
Gentoo Weekly Newsletter: 27 March 2006

Content:

1.  Gentoo news

Security team recruiting campaign

Security has always been one of the Gentoo project's strongest aspects. To prevent the quality of GLSAs from dropping, the security team has started to actively look for additional help among existing and future developers. This recruitment campaign aims to compensate for the potential problems that can delay the fixing of security bugs, including missing or inactive package maintainers, but also a lack of GLSA coordinators. Other areas that need more support are the KISS project (kernel security advisory system) and glsa-check integration into Portage. If you're able and willing to help with any of these security-related issues, please contact one of the following project/subproject leaders:

Note: See the latest security team meeting report for more details.

Bugzilla category change for the installer project

The maintainers of bugs.gentoo.org have removed the old "Gentoo Linux Installer" (GLI) component inside the "Gentoo Linux" category. Instead they have added an "Installer" component as a "Gentoo Release Media" subcategory. All the old bugs are already reassigned, and if you would like to file a bug regarding the installer, please use the new component!

Ruby on Rails 1.1 RC1 hits Portage

The first release candidate of Ruby on Rails 1.1 is now in Portage. For users running ~arch, it will add the new versions to their gem installations without removing the old ones. They will be able to make use of the new version, and can still lock their code to the old version if they need to. The Portage versions all end in .4008, which represents upstream's subversion repository commit number for the 1.1_RC1 release.

Users who are interested in trying out the new versions are encouraged to do so, and to file bugs with either Gentoo or http://dev.rubyonrails.org as appropriate. Those who want to lock their existing Rails applications to a specific version can see the following URLs for information on how to do so:

2.  Heard in the community

Web forums

Timezone down under

Gentoo's timezone data was not updated in time for the one-off daylight saving change made for the Commonwealth Games, held in Australia until the end of March. Several Australian states postponed the usual end of daylight saving time until 2 April, so systems carrying the old rules switch back a week too early. To keep your clock from running an hour behind local time for that week, check this thread:

Suddenly the dungeon collapses

Are games in Gentoo inherently unsafe? A recently discovered vulnerability in Nethack has sparked this lively debate. The vulnerability isn't in Nethack though. It is caused by the way Gentoo handles games and was not a problem for any other distro. Should we find a new way to handle the games group? Come and join the debate!

3.  Gentoo in the press

ZDNet France (20 March 2006, in French)

"Renaissance" is the title of an animated movie by Christian Volckman set in the year 2054 in Paris. A young scientist is being kidnapped, and an obscure police officer is trying to get her back. While real human actors were involved in the making of this "animated Matrix", it was merely to capture their movements and have those transformed into computer-generated black-and-white images -- rendered entirely on a cluster of 200 Gentoo Linux servers. The French ZDNet website clearly thought this was worth an article, which is based on an interview with Julien Doussot, a technical director of "Attitude Studio", the creative team behind the scenes. In cinemas in France since last week.

Newsforge (21 March 2006)

"A distro of power" is what Joseph Quigley calls Gentoo Linux in his testimonial, published last Tuesday as the latest addition to Newsforge's "My Desktop OS" mini-series. In spite of using Gentoo on what he calls a "low-end system," he was impressed that he "could watch a DVD and compile KDE simultaneously with few interruptions or glitches." There are those who'd disagree on his 1.58GHz Sempron 2300 with 512MB of RAM being on the low end of things, but then again: "If you have a higher-end system, you won't be disappointed either," says Quigley.

4.  Gentoo developer moves

Moves

The following developers recently left the Gentoo project:

  • None this week

Adds

The following developers recently joined the Gentoo project:

  • None this week

Changes

The following developers recently changed roles within the Gentoo project:

  • Thierry Carrez (koon) - stepped down as operational security co-lead
  • Stefan Cornelius (DerCorny) - new operational security co-lead

5.  Gentoo Security

PeerCast: Buffer overflow

PeerCast is vulnerable to a buffer overflow that may lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

Pngcrush: Buffer overflow

Pngcrush is vulnerable to a buffer overflow which could potentially lead to the execution of arbitrary code.

For more information, please see the GLSA Announcement

cURL/libcurl: Buffer overflow in the handling of TFTP URLs

libcurl is affected by a buffer overflow in the handling of URLs for the TFTP protocol, which could be exploited to compromise a user's system.

For more information, please see the GLSA Announcement

Macromedia Flash Player: Arbitrary code execution

Multiple vulnerabilities have been identified that allow arbitrary code execution on a user's system via the handling of malicious SWF files.

For more information, please see the GLSA Announcement

Sendmail: Race condition in the handling of asynchronous signals

Sendmail is vulnerable to a race condition which could lead to the execution of arbitrary code with sendmail privileges.

For more information, please see the GLSA Announcement

PHP: Format string and XSS vulnerabilities

Multiple vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers, perform cross-site scripting or, in some cases, execute arbitrary code.

For more information, please see the GLSA Announcement

NetHack, Slash'EM, Falcon's Eye: Local privilege escalation

NetHack, Slash'EM and Falcon's Eye contain local privilege escalation vulnerabilities that could potentially allow the execution of arbitrary code as other users.

For more information, please see the GLSA Announcement
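Neither the forum thread in section 2 nor the advisory above spells out the mechanism; the general lesson for anyone packaging setgid games (or any setgid program) is that a binary whose group can also write to the files it trusts hands control to every member of that group. The following is an added example, not Gentoo's, NetHack's or the GLSA's own code: a small POSIX sh audit that walks an install tree, finds setgid executables, and lists every file or directory in the same tree that the binary's group can write to. The `/usr/games` prefix in the usage line and the column layout of `ls -ld` (group in the fourth field, as on Linux and the BSDs) are assumptions.

```shell
#!/bin/sh
# Added example (not Gentoo's or NetHack's code): audit a tree for setgid
# executables whose owning group can also write to files or directories in
# that tree. If ordinary users are members of that group, any of them can
# alter data the setgid program trusts, or the program itself.
# Assumption: "ls -ld" prints the group in the fourth column.

# Print the owning group of a path.
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# For every setgid regular file under $1, list every other file or directory
# under $1 that is writable by the same group.
# Output, one finding per line: <setgid binary> TAB <group> TAB <writable path>
audit_setgid_group_writable() {
    root=$1
    find "$root" -type f -perm -2000 2>/dev/null | while IFS= read -r bin; do
        grp=$(file_group "$bin")
        find "$root" \( -type f -o -type d \) -group "$grp" -perm -0020 2>/dev/null |
        while IFS= read -r target; do
            # The binary itself is reported only if it is group-writable, which
            # would let the group replace the setgid program outright.
            [ "$target" = "$bin" ] && continue
            printf '%s\t%s\t%s\n' "$bin" "$grp" "$target"
        done
    done
}

# Exit status 0 when no findings, 1 otherwise, so the check can gate a build
# or a package install step.
audit_is_clean() {
    n=$(audit_setgid_group_writable "$1" | awk 'END { print NR }')
    [ "$n" -eq 0 ]
}

# Usage: sh audit_setgid.sh /usr/games     (assumed install prefix)
if [ -n "$1" ]; then
    audit_setgid_group_writable "$1"
    audit_is_clean "$1" && echo "clean" || echo "group-writable data next to setgid binaries"
fi
```

The audit is a heuristic: it flags anything the group can write under the tree, whether or not the binary actually reads it, so expect a few benign hits (a scores file that is meant to be shared, say). The finding that matters is a writable file the program later executes or loads, or a writable directory from which it resolves paths, since either lets one member of the group run code as any other user who starts the same game.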

RealPlayer: Buffer overflow vulnerability

RealPlayer is vulnerable to a buffer overflow that could lead to remote execution of arbitrary code.

For more information, please see the GLSA Announcement

6.  Bugzilla

Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 19 March 2006 and 26 March 2006, activity on the site has resulted in:

  • 832 new bugs during this period
  • 481 bugs closed or resolved during this period
  • 27 previously closed bugs were reopened this period

Of the 9756 currently open bugs: 66 are labeled 'blocker', 150 are labeled 'critical', and 536 are labeled 'major'.

Closed bug rankings

The developers and teams who have closed the most bugs during this period are:

New bug rankings

The developers and teams who have been assigned the most new bugs during this period are:

7.  GWN feedback

Please send us your feedback and help make the GWN better.

8.  GWN subscription information

To subscribe to the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn+subscribe@gentoo.org.

To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to gentoo-gwn+unsubscribe@gentoo.org from the email address you are subscribed under.

9.  Other languages

The Gentoo Weekly Newsletter is also available in the following languages:




Page updated March 27, 2006

Summary: This is the Gentoo Weekly Newsletter for the week of 27 March 2006.

Ulrich Plate
Editor

Andrew Gaffney
Author

Curtis Napier
Author

Caleb Tennis
Author

Donate to support our development efforts.

Copyright 2001-2014 Gentoo Foundation, Inc. Questions, Comments? Contact us.