Gentoo Weekly Newsletter: September 22, 2003
Gentoo 1.4 maintenance release 1 for x86
New 20030911 builds of Gentoo 1.4 are now available on mirrors and at the Gentoo Store so this may be a good time to reburn your CDs or to order some copies of the LiveCDs. This maintenance build has the same functionality as the 1.4 release but fixes many bugs. Also, if you installed Gentoo with the 1.4 release there's no need to worry because the releases are only relevant for the LiveCDs and GRPs; run emerge rsync; emerge -u world and your Gentoo system will be as up-to-date as anyone else's.
Experimental IA-64 stage1 available
The IA-64 port can now be fully built from stage1, and an experimental IA-64 stage1 tarball is now available under experimental/ia64. There's no LiveCD, but users are encouraged to try building a system, see how it works, and submit bugs to Bugzilla.
Quote from advisory:
"Anyone with global administrative privileges on a MySQL server may execute arbitrary code even on a host he isn't supposed to have a shell on, with the privileges of the system account running the MySQL server."
- Severity: High - execute arbitrary code.
- Packages Affected: <mysql-3.23.57-r1 <mysql-4.0.13-r4 >=mysql-4.0.14-r2(masked)
- Rectification: emerge sync; emerge dev-db/mysql/<mysql version>; emerge clean
- GLSA Announcement
"There's a heap overflow in all versions of exim3 and exim4 prior to version 4.21. It can be exercised by anyone who can make an SMTP connection to the exim daemon."
- Severity: Low - heap overflow
- Packages Affected: <exim-4.21
- Rectification: Synchronize and emerge exim, emerge clean.
- GLSA Announcement
"A remotely exploitable buffer overflow exists within the parsing of the message/external-body type attribute name/value pairs. Failure to check that the length of the longest attribute is less than the space available allows a maliciously formed e-mail message to overwrite control structures."
- Severity: High - Remotely exploitable buffer overflow
- Packages Affected: <pine-4.58
- Rectification: Synchronize and emerge pine, emerge clean.
- GLSA Announcement
"All versions of OpenSSH's sshd prior to 3.7.1_p1 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively."
"Fix a buffer overflow in address parsing. Problem detected by Michal Zalewski, patch from Todd C. Miller of Courtesan Consulting."
Fix a potential buffer overflow in ruleset parsing. This problem is not exploitable in the default sendmail configuration; only if non-standard rulesets recipient (2), final (4), or mailer-specific envelope recipients rulesets are used then a problem may occur. Problem noted by Timo Sirainen."
- Severity: High - Buffer Overflow
- Packages Affected: <sendmail-8.2.10
- Rectification: Synchronize and emerge sendmail, emerge clean.
- GLSA Announcement
New Security Bug Reports
There were no new security bugs opened this week.
Featured Developer of the Week
Figure 3.1: Brian Jackson
We are pleased to present Brian
Jackson, who has gone by the handle iggy for the better
part of a decade. Brian maintains the courier MTA package, as well as
working on the gentoo-cluster
project and assisting with patch maintenance for the kernel
team. He modestly describes his duties as "mostly bug-fixing" and
kernel "patch monkey", and keeps an eye peeled for prospective new
developers while participating in the recently-inaugurated Gentoo
Brian lives in Montgomery, Texas, just outside Houston. His home
enjoys a surfeit of mammals: three cats, 300 lbs of Great Dane (in two
discrete packages) and a wife share the space. He also seems to have
an infestation of computers, with an Athlon XP 2600 (2 GB, NForce2)
main workstation, Athlon XP 1800 (1 Gb, Radeon) media server, P2 450
file server, two Epia boxen for cluster testing and a pair of test
servers. Given the situation, his lament that he has "poor
air conditioning" seems particularly poignant.
He is a professional network administrator and programmer who has
unfortunately recently been numbered among the victims of IT startup
failures - a situation unlikely to continue for long. He currently
works from a home office decorated with a lava lamp and a sumo
penguin. Brian attended the US Navy's Nuclear Power School, and enjoys
working with sport compact cars when not working on his computers.
When he finds time, he is a skilled cook. He also spends a lot of
time with his pets, and generally starts his day by letting the dogs
out before retiring to his office and computers.
Brian first began using Linux in the mid-1990's, trying out Red Hat
and SuSE before a friend firmly admonished him to start using
Slackware. He first heard about Gentoo on a Linux news-site about a
year ago, and migrated to it once he had confirmed that lilo was
available as a bootloader. Brian is a KDE user, generally having
KMail and a number of Konsoles open at any given time. One of the
Konsoles is invariably connected to a screen'd IRSSI client running on
one of his servers. In addition, he uses Kate for editing, courier for
his MTA, and is fond of the djbdns DNS server. When asked to provide
a favorite quote, Brian cited Edmond Burke: "All that is necessary
for the triumph of evil is that good men do nothing."
