Added by Paul Cutler, last edited by Paul Cutler on Sep 01, 2007

Foresight Linux Newsletter Volume 1, Issue 6 (August 2007)

Welcome to the August edition of the Foresight Linux Newsletter.  Summer can be a slow time for news, and without a point release of Foresight Linux 1.3 and with development of Foresight Linux 2.0 continuing, this month's edition is shorter than normal.  This month's issue features an overview of PackageKit, the newest feature to be added to Foresight Linux 2.0, an updated Foresight Linux 2.0 release calendar, and other news.

In this issue:

Foresight Linux News

  • Current version: Foresight Linux 1.3.2

Security Updates

  • Recent packages updated to fix security flaws

Development News

  • Foresight Linux 2.0 development update
  • Introducing PackageKit

Foresight Linux Tour

  • Michigan User Group
  • Ohio Linux Fest

Join the Foresight Community

Contributing to Foresight Linux

  • Web Design

Downloading and Getting Help with Foresight Linux

Foresight Linux Information

Foresight Linux News

Foresight Linux 1.3.2 Released July 21st

Foresight Linux 1.3.2, released on July 21st, continues to be the current version of Foresight Linux available for download.  Foresight Linux 1.3.2 includes the latest GNOME, GNOME 2.18.3.

Foresight Linux 1.3 is available for download on 1 DVD, 2 CDs, or through a number of different virtualization images.  Visit the download page for more information.

GNOME 2.18.3 Live Media

Foresight Linux is proud to be the distribution offering the latest version of GNOME via a number of different choices of Live Media.  Making it simple for users who want to test the latest GNOME release, four images are available for testing GNOME without having to install it directly on your hard drive.  These images include a LiveCD, VMWare image, and a Parallels / QEMU image.  GNOME Live Media is available for download at http://torrent.gnome.org.

Security Updates

Security updates are published on the Foresight Security mailing list. This month's security updates include:

FLEA-2007-0038-1 GIMP 2007-08-01 Previous versions of the gimp package are vulnerable to multiple user-assisted buffer-overflow attacks in which gimp may execute arbitrary code contained in maliciously-crafted image files of type DICOM, PNM, PSD, PSP, XBM, and XWD.
FLEA-2007-0039-1, FLEA-2007-0040-1 firefox, thunderbird 2007-08-01, 2007-08-03 Previous versions of the firefox package are vulnerable to a flaw in handling of "about:blank" windows. A malicious web server could exploit this to steal sensitive information or modify contents of other open web pages.
In addition, a malicious web server could execute helpers with arbitrary arguments due to firefox's mishandling of certain types of characters when launching external programs.
FLEA-2007-0041-1 gdm 2007-08-03 Previous versions of the gdm package are vulnerable to a local Denial of Service whereby a system user can crash the gdm daemon by sending specially-crafted data as a GDM socket command.
FLEA-2007-0042-1 qt 2007-08-03 Previous versions of the qt package are vulnerable to user-assisted format-string attacks, possibly leading to arbitrary code execution in applications that use the QTextEdit widget.
Note that while Foresight ships qt for compatibility with third-party applications, Foresight Linux does not include any components which use qt, so a default install is not exposed to this issue.
FLEA-2007-0043-1 openssl 2007-08-13 Previous versions of the openssl package are vulnerable to an attack in which a local attacker may be able to discover another user's RSA private key by watching another running process using that key.
FLEA-2007-0044-1 tetex 2007-08-14 Previous versions of the tetex package are vulnerable to an integer overflow in included xpdf code, which can be exploited via a specially-crafted PDF file to execute arbitrary code.
FLEA-2007-0045-1 poppler 2007-08-14 Previous versions of the poppler package are vulnerable to an integer overflow in included xpdf code, which can be exploited via a specially-crafted PDF file to execute arbitrary code.
FLEA-2007-0046-1 CUPS 2007-08-14 Previous versions of the cups package are vulnerable to an integer overflow in included xpdf code, which can be exploited via a specially-crafted PDF file to execute arbitrary code.
FLEA-2007-0047-1 rsync 2007-08-23 Previous versions of the rsync package contain multiple buffer-overflow vulnerabilities, possibly allowing remote attackers to execute arbitrary code using maliciously crafted directory names.
FLEA-2007-0048-1 xterm 2007-08-23 Previous versions of the xterm package assigned incorrect ownership and write permissions to pseudo-terminal devices, permitting local users to direct output to other users' xterm sessions.
Due to xterm's extensive internal processing of escape sequences, this also permits unauthorized modification of xterm session behavior.
FLEA-2007-0049-1 tar 2007-08-27 Previous versions of the tar package are vulnerable to an attack in which unpacking an intentionally-malformed tar archive can overwrite arbitrary files to which the user running tar has write access. If the attacking user knows the name of a vulnerable binary file and overwrites it, this allows the attacker to place arbitrary code on the system which is likely to be run. If root is running tar, this includes any file on the system, which would elevate this to an indirect non-deterministic remote root unauthorized access vulnerability.

