GWN 16 Augustus 2004

Uit Gentoo Linux Wiki

== Gentoo Nieuws == === Verschillende Infrastructuur Upgrades voor Gentoo === Goed nieuws voor de Gentoo infrastructuur, het werd deze week uitgebreid door de donatie van twee nieuwe servers. 1 server, een dual Xeon met 2GB RAM, zal gebruikt worden om de capaciteit van de rsync.gentoo.org rotatie te laten stijgen. De andere server, een quad Xeon met 1GB of RAM, zal gebruikt worden als hoofd bittorrent server. Gentoo Linux bedankt Melior, Inc. voor deze servers aan het Gentoo Linux project te leveren. Vervolgens ontvangde Gentoo Linux een donatie van EMC voor een licentie voor VMWare GSX Server, deze zal gebruikt worden om de ontwerpstappen in onze verschillende interne projecten te kunnen assisteren. Als laatste is er een nieuw op maat ontworpen mailing lijst archiveringsmiddel in closed beta gekomen en het zal niet lang duren voor dit aan het publiek wordt vrijgegeven. Deze archiveringsoplossing zal iedereen read-only toegang tot onze mailing lijsten verschaffen, zelfs de gentoo-trustees mailing list. We verwachten dat deze oplossing binnen 2 weken gereed is voor het publiek. ------------------ BEGIN ENGELS ------------------.........

Inhoud 1 Projects Update 1.1 Documentation 1.2 Infrastructure 1.3 Security 2 Gentoo Security 2.1 SpamAssassin: Denial of Service vulnerability 2.2 Horde-IMP: Input validation vulnerability for Internet Explorer users 2.3 Cfengine: RSA Authentication Heap Corruption 2.4 Roundup: Filesystem access vulnerability 2.5 gv: Exploitable Buffer Overflow 2.6 Nessus: "adduser" race condition vulnerability 2.7 Gaim: MSN protocol parsing function buffer overflow 2.8 kdebase, kdelibs: Multiple security issues 2.9 acroread: UUDecode filename buffer overflow 2.10 Tomcat: Insecure installation 2.11 glibc: Information leak with LD_DEBUG 3 Featured Developer of the Week 4 Heard in the Community 4.1 gentoo-user 4.1.1 Always Working as Root 5 Gentoo International 6 Bugzilla 6.1 Statistics 6.2 Closed Bug Rankings 6.3 New Bug Rankings 6.4 Tips and Tricks 7 Verplaatsingen, Toevoegingen en Veranderingen 7.1 Verplaatsingen 7.2 Toevoegingen 7.3 Veranderingen 8 Schrijven voor de GWN 9 GWN Feedback 10 GWN Abonnements Informatie

[bewerken] Projects Update

[bewerken] Documentation

The Documentation Team have recently completed a work cycle to review a large number of the "bugs" reported for documentation, and have implemented a large number of minor corrections to wording or content in the documents. They also have a new Status Update that describes a number of major revisions, including: a new Quick HOWTO on su with X, extensions to the Gentoo Installation Tips 'n Tricks, major edits to the Gentoo Security Guide and several updates to the Gentoo Handbook.

[bewerken] Infrastructure

The Infrastructure team are currently working on moving the Forums server to faster hardware - this upgrade will consist of moving the Apache server (currently a a dual PIII 1GHz/1GB) and database server (dual Xeon 2.4 GHz/2GB) to new platforms: a dual 2.4GHz/1GB and a 3.0GHz/4GB, respectively. This should substantially improve Forums performance, especially during peak loading.

[bewerken] Security

Gentoo is currently working towards inclusion on the vendor-sec mailing list, a limited-access mailing list that includes many major Linux vendors. Membership on the list would permit early access to security alerts and related discussions, prior to general release of the issue.

[bewerken] Gentoo Security

[bewerken] SpamAssassin: Denial of Service vulnerability

SpamAssassin is vulnerable to a Denial of Service attack when handling certain malformed messages.

For more information, please see the GLSA Announcement

[bewerken] Horde-IMP: Input validation vulnerability for Internet Explorer users

An input validation vulnerability has been discovered in Horde-IMP. This only affects users of Internet Explorer.

For more information, please see the GLSA Announcement

[bewerken] Cfengine: RSA Authentication Heap Corruption

Cfengine is vulnerable to a remote root exploit from clients in AllowConnectionsFrom.

