Gentoo Weekly Newsletter: September 22, 2003
1. Gentoo News
Gentoo 1.4 maintenance release 1 for x86
New 20030911 builds of Gentoo 1.4 are now available on mirrors and at the Gentoo Store so this may be a good time to reburn your CDs or to order some copies of the LiveCDs. This maintenance build has the same functionality as the 1.4 release but fixes many bugs. Also, if you installed Gentoo with the 1.4 release there's no need to worry because the releases are only relevant for the LiveCDs and GRPs; run emerge rsync; emerge -u world and your Gentoo system will be as up-to-date as anyone else's.
Experimental IA-64 stage1 available
The IA-64 port can now be fully built from stage1, and an experimental IA-64 stage1 tarball is now available under experimental/ia64. There's no LiveCD, but users are encouraged to try building a system, see how it works, and submit bugs to Bugzilla.
2. Gentoo Security
GLSA: mysql
Quote from advisory:
"Anyone with global administrative privileges on a MySQL server may execute arbitrary code even on a host he isn't supposed to have a shell on, with the privileges of the system account running the MySQL server."
- Severity: High - execute arbitrary code.
- Packages Affected: <mysql-3.23.57-r1 <mysql-4.0.13-r4 >=mysql-4.0.14-r2(masked)
- Rectification: emerge sync; emerge dev-db/mysql/<mysql version>; emerge clean
- GLSA Announcement
GLSA: exim
"There's a heap overflow in all versions of exim3 and exim4 prior to version 4.21. It can be exercised by anyone who can make an SMTP connection to the exim daemon."
- Severity: Low - heap overflow
- Packages Affected: <exim-4.21
- Rectification: Synchronize and emerge exim, emerge clean.
- GLSA Announcement
GLSA: pine
"A remotely exploitable buffer overflow exists within the parsing of the message/external-body type attribute name/value pairs. Failure to check that the length of the longest attribute is less than the space available allows a maliciously formed e-mail message to overwrite control structures."
- Severity: High - Remotely exploitable buffer overflow
- Packages Affected: <pine-4.58
- Rectification: Synchronize and emerge pine, emerge clean.
- GLSA Announcement
GLSA: openssh
"All versions of OpenSSH's sshd prior to 3.7.1_p1 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively."
GLSA: sendmail
"Fix a buffer overflow in address parsing. Problem detected by Michal Zalewski, patch from Todd C. Miller of Courtesan Consulting.
Fix a potential buffer overflow in ruleset parsing. This problem is not exploitable in the default sendmail configuration; only if non-standard rulesets recipient (2), final (4), or mailer-specific envelope recipients rulesets are used then a problem may occur. Problem noted by Timo Sirainen."
- Severity: High - Buffer Overflow
- Packages Affected: <sendmail-8.2.10
- Rectification: Synchronize and emerge sendmail, emerge clean.
- GLSA Announcement
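A version check against the "Packages Affected" bounds listed above, as an added example that is not part of the original newsletter and is not Portage's own comparison code. It assumes plain dotted versions with an optional -rN revision; the inventory at the end is constructed sample data.

```python
import re

# Upper bounds copied from the "Packages Affected" lines above: a package
# below its bound is affected. mysql (several atoms across release series)
# and openssh (a _p suffix) are left out of this simplified check.
FIXED_IN = {
    "exim": "4.21",
    "pine": "4.58",
    "sendmail": "8.2.10",
}

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Split 'N.N.N[-rN]' into (numeric components, revision)."""
    m = _VERSION.match(version)
    if m is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def is_older(installed, bound):
    """True when installed < bound, comparing components as integers."""
    (a, ra), (b, rb) = parse_version(installed), parse_version(bound)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so 4.2 compares like 4.2.0
    b += (0,) * (width - len(b))
    return (a, ra) < (b, rb)


def audit(installed):
    """Map each installed package named in FIXED_IN to a status string."""
    report = {}
    for name, version in installed.items():
        if name not in FIXED_IN:
            continue
        try:
            older = is_older(version, FIXED_IN[name])
            report[name] = "affected" if older else "ok"
        except ValueError:
            # Suffixes such as _p1 need Portage's full ordering rules.
            report[name] = "check manually"
    return report


# Constructed sample inventory, not taken from a real host.
SAMPLE = {"exim": "4.20-r1", "pine": "4.58", "sendmail": "8.2.9", "bash": "2.05b"}
```

Comparing the components as integers matters here: a plain string comparison would rank 8.2.9 above 8.2.10 and report the sample sendmail as unaffected.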
New Security Bug Reports
There were no new security bugs opened this week.
3. Featured Developer of the Week
Brian Jackson
Figure 3.1: Brian Jackson
We are pleased to present Brian
Jackson, who has gone by the handle iggy for the better
part of a decade. Brian maintains the courier MTA package, as well as
working on the gentoo-cluster
project and assisting with patch maintenance for the kernel
team. He modestly describes his duties as "mostly bug-fixing" and
kernel "patch monkey", and keeps an eye peeled for prospective new
developers while participating in the recently-inaugurated Gentoo
Bugdays.
Brian lives in Montgomery, Texas, just outside Houston. His home
enjoys a surfeit of mammals: three cats, 300 lbs of Great Dane (in two
discrete packages) and a wife share the space. He also seems to have
an infestation of computers, with an Athlon XP 2600 (2 GB, NForce2)
main workstation, Athlon XP 1800 (1 Gb, Radeon) media server, P2 450
file server, two Epia boxen for cluster testing and a pair of test
servers. Given the situation, his lament that he has "poor
air conditioning" seems particularly poignant.
He is a professional network administrator and programmer who has
unfortunately recently been numbered among the victims of IT startup
failures - a situation unlikely to continue for long. He currently
works from a home office decorated with a lava lamp and a sumo
penguin. Brian attended the US Navy's Nuclear Power School, and enjoys
working with sport compact cars when not working on his computers.
When he finds time, he is a skilled cook. He also spends a lot of
time with his pets, and generally starts his day by letting the dogs
out before retiring to his office and computers.
Brian first began using Linux in the mid-1990s, trying out Red Hat
and SuSE before a friend firmly admonished him to start using
Slackware. He first heard about Gentoo on a Linux news-site about a
year ago, and migrated to it once he had confirmed that lilo was
available as a bootloader. Brian is a KDE user, generally having
KMail and a number of Konsoles open at any given time. One of the
Konsoles is invariably connected to a screen'd IRSSI client running on
one of his servers. In addition, he uses Kate for editing, courier for
his MTA, and is fond of the djbdns DNS server. When asked to provide
a favorite quote, Brian cited Edmund Burke: "All that is necessary
for the triumph of evil is that good men do nothing."
4. Heard in the Community
Web Forums
Life on the Bleeding Edge
Accepting the ~x86 keyword is usually not nearly as unstable as people might think. Nonetheless, on occasion, very nasty things are known to happen. They may not be that big a deal if you're a developer and used to your system breaking apart every now and then, but ~x86 is being followed by newbyish to intermediate Gentooists, too. They like to stick to it to get the latest and greatest software across all genres, even if they know they could be in for a bumpy ride. Nothing wrong with that as long as you manage to stay in the saddle, but on occasion the horse turns its head and delivers some very painful bites...
KDE 3.1.4 and 3.2 Alpha
The forums were teeming with threads about KDE last week, with the appearance of both KDE 3.1.4 (including a brief episode of chicken-and-egg blocking of Qt 3.2.1 ebuilds), and - more importantly - the first alpha version of the next major minor release bump scheduled for early December: KDE 3.2. The ebuilds for the latter are still masked, but Gentoo KDE lead caleb, who started both forum threads, encourages people to test the new version...
gentoo-dev
Where we come from.
Ever wondered where Gentoo came from? The tales of its journeys? The frivolous fantasies that have followed its growth? Well, have a look here! After a post to gentoo-dev on what Gentoo hopes to achieve, this short history was posted.
5. Gentoo International
Germany: Regional Gentoo Meetings
Separated by only 24 hours and 98,5 kilometres, two regional German Gentooist gatherings are going to take place in October. The Gentoo faction of the Ruhrgebiet - a sprawl of dozens of loosely connected cities with a total of 5,5 million inhabitants - elected a quite appropriately oversized steel and glass complex located in Oberhausen, the Centro, as their venue on 8 October, 19:00 hours. Meanwhile, the Bonn bunch has (tentatively) decided to meet just one day later, on 9 October, in a classic grassroots community location, the Netzladen. Details for both meetings are being swapped via forum threads, click here for Oberhausen or here for Bonn. Busy week for people who'd also like to attend the Practical Linux day in Gießen two days later - and another 155,6 kilometres west...
6. Portage Watch
Portage Watch is on hiatus this week.
7. Bugzilla
Statistics
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 12 September 2003 and 18 September 2003, activity
on the site has resulted in:
- 539 new bugs during this period
- 281 bugs closed or resolved during this period
- 4 previously closed bugs were reopened this period
Of the 3942 currently open bugs: 90 are labeled 'blocker', 198 are labeled 'critical', and 295 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs during this period are:
8. Tips and Tricks
An introduction to info
This week's tip introduces the info command. Just about everyone
has used the man command to look up information on a command, but
the info command is less well known. However, it's actually the
preferred documentation method of many programmers. So if man
doesn't have what you're looking for, try using info instead.
info uses the concept of nodes for information. Each page of
information on a topic is a node and you can navigate between nodes using
n to move forward and p to move backwards. To get started
with info, just type info at the command prompt. There's an easy to
follow tutorial you can view by typing h or, for just a list of
available commands, type ?.
If you're looking for documentation on a specific command, you can use
info command (e.g. info tar). If you're not quite sure what
the command name is, but want to search, add the --apropos=STRING
option. For example, if you're looking for documentation on mysqld, you
could use info --apropos=mysqld. This displays a list of nodes with
information on mysqld.
This is just an introduction to info, but hopefully it will help you
get to know your system a little better. Remember, to get started with
the primer, use info and then press h.
9. Moves, Adds and Changes
Moves
The following developers recently left the Gentoo team:
Adds
The following developers recently joined the Gentoo Linux team:
- Wolfram Schlich (wschlich) -- virus scanning
- Hallgrimur H. Gunnarsson (hhg) -- daemontools
- Marius Mauch (genone) -- portage
- Douglas Russell (puggy) -- repoman
- Markus Nigbur (pYrania) -- portage, general bugfixing
- Ian Leitch (port001) -- general bugfixing
Changes
The following developers recently changed roles within the Gentoo Linux project.
10. Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
11. GWN Feedback
Please send us your feedback and help make the GWN better.
12. GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.
13. Other Languages
The Gentoo Weekly Newsletter is also available in the following languages: