
Gentoo Weekly Newsletter: September 6, 2004

Content:

1.  Gentoo News

New BugDay website

We're very pleased to announce the new BugDay website, where you'll find a list of bugs that the BugDay team have compiled for the benefit of BugDay participants. Many of these bugs shouldn't be too difficult to fix, so this might be a good way for you to get started if you're new to development. We'd like to thank Bjarke Istrup Pedersen, the BugDay participant who made the page. The next BugDay will be held on October 2nd; contact Bryan Ostergaard with any questions.

2.  Projects Update

Devrel

The monthly bugday has a new webpage to help co-ordinate community activities. Packages with known bugs are categorized and linked to help users find things to work on.

Releng

Release Engineering has started work on the 2004.3 release. The initial version of the 2004.3 Release Information Page is online and is expected to change a few times during the release cycle. Goals for 2004.3 include minimizing the size of the LiveCD, especially the minimal LiveCD, using only a single 2.6 kernel for both x86 and amd64, switching to udev as the device manager on the LiveCD itself, using cascading profiles by default across all architectures, and fixing any bugs from the 2004.2 release.

Security

Security set a new productivity record by releasing 27 GLSAs last month. These security announcements documented fixes for a variety of packages, including Python and rsync, as well as potential information leaks in the kernel and glibc.

3.  Gentoo Security

vpopmail: Multiple vulnerabilities

vpopmail contains several bugs that make it vulnerable to SQL injection and, when built with Sybase support, to a buffer overflow and a format string attack. Any of these could lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

MySQL: Insecure temporary file creation in mysqlhotcopy

The mysqlhotcopy utility creates temporary files under predictable paths. A local attacker who plants a symlink at such a path beforehand can trick mysqlhotcopy into overwriting important files with the privileges of the user running it.

For more information, please see the GLSA Announcement

Python 2.2: Buffer overflow in getaddrinfo()

Python 2.2's getaddrinfo() contains a buffer overflow in its DNS handling that is triggered when Python is built with IPv6 disabled and a malformed IPv6 address is encountered.

For more information, please see the GLSA Announcement

Squid: Denial of service when using NTLM authentication

Squid is vulnerable to a denial of service attack which could crash its NTLM helpers.

For more information, please see the GLSA Announcement

Gallery: Arbitrary command execution

The Gallery image upload code contains a temporary file handling vulnerability which could lead to execution of arbitrary commands.

For more information, please see the GLSA Announcement

eGroupWare: Multiple XSS vulnerabilities

The eGroupWare software contains multiple cross site scripting vulnerabilities.

For more information, please see the GLSA Announcement

xv: Buffer overflows in image handling

xv contains multiple exploitable buffer overflows in the image handling code.

For more information, please see the GLSA Announcement

Ruby: CGI::Session creates files insecurely

When used for CGI scripting, Ruby creates session files in /tmp with the permissions of the default umask. Depending on that umask, local users may be able to read sensitive data stored in session files.

For more information, please see the GLSA Announcement
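The mysqlhotcopy and Ruby CGI::Session advisories above describe the same class of bug from two angles: a predictable file name in a shared directory, opened without O_EXCL (so a pre-planted symlink is followed), and a file created with whatever permissions the process umask happens to leave (so other local users can read it). The following Ruby script is an added illustration of that class and its fix; it is not code from either advisory or from the affected projects. The session id, directory and file names are constructed for the demonstration, and the script runs entirely inside a fresh temporary directory.

```ruby
require "tmpdir"

# Insecure pattern: predictable name, opened with plain "w" (no O_EXCL, so a
# symlink already sitting at that path is silently followed) and created with
# the default 0666 & ~umask, which a permissive umask leaves world-readable.
def write_session_insecure(dir, session_id, data)
  path = File.join(dir, "rb_sess.#{session_id}")   # constructed name
  File.open(path, "w") { |f| f.write(data) }
  path
end

# Hardened pattern: O_EXCL makes open fail if anything (a file or a symlink)
# already exists at the path, and an explicit 0600 mode keeps the file private
# regardless of the caller's umask.
def write_session_secure(dir, session_id, data)
  path = File.join(dir, "rb_sess.#{session_id}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(data)
  end
  path
end

# Plays the attacker (symlink planted at the predictable path) against both
# writers, then compares the resulting file modes under a 0022 umask.
# Returns a hash of observations so the outcome can be checked programmatically.
def demo
  Dir.mktmpdir do |dir|
    victim = File.join(dir, "victim.txt")          # file the attacker wants clobbered
    File.write(victim, "original contents\n")
    sid  = "1234"                                   # predictable session id (constructed)
    link = File.join(dir, "rb_sess.#{sid}")
    File.symlink(victim, link)                      # attacker pre-plants the symlink

    # Insecure writer follows the symlink and overwrites the victim file.
    write_session_insecure(dir, sid, "attacker-controlled\n")
    clobbered = File.read(victim) != "original contents\n"

    # Secure writer refuses because something already exists at the path.
    exclusive_refused = begin
      write_session_secure(dir, sid, "x")
      false
    rescue Errno::EEXIST
      true
    end

    # Permission comparison with a typical 0022 umask (restored afterwards).
    File.delete(link)
    old_umask = File.umask(0022)
    insecure_path = write_session_insecure(dir, sid, "secret")
    insecure_mode = File.stat(insecure_path).mode & 0777
    File.delete(insecure_path)
    secure_path = write_session_secure(dir, sid, "secret")
    secure_mode = File.stat(secure_path).mode & 0777
    File.umask(old_umask)

    { clobbered: clobbered, exclusive_refused: exclusive_refused,
      insecure_mode: insecure_mode, secure_mode: secure_mode }
  end
end

if __FILE__ == $0
  r = demo
  puts "victim overwritten via symlink: #{r[:clobbered]}"
  puts "O_EXCL refused planted path:    #{r[:exclusive_refused]}"
  puts format("insecure mode: %04o, secure mode: %04o", r[:insecure_mode], r[:secure_mode])
end
```

The script needs a Unix-like system where unprivileged users can create symlinks. The same two controls, O_EXCL plus an explicit restrictive mode (or a library equivalent such as mkstemp), are what close both advisories; a private per-user directory instead of a shared /tmp removes the symlink race entirely.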

MIT krb5: Multiple vulnerabilities

MIT krb5 contains several double-free vulnerabilities, potentially allowing the execution of arbitrary code, as well as a denial of service vulnerability.

For more information, please see the GLSA Announcement

multi-gnome-terminal: Information leak

multi-gnome-terminal's keystroke logging feature has been found to write its logs to potentially world-readable files. This could allow any other local user on the system to read sensitive data, including passwords.

For more information, please see the GLSA Announcement

4.  Featured Developer of the Week

Deedra Waters

Fig. 1: Deedra Waters, with Caesar and Savannah

This week, we are pleased to introduce Deedra Waters (dmwaters), the Operational Lead for Developer Relations, itinerant recruiter, organization Trustee, manager of Gentoo's mail infrastructure and Lead for Gentoo's Accessibility project. Deedra is also a senior staff member for the freenode IRC network, and is in the process of moving from Florida to a new job in the Open Source Lab at Oregon State University, where she will be enrolling as a student this Fall.

Deedra's primary duties include identifying and recruiting new developers for the project, ensuring that developers have the resources and communication channels they need, and helping resolve any conflicts that arise. As a member of Gentoo's Board of Trustees, she is currently helping with copyright assignment and other legal niceties that are required for the smooth running of a non-commercial distro. For the accessibility project, she helps co-ordinate the identification and importation of accessibility software for handicapped Gentoo users, such as software packages for visually impaired users, or those who cannot use a standard keyboard. It is the latter endeavor that she is especially proud of having helped establish, characterizing it with the statement that "Linux is a wonderful thing for blind users for several reasons, and I think that Gentoo is the most accessible distro out there."

Deedra began using Linux with Debian in 2001, and was given a self-directed crash course when the friend who had installed it for her left the country. When Kurt Lieber introduced her to Gentoo (or, as she says, "bribed her to use it") last year, she switched over to using Gentoo. Shortly thereafter, she volunteered to help out, and began working on managing the mailing lists for the Infrastructure team, and later was named a Developer to assist with implementing accessibility features.

Some of our standard interview questions, such as "what desktop environment do you prefer?", were mooted by the fact that Deedra is totally blind, which many people who have encountered her online will be surprised to hear. This has affected her choice of favorite apps, which tend to be "best-of-breed" console apps such as mutt, pine, irssi, zinf, subversion and keychain. She uses SpeakUp for converting text to speech. She took a few moments to talk about people's reactions: "I'm totally blind, and have been since I was born. Some people feel sorry for me when they hear that, or feel bad for asking me questions about it, but it's one of those things that don't bother me. The way I explain it to people is a bit like 'I don't really care about not being able to see. I've never been able to, so I don't miss it.'" Which is enough about that.

5.  Heard in the Community

Web Forums

Gmail Tools

No, Gmail does not stand for Gentoo Mail, unfortunately. But Google's invited-beta-testers-only, 1GB-per-inbox webmail system has attracted many Gentoo users, who are now busy trying to figure out what to do with their accounts. Some things are barely legal (mounting the Gmail disk space as a file system most certainly isn't in compliance with Google's license agreement); others are more subtle, offering alert mechanisms for new messages in your Gmail inbox, for example. Not surprisingly, every change in the settings over at the Gmail servers breaks gtray and assorted other desklets, but they are expected to catch up, of course. There's even an ebuild for libgmail, the foundation for all of those utilities, but the Gentoo developers have made it clear that it will not be part of Portage unless Google says it's OK to do so. In case you don't have a Gmail account yet, check towards the end of the "anyone want gmail?" thread, where there are always Gentoo forum users offering fresh invitations.

gentoo-user

Message User Agents

This week, gentoo-user list member David Vincent posed a few questions about his conversion from Microsoft Outlook to KDE's KMail application. Where could he change settings for message color tagging? What about not immediately deleting messages? What about allowing HTML emails only from senders you specify? His questions were answered, but in typical community fashion the thread also spawned a varied discussion on how to accomplish these things and more with all types of mail user agents.

Gentoo Not LSB Compliant?

Isn't Gentoo Linux compliant with the LSB standards? Read comments on just how closely Gentoo follows the Linux Standard Base specification.

The other emerge.log

Wondering what ebuild messages you missed during a long running emerge? This thread reminds us of a handy portage feature and how you can log those important messages for later review.

Reiser4

Considering moving to Reiser4? Check out the good and bad experiences of several fellow users.

6.  Gentoo International

UK: Triple Nomination for Gentoo in Linux Format Magazine Awards

Linux Format, a magazine published by Future Publications in the UK, is currently taking votes on their 2004 awards for best open source software projects. Gentoo figures no less than three times among the nominees, as best project, best , and the Gentoo Forums in their own category, best support platform! Place your vote here.

7.  Bugzilla

Summary

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 29 August 2004 and 03 September 2004, activity on the site has resulted in:

  • 612 new bugs during this period
  • 407 bugs closed or resolved during this period
  • 12 previously closed bugs were reopened this period

Of the 6925 currently open bugs: 141 are labeled 'blocker', 198 are labeled 'critical', and 551 are labeled 'major'.

Closed Bug Rankings

The developers and teams who have closed the most bugs during this period are:

New Bug Rankings

The developers and teams who have been assigned the most new bugs during this period are:

8.  Tips and Tricks

This section is always looking for volunteers to submit their favourite Linux shortcuts, bash scripting tricks and other ideas to make life with Gentoo Linux a little more comfortable. If you have anything you'd like to share with other users, please submit it to the GWN team.

9.  Moves, Adds, and Changes

Moves

The following developers recently left the Gentoo team:

  • None this week

Adds

The following developers recently joined the Gentoo Linux team:

  • None this week

Changes

The following developers recently changed roles within the Gentoo Linux project:

  • None this week

10.  Contribute to GWN

Interested in contributing to the Gentoo Weekly Newsletter? Send us an email.

11.  GWN Feedback

Please send us your feedback and help make the GWN better.

12.  GWN Subscription Information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn-unsubscribe@gentoo.org from the email address you are subscribed under.

13.  Other Languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated 6 September 2004

Summary: This is the Gentoo Weekly Newsletter for the week of September 6th, 2004.

Yuji Carlos Kosugi
Editor

AJ Armstrong
Contributor

Brian Downey
Contributor

Kurt Lieber
Contributor

David Narayan
Contributor

Ulrich Plate
Contributor

Sven Vermeulen
Contributor

Simon Holm Thagersen
Danish Translation

Jesper Brodersen
Danish Translation

Arne Mejlholm
Danish Translation

Hendrik Eeckhaut
Dutch Translation

Jorn Eilander
Dutch Translation

Bernard Kerckenaere
Dutch Translation

Peter ter Borg
Dutch Translation

Jochen Maes
Dutch Translation

Roderick Goessen
Dutch Translation

Gerard van den Berg
Dutch Translation

Matthieu Montaudouin
French Translation

Xavier Neys
French Translation

Martin Prieto
French Translation

Antoine Raillon
French Translation

Sebastien Cevey
French Translation

Jean-Christophe Choisy
French Translation

Thomas Raschbacher
German Translation

Steffen Lassahn
German Translation

Matthias F. Brandstetter
German Translation

Lukas Domagala
German Translation

Tobias Scherbaum
German Translation

Daniel Gerholdt
German Translation

Marc Herren
German Translation

Tobias Matzat
German Translation

Marco Mascherpa
Italian Translation

Claudio Merloni
Italian Translation

Stefano Lucidi
Italian Translation

Katuyuki Konno
Japanese Translation

Hiroyuki Takeda
Japanese Translation

Masato Hatakeyama
Japanese Translation

Shigehiro Idani
Japanese Translation

Masayoshi Nakamura
Japanese Translation

Tomoyuki Sakurai
Japanese Translation

Lukasz Strzygowski
Polish Translation

Karol Goralski
Polish Translation

Atila "Jedi" Bohlke Vasconcelos
Portuguese (Brazil) Translation

Eduardo Belloti
Portuguese (Brazil) Translation

João Rafael Moraes Nicola
Portuguese (Brazil) Translation

Marcelo Gonçalves de Azambuja
Portuguese (Brazil) Translation

Otavio Rodolfo Piske
Portuguese (Brazil) Translation

Pablo N. Hess -- NatuNobilis
Portuguese (Brazil) Translation

Pedro de Medeiros
Portuguese (Brazil) Translation

Ventura Barbeiro
Portuguese (Brazil) Translation

Bruno Ferreira
Portuguese (Portugal) Translation

Gustavo Felisberto
Portuguese (Portugal) Translation

José Costa
Portuguese (Portugal) Translation

Luis Medina
Portuguese (Portugal) Translation

Ricardo Loureiro
Portuguese (Portugal) Translation

Aleksandr Martyncev
Russian Translation

Sergey Galkin
Russian Translation

Sergey Kuleshov
Russian Translation

Alex Spirin
Russian Translation

Denis Zaletov
Russian Translation

Guillermo Juarez
Spanish Translation

Fernando J. Pereda
Spanish Translation

Juan Diego Gutiérrez Gallardo
Spanish Translation

Nicolas Silva
Spanish Translation

Aycan Irican
Turkish Translation

Bugra Cakir
Turkish Translation

Cagil Seker
Turkish Translation

Emre Kazdagli
Turkish Translation

Evrim Ulu
Turkish Translation

Gursel Kaynak
Turkish Translation


Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.