For more information, please see the GLSA Announcement

[bewerken] Roundup: Filesystem access vulnerability

Roundup will make files owned by the user that it's running as accessable to a remote attacker.

For more information, please see the GLSA Announcement

[bewerken] gv: Exploitable Buffer Overflow

gv contains an exploitable buffer overflow that allows an attacker to execute arbitrary code.

For more information, please see the GLSA Announcement

[bewerken] Nessus: "adduser" race condition vulnerability

Nessus contains a vulnerability allowing a user to perform a privilege escalation attack.

For more information, please see the GLSA Announcement

[bewerken] Gaim: MSN protocol parsing function buffer overflow

Gaim contains a remotely exploitable buffer overflow vulnerability in the MSN-protocol parsing code that may allow remote execution of arbitrary code.

For more information, please see the GLSA Announcement

[bewerken] kdebase, kdelibs: Multiple security issues

KDE contains three security issues that can allow an attacker to compromise system accounts, cause a Denial of Service, or spoof websites via frame injection.

For more information, please see the GLSA Announcement

[bewerken] acroread: UUDecode filename buffer overflow

acroread contains two errors in the handling of UUEncoded filenames that may lead to execution of arbitrary code or programs.

For more information, please see the GLSA Announcement

[bewerken] Tomcat: Insecure installation

Improper file ownership may allow a member of the tomcat group to execute scripts as root.

For more information, please see the GLSA Announcement

[bewerken] glibc: Information leak with LD_DEBUG

glibc contains an information leak vulnerability allowing the debugging of SUID binaries.

For more information, please see the GLSA Announcement

[bewerken] Featured Developer of the Week

Benjamin Judas

Figure 4.1: Benjamin Judas Fig. 1: Benjamin Judas

This week, we feature Benjamin Judas(beejay), the Gentoo Release Co-ordinator for the x86 architecture. This responsibility involves managing and developing the x86 release media, including the stage tarballs, Live-CDs and GRP installation sets, as well as working with the documentation team to ensure that the install documentation is current. For the recent 2004.2 release, Chris Gianneloni managed the creation of the LiveCD images, allowing Benjamin to focus on the other aspects of the release. This new division of labour, including the sharing of release engineering responsibilities, is likely to be maintained for future releases. However, Benjamin retains primary responsibility for managing and scheduling release points for the x86 platform.

Although Benjamin had been reading about Linux since 1994, it wasn't until 1998 that he took the opportunity to install and use it. His initial introduction was somewhat prosaic: he was "walking through Friedberg (a small town nearby) trying to find some new shoes." He then recounts that "since I didn't find any good looking shoes, I went into a computer store to spend my money there instead." The result was a spanking new set of SuSE-Linux 5.3 Mini-Edition install media. "Hey, 30 bucks...you can't do anything wrong with that price for 6 CDs." He then tells us that it took him 6 months to have the OS working properly and the remainder of a year to strengthen that knowledge. A few years later, an article by Thomas Raschbacher in a German Linux magazine lead him to Gentoo. On August 18th, 2002 (he recalls the date because he ran his first emerge system while at a friends birthday party), Benjamin downloaded and installed the new distro and never looked back.

Benjamin's first contribution to Gentoo took the form of an apache-based online help system, which he asked Alexander Holler, who managed www.gentoo.de, to post for him. Alexander gave him rights on the server and encouraged him to contribute, so Benjamin continued by assisting with translating materials for the German website. By the Fall of 2003, Benjamin had begun using his nascent python skills to hack portage with an interest to developing a Web-based portage front-end. While working on his first task, a package search engine, he was approached by Seemant Kulleen and asked if he would work on Gentoo in a more formal capacity. Benjamin started out as a QA assistant for x86 releases, testing the Live CDs, stages and packages. When Seemant gave up his role co-ordinating the releases, the responsibilities were picked up by Benjamin. In addition to his work on www.gentoo.de and the Release Engineering Team, Benjamin was co-founder of the German Gentoo-NFP (Not-For-Profit) Organization, Friends of Gentoo e.V.. This group represents a formal organization to collect and manage contributions, financial and otherwise, toward fostering and protecting Gentoo development in Germany.

Benjamin works on a collection of four computers that reside around his home desk: an Athlon-Thunderbird 1300 and an IBM Thinkpad R40 are his main working platforms. These are supported by a Sun Ultra 5 which provides DNS, SMTP and IMAP services and an SGI Indy "which doesn't have a particular task - It just sits there and tries to look good." He has recently fallen in love with the zsh shell, and uses vim and catalyst while developing. Evolution, rxvt-unicde, tvtime and Mozilla round out the list of his most-used applications - excepting the occasional round of UT2k3, Simcity 3000 and Heavy Metal F.A.K.K.2.