Heard in the Community
Life on the Bleeding Edge
Accepting the ~x86 keyword is usually not near as unstable as people might think. Nonetheless: on occasion, very nasty things are known to happen. They may not be that big a deal if you're a developer and used to your system breaking apart every now and then, but ~x86 is being followed by newbyish to intermediate Gentooists, too. They like to stick to it to get the latest and greatest software across all genres, even if they know they could be in for a bumpy ride. Nothing wrong with that as long as you manage to stay in the saddle, but on occasion the horse turns its head and delivers some very painful bites...
KDE 3.1.4 and 3.2 Alpha
The forums have been teeming with threads about KDE last week, with the appearance of both KDE 3.1.4 (including a brief episode of chicken-and-egg blocking of Qt 3.2.1 ebuilds), and - more importantly - the first alpha version of the next major minor release bump scheduled for early December: KDE 3.2. The ebuilds for the latter are still masked, but Gentoo KDE lead caleb who started both forum threads encourages people to test the new version...
Where we come from.
Ever wondered where Gentoo came from? The tales of its journeys? The frivolous fantasies that have followed its growth? Well have a look
here! After a post to gentoo-dev on what gentoo hopes to achieve, this short history was posted.
Germany: Regional Gentoo Meetings
Separated by only 24 hours and 98,5 kilometres, two regional German Gentooist gatherings are going to take place in October. The Ruhrgebiet - a sprawl of dozens of loosely connected cities with a total of 5,5 million inhabitants - Gentoo faction elected a quite appropriately oversized steel and glass complex located in Oberhausen, the Centro, as their venue on 8 October, 19:00 hours. Meanwhile, the Bonn bunch has (tentatively) decided to meet on 9 October in a classic grassroots community location, the Netzladen, just one day later, on 9 October. Details for both meetings are being swapped via forum threads, click here for Oberhausen or here for Bonn. Busy week for people who'd also like to attend the Practical Linux day in Gießen two days later - and another 155,6 kilometres west...
Portage Watch is on hiatus this week.
The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track
bugs, notifications, suggestions and other interactions with the development team. Between 12 September 2003 and 18 September 2003, activity
on the site has resulted in:
- 539 new bugs during this period
- 281 bugs closed or resolved during this period
- 4 previously closed bugs were reopened this period
Of the 3942 currently open bugs: 90 are labeled 'blocker', 198 are labeled 'critical', and 295 are labeled 'major'.
Closed Bug Rankings
The developers and teams who have closed the most bugs during this period are:
New Bug Rankings
The developers and teams who have been assigned the most new bugs during this period are:
Tips and Tricks
An introduction to info
This week's tip introduces the info command. Just about everyone
has used the man command to look up information on a command, but
the info command is less well known. However, it's actually the
preferred documentation method of many programmers. So if man
doesn't have what you're looking for, try using info instead.
info uses the concept of nodes for information. Each page of
information on a topic is a node and you can navigate between nodes using
n to move forward and p to move backwards. To get started
with info, just type info at the command prompt. There's an easy to
follow tutorial you can view by typing h or, for just a list of
available commands, type ?.
If you're looking for documentation on a specific command, you can use
info command (e.g. info tar). If you're not quite sure what
the command name is, but want to search, add the --apropos=STRING
option. For example, if you're looking for documentation on mysqld, you
could use info --apropos=mysqld. This displays a list of nodes with
information on mysqld.
This is just an introduction to info, but hopefully it will help you
get to know your system a little better. Remember, to get started with
the primer, use info and the press h.
Moves, Adds and Changes
The following developers recently left the Gentoo team:
The following developers recently joined the Gentoo Linux team:
- Wolfram Schlich (wschlich) -- virus scanning
- Hallgrimur H. Gunnarsson (hhg) -- daemontools
- Marius Mauch (genone) -- portage
- Douglas Russell (puggy) -- repoman
- Markus Nigbur (pYrania) -- portage, general bugfixing
- Ian Leitch (port001) -- general bugfixing
The following developers recently changed roles within the Gentoo Linux project.
Contribute to GWN
Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.
Please send us your feedback and help make the GWN better.
GWN Subscription Information
To subscribe to the Gentoo Weekly Newsletter, send a blank email to firstname.lastname@example.org.
To unsubscribe to the Gentoo Weekly Newsletter, send a blank email to email@example.com from the email address you are subscribed under.
The Gentoo Weekly Newsletter is also available in the following languages: