public inbox for gentoo-gwn@lists.gentoo.org
From: Ulrich Plate <plate@gentoo.org>
To: gentoo-gwn@lists.gentoo.org
Subject: [gentoo-gwn] Gentoo Weekly Newsletter 27 March 2006
Date: Mon, 27 Mar 2006 07:58:55 +0200
Message-ID: <20060327075855.32550e4c.plate@gentoo.org>

---------------------------------------------------------------------------
Gentoo Weekly Newsletter
http://www.gentoo.org/news/en/gwn/current.xml
This is the Gentoo Weekly Newsletter for the week of 27 March 2006.
---------------------------------------------------------------------------
 
==============
1. Gentoo news
==============
  
Security team recruiting campaign
---------------------------------
  
Security has always been one of the Gentoo project's strongest aspects. To 
prevent the quality of GLSAs from dropping, the security team has started 
to actively look for additional help among existing and future developers. 
This recruitment campaign aims to compensate for the potential problems 
that can delay the fixing of security bugs, including missing or inactive 
package maintainers, but also a lack of GLSA coordinators. Other areas 
that need more support are the KISS project (kernel security advisory 
system) and glsa-check integration into Portage. If you're able and 
willing to help with any of these security-related issues, please contact 
one of the following project/subproject leaders: 
 
 * GLSA team: Sune Kloppenborg Jeppesen[1] or Stefan Cornelius[2] (who 
replaces Thierry Carrez as operational co-lead) 
 * Kernel team: Tim Yamin[3] 
 * Audit team: Tavis Ormandy[4] 
 1. jaervosz@gentoo.org
 2. dercorny@gentoo.org
 3. plasmaroo@gentoo.org
 4. taviso@gentoo.org

 
Note:  See the latest security team meeting report for more details. 
    
Bugzilla category change for the installer project
--------------------------------------------------
  
The maintainers of bugs.gentoo.org[5] have removed the old "Gentoo Linux 
Installer" (GLI) component inside the "Gentoo Linux" category. Instead 
they have added an "Installer" component as a "Gentoo Release Media" 
subcategory. All the old bugs are already reassigned, and if you would 
like to file a bug regarding the installer, please use the new component! 

 5. http://bugs.gentoo.org
    
Ruby on Rails 1.1 RC1 hits Portage
----------------------------------
  
The first release candidate of Ruby on Rails[6] 1.1 is now in Portage. For 
users running ~arch, it will add the new versions to their gem 
installations without removing the old ones. They will be able to make use 
of the new version, and can still lock their code to the old version if 
they need to. The Portage versions all end in .4008, which represents 
upstream's subversion repository commit number for the 1.1_RC1 release. 

 6. http://www.rubyonrails.com
 
Users who are interested in trying out the new versions are encouraged to 
do so, and file bugs to either Gentoo[7] or http://dev.rubyonrails.org[8] 
as appropriate. Those who want to lock their existing Rails applications 
to a specific version can see the following URLs for information on 
how to do so: 

 7. http://bugs.gentoo.org
 8. http://dev.rubyonrails.org
 
 * RC 1 announcement[9] 
 * How to lock to specific Rails versions[10] 
 9. 
http://weblog.rubyonrails.com/articles/2006/03/22/rails-1-1-release-candidate-1-available
 10. 
http://wiki.rubyonrails.com/rails/pages/HowtoLockToSpecificRailsVersions

    
=========================
2. Heard in the community
=========================
  
Web forums
----------
  
Timezone down under
 
Gentoo's timezone data was not updated in time to support the timezone 
change made for the Commonwealth Games held in Australia until the end of 
March. Several Australian states postponed the usual changeover to 
daylight saving time until 2 April. To prevent clocks from running an hour 
ahead of time for a whole week, check this thread: 
 
 * Newb: How to patch for Commonwealth Games DST[11] 
 11. http://forums.gentoo.org/viewtopic-t-423456.html

 
Suddenly the dungeon collapses
 
Are games in Gentoo inherently unsafe? A recently discovered vulnerability 
in Nethack has sparked this lively debate. The vulnerability isn't in 
Nethack though. It is caused by the way Gentoo handles games and was not a 
problem for any other distro. Should we find a new way to handle the games 
group? Come and join the debate! 
 
 * Gentoo games group leads to security hole - big surprise(!)[12] 
 12. http://forums.gentoo.org/viewtopic-t-446415.html

    
======================
3. Gentoo in the press
======================
  
ZDNet France (20 March 2006, in French)
---------------------------------------
  
"Renaissance"[13] is the title of an animated movie by Christian Volckman 
set in the year 2054 in Paris. A young scientist is kidnapped, and 
an obscure police officer is trying to get her back. While real human 
actors were involved in the making of this "animated Matrix", it was 
merely to capture their movements and have those transformed into 
computer-generated black-and-white images -- rendered entirely on a 
cluster of 200 Gentoo Linux servers. The French ZDNet website clearly 
thought this was worth an article[14], which is based on an interview with 
Julien Doussot, a technical director of "Attitude Studio"[15], the 
creative team behind the scenes. The film has been in cinemas in France 
since last week. 

