox project - interested readers are directed to the Gentoox README to hear about their contributions.

5.  Heard in the Community

Web Forums

Gentoo on the Pegasos PPC

Being one of the rare Gentoo devs with a Pegasos G3/600 MHz at home, dholm has successfully Gentooified that particular non-Macintosh, yet PowerPC-based platform. The next LiveCD will contain an official build, but dholm's kernel is ready for testing by anyone who'd like to try their hand. In the same thread, PPC lead developer pvdabeel has announced that Gentoo will run on the AmigaOne, too.

Making an Effort

Besides browsing the overview of individual forums, people tend to look for topics via the "posts since last visit" link or by entering text strings related to their problem in the quick search field. One of the less popular features of the phpBB forum interface is a link at the top right of the page that simply says "View unanswered posts". There are currently almost 10,000 of those, and among a lot of garbage there is a much larger number of newbie questions that went unanswered, sometimes because the title wasn't clear, the problem was too obscure, or it just wasn't very interesting to the regulars on board. Gentoomen, have you helped a newbie today?

gentoo-user

$100 UPSes for Linux

For those of us that absolutely NEED to run Gentoo, electric service or not, an uninterruptible power supply could be just what you're looking for. Gentoo user Chip Marshall started the $100 Linux UPS Challenge to see if anyone knew of Linux-compatible UPSes that could be bought for roughly $100. Read on for all the great suggestions.

qpkg Tips

Ever wondered which ebuild supplied a certain file on your hard drive? This thread from the -user list this week offered up a quick and cool tip on using qpkg to do just that. Check it out here.

gentoo-dev

Gentoo Games.

Who said there weren't any games on Linux? Well, we definitely prove them wrong here at Gentoo, with the number of game packages in app-games now outnumbering those in dev-perl! Break them up a little, you say? Well, you're too late! Mike Frysinger is a step ahead of you. Have a look to see where the discussion went.

Portage is your friend.

Although some of us are more than happy to just type in emerge myprogram, some people actually like to know how these things work. Grant Goodyear is one such person, who decided that a little walkthrough would be appropriate. Have a look here.

6.  Gentoo International

Japan: Gentoo Navi Log

Mamoru Komachi, better known as Usata, a Gentoo dev at large and maintainer of the pTeX package, has started a weblog that keeps track of new ebuilds and contains news and tidbits centered around the needs of Japanese Gentooists. Some of the more interesting recent developments already feature prominently on his page, including Botond Botyanszki's new Japanese input method im-ja or the new GTK2 variant of Sylpheed, for example. Best of all: the blog is open to audience participation, everyone willing to commit one or the other concise newsbit about Gentoo is welcome to add to the logbook. Check Usata's page - only if your Japanese is up to the task, of course...

7.  Portage Watch

The following stable packages were updated or added to portage in the last two weeks:

Total categories: 96

Total packages: 5558

8.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 29 August 2003 and 04 September 2003, activity on the site has resulted in:

  • 384 new bugs during this period
  • 182 bugs closed or resolved during this period
  • 8 previously closed bugs were reopened this period

Of the 3837 currently open bugs: 94 are labeled 'blocker', 196 are labeled 'critical', and 287 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs during this period are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs during this period are:

9.  Tips and Tricks

Using SSH for remote commands

This week's tip shows a less common use of SSH. Most people use SSH to login to servers or boxes remotely. However, you can also use SSH to issue commands on remote servers without opening a full login shell.

Note: To use SSH without having to enter a password all the time, use Keychain.

To issue commands through SSH, simply type the command after the normal SSH login information (e.g. ssh user@host command). The following example shows you how to view log files on a remote web server.

Code Listing 9.1: Viewing an Apache2 access_log

% ssh david@www.example.com tail /var/log/apache2/access_log
  

Alternatively, you could change passwords over SSH (although using public key authentication with SSH is recommended over passwords). Note that interactive programs such as passwd need a terminal, and ssh does not allocate a pseudo-terminal when you give it a command to run, so add -t to force one (ssh -t david@example.com passwd); without it the password prompts may not appear or passwd may refuse to run.

Code Listing 9.2: Remotely changing a password

% ssh -t david@example.com passwd
(current) UNIX password: password
New UNIX password: new_password
Retype new UNIX password: new_password
Changing password for david
  

This should get you started with remote command execution. See the SSH man pages for more options.
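Two things a security-minded admin will want on top of the tip above. First, ssh joins everything after the host name into one string and hands it to the remote login shell, so arguments containing spaces, quotes or $ are re-parsed remotely unless you quote them. Second, once a key can run commands without a full login, it is worth restricting what that key may run: sshd's authorized_keys "command=" option runs a wrapper of your choice and passes the client's actual request in $SSH_ORIGINAL_COMMAND. The script below is an added example (not from the GWN, and not an OpenSSH facility beyond the authorized_keys option it uses); the host, user, wrapper path and log file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the GWN: (1) quoting arguments so the remote shell
# sees exactly what you typed, and (2) a forced-command wrapper that lets a
# key run only the log-viewing command and nothing else. Host names, users,
# the wrapper path and the log paths are assumptions for illustration.

# ssh joins everything after the host with spaces and hands that one string
# to the remote login shell, so a local argument "a b" arrives as two words
# and $HOME is expanded remotely. Single-quoting each argument (and escaping
# embedded single quotes as '\'') makes the remote shell rebuild the
# original argument list.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Turn an argument list into one safely quoted remote command line.
remote_cmdline() {
    out=""
    for a in "$@"; do
        out="${out}${out:+ }$(shquote "$a")"
    done
    printf '%s' "$out"
}

# Client side: run a non-interactive command remotely. -n keeps ssh from
# consuming local stdin (useful inside loops and cron jobs).
run_remote() {
    target=$1; shift
    ssh -n "$target" "$(remote_cmdline "$@")"
}

# Server side: restrict a key to this wrapper in ~/.ssh/authorized_keys:
#   command="/usr/local/bin/logtail-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... david@laptop
# sshd then runs the wrapper instead of the requested command and exposes
# the request in $SSH_ORIGINAL_COMMAND; the wrapper decides what to honour.
LOG_ALLOWLIST="/var/log/apache2/access_log /var/log/apache2/error_log"  # assumed paths

# Accept only "tail <one allowed log>", compared as whole words after
# rejecting every character that could mean something to a shell (so
# "; cat /etc/shadow", backticks, globs and redirections never get parsed).
allowed_command() {
    req=$1
    case $req in
        '' | *[!A-Za-z0-9_./' '-]*) return 1 ;;
    esac
    set -- $req
    [ $# -eq 2 ] && [ "$1" = "tail" ] || return 1
    for log in $LOG_ALLOWLIST; do
        [ "$2" = "$log" ] && return 0
    done
    return 1
}

# Wrapper entry point: only reached when sshd invoked us as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allowed_command "$SSH_ORIGINAL_COMMAND"; then
        set -- $SSH_ORIGINAL_COMMAND
        exec /usr/bin/tail -n 20 "$2"
    fi
    printf 'rejected: %s\n' "$SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

With the key restricted this way, the client still types ssh david@www.example.com tail /var/log/apache2/access_log exactly as in the listing above, but any other request is logged to stderr and refused, and the no-pty / no-*-forwarding options close the side channels a compromised laptop key would otherwise get for free. The wrapper deliberately re-executes a fixed binary with a fixed argument rather than eval'ing the request, so the allowlist check is the only thing standing between the key and a shell.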

10.  Featured Quote/Signature of the Week

Featured Quote/Signature is taking a break this week.

11.  Moves, Adds and Changes

Moves

The following developers recently left the Gentoo team:

  • none this week

Adds

The following developers recently joined the Gentoo Linux team:

  • none this week

Changes

The following developers recently changed roles within the Gentoo Linux project.

  • none this week

12.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

13.  GWN Feedback

Please send us your feedback and help make the GWN better.

14.  GWN Subscription Information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

15.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated 9 September 2003

Summary: This is the Gentoo Weekly Newsletter for the week of September 9th, 2003.

Yuji Carlos Kosugi
Editor

AJ Armstrong
Contributor

Brian Downey
Contributor

Cal Evans
Contributor

Chris Gavin
Contributor

Luke Giuliani
Contributor

Shawn Jonnet
Contributor

Michael Kohl
Contributor

Kurt Lieber
Contributor

Rafael Cordones Marcos
Contributor

David Narayan
Contributor

Gerald J Normandin Jr.
Contributor

Ulrich Plate
Contributor

Mathy Vanvoorden
Dutch Translation

Hendrik Eeckhaut
Dutch Translation

Jorn Eilander
Dutch Translation

Bernard Kerckenaere
Dutch Translation

Peter ter Borg
Dutch Translation

Jochen Maes
Dutch Translation

Roderick Goessen
Dutch Translation

Gerard van den Berg
Dutch Translation

Matthieu Montaudouin
French Translation

Martin Prieto
French Translation

Antoine Raillon
French Translation

Sebastien Cevey
French Translation

Jean-Christophe Choisy
French Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Thomas Raschbacher
German Translation

Klaus-J. Wolf
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Christian Apolloni
Italian Translation

Stefano Lucidi
Italian Translation

Yoshiaki Hagihara
Japanese Translation

Katsuyuki Konno
Japanese Translation

Yuji Carlos Kosugi
Japanese Translation

Yasunori Fukudome
Japanese Translation

Takashi Ota
Japanese Translation

Radoslaw Janeczko
Polish Translation

Lukasz Strzygowski
Polish Translation

Michal Drobek
Polish Translation

Adam Lyjak
Polish Translation

Krzysztof Klimonda
Polish Translation

Atila "Jedi" Bohlke Vasconcelos
Portuguese (Brazil) Translation

Eduardo Belloti
Portuguese (Brazil) Translation

João Rafael Moraes Nicola
Portuguese (Brazil) Translation

Marcelo Gonçalves de Azambuja
Portuguese (Brazil) Translation

Otavio Rodolfo Piske
Portuguese (Brazil) Translation

Pablo N. Hess -- NatuNobilis
Portuguese (Brazil) Translation

Pedro de Medeiros
Portuguese (Brazil) Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

José Costa
Portuguese (Portugal) Translation

Luis Medina
Portuguese (Portugal) Translation

Ricardo Loureiro
Portuguese (Portugal) Translation

Sergey Galkin
Russian Translator

Sergey Kuleshov
Russian Translator

Alex Spirin
Russian Translator

Dmitry Suzdalev
Russian Translator

Anton Vorovatov
Russian Translator

Denis Zaletov
Russian Translator

Lanark
Spanish Translation

Fernando J. Pereda
Spanish Translation

Lluis Peinado Cifuentes
Spanish Translation

Zephryn Xirdal T
Spanish Translation

Guillermo Juarez
Spanish Translation

Jesús García Crespo
Spanish Translation

Carlos Castillo
Spanish Translation

Julio Castillo
Spanish Translation

Sergio Gómez
Spanish Translation

Aycan Irican
Turkish Translation

Bugra Cakir
Turkish Translation

Cagil Seker
Turkish Translation

Emre Kazdagli
Turkish Translation

Evrim Ulu
Turkish Translation

Gursel Kaynak
Turkish Translation


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.