In real life, Benjamin works at the University Medical Centre of Justus-Liebig-University Giessen, providing desktop application support. He has a formal qualification as an Assistant for Information Technologies - roughly equivalent to a practical diploma in Computer Science. He describes himself as a "typical couch potato". He enjoys watching television and movies - with a penchant for Science Fiction and Horror, with the occasional helping of televised Car Racing. He is an avid reader, and is currently negotiating China Melville's "Perdido Street Station", which he recommends. Benjamin lives in Muecke-Merlau, a small village about 80 Km from Frankfurt, in the Vogelsberg region of Germany - situated on an ancient dormant volcano. He asked for the opportunity to thank Seemant, Daniel, John and Jeff: "Thanks for trusting me and believing in me, helping me and providing constructive Critics!" He also had a message for the Gentoo devs collectively known as "The German Conspiracy": "Thanks for all the hard work to make Gentoo look good in Germany!". And finally, for the rest of us: "Gentoo is like a Goodyear-tire: if it doesn't run straight anymore, you refresh the profile and it will work again."

[bewerken] Heard in the Community

[bewerken] gentoo-user

[bewerken] Always Working as Root

Many hardend Linux and Unix people know that consistently logging in as root isn't a good idea. However many newcomers from the Windows world are not really sure why this is not a good idea. On Windows, most people log in with administrative privileges more often than not. So why should it be any different on Linux? A Linux newcomer asked this question on gentoo-user and got some great reasons, and suggestions for simplifying his transition to a Unix way of life.

   * Working as root...

[bewerken] Gentoo International

Gentoo International is on hiatus this week.

[bewerken] Bugzilla

[bewerken] Statistics

The Gentoo community uses Bugzilla (bugs.gentoo.org) to record and track bugs, notifications, suggestions and other interactions with the development team. Between 07 August 2004 and 13 August 2004, activity on the site has resulted in:

   * 526 new bugs during this period
   * 416 bugs closed or resolved during this period
   * 30 previously closed bugs were reopened this period

Of the 7002 currently open bugs: 143 are labeled 'blocker', 198 are labeled 'critical', and 557 are labeled 'major'.

[bewerken] Closed Bug Rankings

The developers and teams who have closed the most bugs during this period are:

   * Gnome Desktop Team, with 32 closed bugs
   * AMD64 Porting Team, with 31 closed bugs
   * PPC64 Architecture Team, with 16 closed bugs
   * Portage Team, with 14 closed bugs
   * Core System Packages Team, with 14 closed bugs

[bewerken] New Bug Rankings

The developers and teams who have been assigned the most new bugs during this period are:

   * Gnome Desktop Team, with 18 new bugs
   * Gentoo Sound Team, with 15 new bugs
   * AMD64 Porting Team, with 11 new bugs
   * Gentoo X-Windows Packagers, with 10 new bugs

[bewerken] Tips and Tricks

Tips and Tricks is looking for a new owner. If you're interested in taking over this section of the GWN, please email gwn-feedback@gentoo.org.

---

EINDE ENGELS

---

[bewerken] Verplaatsingen, Toevoegingen en Veranderingen

[bewerken] Verplaatsingen

De volgende developers hebben het Gentoo Team recentelijk verlaten:

• Niemand deze week

[bewerken] Toevoegingen

De volgende developers zijn recentelijk bij Gentoo Team gekomen:

• Niemand deze week

[bewerken] Veranderingen

De volgende developers zijn recentelijk van rol veranderd in het Gentoo Linux project:

• Niemand deze week

[bewerken] Schrijven voor de GWN

Interesse om te schrijven voor de Gentoo Weekly Newsletter? Stuur een mail naar gwn-feedback@gentoo.org !

[bewerken] GWN Feedback

Stuur je feedback naar gwn-feedback@gentoo.org en help zo de GWN beter te maken.

[bewerken] GWN Abonnements Informatie

Om je in te schrijven voor de Gentoo Weekly Newsletter, stuur een lege e-mail naar gentoo-gwn-subscribe@gentoo.org.

Om je abonnement op zeggen, stuur een lege e-mail naar gentoo-gwn-unsubscribe@gentoo.org (afkomstig van het e-mail adres waarop je de gwn ontvangt.)