 13. http://www.renaissance-lefilm.com
 14. http://www.zdnet.fr/actualites/informatique/0,39040745,39332299,00.htm
 15. http://www.attitude-studio.com
    
Newsforge (21 March 2006)
-------------------------
  
"A distro of power"[16] is what Joseph Quigley calls Gentoo Linux in his 
testimonial, published last Tuesday as the latest addition to Newsforge's 
"My Desktop OS" mini-series. In spite of using Gentoo on what he calls a 
"low-end system," he was impressed that he "could watch a DVD and compile 
KDE simultaneously with few interruptions or glitches." There are those 
who'd disagree on his 1.58GHz Sempron 2300 with 512MB of RAM being on the 
low end of things, but then again: "If you have a higher-end system, you 
won't be disappointed either," says Quigley. 

 16. http://os.newsforge.com/os/06/03/15/228227.shtml
    
=========================
4. Gentoo developer moves
=========================
  
Moves
-----
  
The following developers recently left the Gentoo project: 
 
 * None this week 
    
Adds
----
  
The following developers recently joined the Gentoo project: 
 
 * None this week 
    
Changes
-------
  
The following developers recently changed roles within the Gentoo project:
 
 * Thierry Carrez (koon) - stepped down as operational security co-lead 
 * Stefan Cornelius (DerCorny) - new operational security co-lead 
    
==================
5. Gentoo Security
==================
   
PeerCast: Buffer overflow
-------------------------
  
PeerCast is vulnerable to a buffer overflow that may lead to the execution 
of arbitrary code. 
 
For more information, please see the GLSA Announcement[17] 

 17. http://www.gentoo.org/security/en/glsa/glsa-200603-17.xml
    
Pngcrush: Buffer overflow
-------------------------
  
Pngcrush is vulnerable to a buffer overflow which could potentially lead 
to the execution of arbitrary code. 
 
For more information, please see the GLSA Announcement[18] 

 18. http://www.gentoo.org/security/en/glsa/glsa-200603-18.xml
    
cURL/libcurl: Buffer overflow in the handling of TFTP URLs
----------------------------------------------------------
  
libcurl is affected by a buffer overflow in the handling of URLs for the 
TFTP protocol, which could be exploited to compromise a user's system. 
 
For more information, please see the GLSA Announcement[19] 

 19. http://www.gentoo.org/security/en/glsa/glsa-200603-19.xml
    
Macromedia Flash Player: Arbitrary code execution
-------------------------------------------------
  
Multiple vulnerabilities have been identified that allow arbitrary code 
execution on a user's system via the handling of malicious SWF files. 
 
For more information, please see the GLSA Announcement[20] 

 20. http://www.gentoo.org/security/en/glsa/glsa-200603-20.xml
    
Sendmail: Race condition in the handling of asynchronous signals
----------------------------------------------------------------
  
Sendmail is vulnerable to a race condition which could lead to the 
execution of arbitrary code with sendmail privileges. 
 
For more information, please see the GLSA Announcement[21] 

 21. http://www.gentoo.org/security/en/glsa/glsa-200603-21.xml
    
PHP: Format string and XSS vulnerabilities
------------------------------------------
  
Multiple vulnerabilities in PHP allow remote attackers to inject arbitrary 
HTTP headers, perform cross site scripting or in some cases execute 
arbitrary code. 
 
For more information, please see the GLSA Announcement[22] 

 22. http://www.gentoo.org/security/en/glsa/glsa-200603-22.xml
    
NetHack, Slash'EM, Falcon's Eye: Local privilege escalation
-----------------------------------------------------------
  
NetHack, Slash'EM and Falcon's Eye are vulnerable to local privilege 
escalation vulnerabilities that could potentially allow the execution of 
arbitrary code as other users. 
 
For more information, please see the GLSA Announcement[23] 

 23. http://www.gentoo.org/security/en/glsa/glsa-200603-23.xml
    
RealPlayer: Buffer overflow vulnerability
-----------------------------------------
  
RealPlayer is vulnerable to a buffer overflow that could lead to remote 
execution of arbitrary code. 
 
For more information, please see the GLSA Announcement[24] 

 24. http://www.gentoo.org/security/en/glsa/glsa-200603-24.xml
     
===========
6. Bugzilla
===========
  
Statistics
----------
  
The Gentoo community uses Bugzilla (bugs.gentoo.org[25]) to record and 
track bugs, notifications, suggestions and other interactions with the 
development team. Between 19 March 2006 and 26 March 2006, activity on the 
site has resulted in: 

 25. http://bugs.gentoo.org
 
 * 832 new bugs during this period 
 * 481 bugs closed or resolved during this period 
 * 27 previously closed bugs were reopened this period 
 
Of the 9756 currently open bugs: 66 are labeled 'blocker', 150 are labeled 
'critical', and 536 are labeled 'major'. 
    
Closed bug rankings
-------------------
  
The developers and teams who have closed the most bugs during this period 
are: 
 
 * Gentoo Games[26], with 47 closed bugs[27]  
 * Gentoo Linux Gnome Desktop Team[28], with 21 closed bugs[29]  
 * Gentoo X-windows packagers[30], with 19 closed bugs[31]  
 * AMD64 Project[32], with 18 closed bugs[33]  
 * X11 External Driver Maintainers[34], with 14 closed bugs[35]  
 * Gentoo's Team for Core System packages[36], with 13 closed bugs[37]  
 * Gentoo KDE team[38], with 12 closed bugs[39]  
 * Gentoo Security[40], with 11 closed bugs[41]  
 26. games@gentoo.org
 27. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=games@gentoo.org
 28. gnome@gentoo.org
 29. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=gnome@gentoo.org
 30. x11@gentoo.org
 31. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=x11@gentoo.org
 32. amd64@gentoo.org
 33. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=amd64@gentoo.org
 34. x11-drivers@gentoo.org
 35. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=x11-drivers@gentoo.org
 36. base-system@gentoo.org
 37. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=base-system@gentoo.org
 38. kde@gentoo.org
 39. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=kde@gentoo.org
 40. security@gentoo.org
 41. 
http://bugs.gentoo.org/buglist.cgi?bug_status=RESOLVED&bug_status=CLOSED&chfield=bug_status&chfieldfrom=2006-03-19&chfieldto=2006-03-26&resolution=FIXED&assigned_to=security@gentoo.org

    
New bug rankings
----------------
  
The developers and teams who have been assigned the most new bugs during 
this period are: 
 
 * Default Assignee for New Packages[42], with 32 new bugs[43]  
 * AMD64 Project[44], with 14 new bugs[45]  
 * Gentoo's Team for Core System packages[46], with 11 new bugs[47]  
 * Gentoo Sound Team[48], with 10 new bugs[49]  
 * Default Assignee for Orphaned Packages[50], with 10 new bugs[51]  
 * Gentoo Science Related Packages[52], with 7 new bugs[53]  
 * media-video herd[54], with 7 new bugs[55]  
 * Gentoo Toolchain Maintainers[56], with 6 new bugs[57]  
 42. maintainer-wanted@gentoo.org
 43. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=maintainer-wanted@gentoo.org
 44. amd64@gentoo.org
 45. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=amd64@gentoo.org
 46. base-system@gentoo.org
 47. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=base-system@gentoo.org
 48. sound@gentoo.org
 49. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=sound@gentoo.org
 50. maintainer-needed@gentoo.org
 51. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=maintainer-needed@gentoo.org
 52. sci@gentoo.org
 53. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=sci@gentoo.org
 54. media-video@gentoo.org
 55. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=media-video@gentoo.org
 56. toolchain@gentoo.org
 57. 
http://bugs.gentoo.org/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&chfield=assigned_to&chfieldfrom=2006-03-19&chfieldto=2006-03-26&assigned_to=toolchain@gentoo.org

    
===============
7. GWN feedback
===============
   
Please send us your feedback[58] and help make the GWN better. 

 58. gwn-feedback@gentoo.org
    
===============================
8. GWN subscription information
===============================
   
To subscribe to the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn+subscribe@gentoo.org. 
 
To unsubscribe from the Gentoo Weekly Newsletter, send a blank email to 
gentoo-gwn+unsubscribe@gentoo.org from the email address you are 
subscribed under.
    
==================
9. Other languages
==================
   
The Gentoo Weekly Newsletter is also available in the following languages:
 
 * Danish[59]  
 * Dutch[60]  
 * English[61]  
 * German[62]  
 * French[63]  
 * Korean[64]  
 * Japanese[65]  
 * Italian[66]  
 * Polish[67]  
 * Portuguese (Brazil)[68]  
 * Portuguese (Portugal)[69]  
 * Russian[70]  
 * Spanish[71]  
 * Turkish[72]  
 59. http://www.gentoo.org/news/da/gwn/gwn.xml
 60. http://www.gentoo.org/news/nl/gwn/gwn.xml
 61. http://www.gentoo.org/news/en/gwn/gwn.xml
 62. http://www.gentoo.org/news/de/gwn/gwn.xml
 63. http://www.gentoo.org/news/fr/gwn/gwn.xml
 64. http://www.gentoo.org/news/ko/gwn/gwn.xml
 65. http://www.gentoo.org/news/ja/gwn/gwn.xml
 66. http://www.gentoo.org/news/it/gwn/gwn.xml
 67. http://www.gentoo.org/news/pl/gwn/gwn.xml
 68. http://www.gentoo.org/news/pt_br/gwn/gwn.xml
 69. http://www.gentoo.org/news/pt/gwn/gwn.xml
 70. http://www.gentoo.org/news/ru/gwn/gwn.xml
 71. http://www.gentoo.org/news/es/gwn/gwn.xml
 72. http://www.gentoo.org/news/tr/gwn/gwn.xml

   
Ulrich Plate <plate@gentoo.org> - Editor
Andrew Gaffney <agaffney@gentoo.org> - Author
Curtis Napier <curtis119@gentoo.org> - Author
Caleb Tennis <caleb@gentoo.org> - Author
-- 
gentoo-gwn@gentoo.org mailing list