Development News

Foresight Linux 2.0 

Unfortunately, due to some delays and challenges in getting the new toolchain working, the Foresight Linux 2.0 release schedule has been delayed a few weeks.  Developers are working hard on 2.0, and a great deal of progress has been made in the last few weeks.  Our apologies for the delay.

The first alpha release for Foresight Linux 2.0 will be September 19th, with the GNOME 2.20 release.  Subsequent beta and release candidates will follow.  Additionally, Foresight Linux 1.4, with GNOME 2.20, will also be officially released on September 19th.

We are looking for help with testing Foresight Linux, including feedback and reporting bugs on installing Foresight Linux 2.0.  Look for more information to come soon.

Introducing PackageKit

Overview 

PackageKit, created by Richard Hughes, aims to be a unified package manager and installer available for many different Linux distributions.  In today's world of many Linux distributions, package managers are system specific, and each has its strengths and weaknesses.  From Synaptic and dpkg for Debian and Ubuntu, to YUM for Fedora and Red Hat, and Portage for Gentoo, all help users manage the software on their system, but they all lack commonality.

PackageKit has a goal to unify this for the user.  A number of use cases have been developed, focused on making software installation easier for users.  PackageKit aims to help users install software from their distribution's core repository, without requiring a root password; help with debugging crashes; and install new features or packages required by a software program that may not already be installed.  This also includes a consistent user interface for managing software installation, which follows the Human Interface Guidelines (HIG) and includes notification icons on the user's panel.

PackageKit does not do dependency resolution.  In this regard, PackageKit is a front end for Conary (or other package manager), which still remains the backbone of Foresight's package management.  Development of Eyesight, a similar GUI for Conary which was planned to be included in Foresight Linux 2.0, has ceased in favor of PackageKit.  PackageKit is planned for inclusion in Foresight Linux 2.0.

For Developers

For developers, PackageKit is NetworkManager and DBUS aware.  This helps users by allowing package installation only when connected to the network or internet.  PackageKit was recently split into two parts to make it more distribution agnostic: the daemon, which requires glib, libnm, dbus-glib and PolicyKit; and the GUI, which requires some GNOME software, including GTK and libnotify.  PackageKit is written in C.

Ken VanDine, Foresight's founder and lead developer, has been contributing to PackageKit and overseeing its integration within Foresight.  Og Maciel contributed the caching and searching code, and Elliot Peele is also lending a hand.

PackageKit Screenshots

PackageKit showing a notification in the panel that security updates are available:


 
PackageKit showing security updates have been installed:


 
 
From Ken VanDine's blog and Flickr stream, PackageKit integrated with Conary, with search working:
 

 
PackageKit integrated, with package groups displayed on the left hand side, familiar to Synaptic users:


 
 

Get Involved

 
More information on PackageKit is available at the following resources:
 

 
Foresight is excited to include PackageKit in Foresight Linux 2.0 to help manage software installation and packages.  We hope to be the first Linux distribution to ship with PackageKit starting next month with the alpha release of Foresight Linux 2.0. 

Foresight Linux Tour

The Foresight Linux tour continues, with planned stops in the U.S. Midwest in September. 

Ken VanDine and Michael K. Johnson will be presenting an overview of the Conary and rPath technology at the next Michigan User Group meeting on Tuesday, September 11th.

Foresight Linux will have a booth at the upcoming Ohio Linux Fest on September 29th in Columbus, Ohio.  From the Ohio Linux Fest website:

The fifth annual Ohio LinuxFest will be held on September 29, 2007 at the Greater Columbus Convention Center in downtown Columbus, Ohio. Hosting authoritative speakers and a large expo, the Ohio LinuxFest welcomes Free and Open Source Software professionals, enthusiasts, and anyone who wants to take part in the event. The Ohio LinuxFest is a free, grassroots conference for the Linux/Open Source Software/Free Software community that started in 2003 as a large inter-LUG meeting and has grown steadily since. It is a place for the community to gather and share information about Linux and Open Source Software. A large expo area adjacent to the conference rooms will feature exhibits from our sponsors as well as a large .org section from non-profit Open Source/Free Software projects.

Join the Foresight Community

Foresight users and developers are active on a number of different social networking sites.

Share your musical tastes and favorite artists with other Foresight users in the Foresight group on Last.fm.  Banshee, Foresight's default music manager, has built-in support for Last.fm.

Follow a few Foresight developers every waking moment via Twitter.

Share pictures of your Foresight Linux desktop at the Foresight Linux Flickr group.

Join the Foresight group on Mugshot.  Mugshot is a social networking application available as a web service and desktop service that aggregates a number of different social networks, such as Facebook, Digg, Youtube, Flickr, Reddit and many others.  Need an invitation to Mugshot?  Email pcutler@foresightlinux.org for an invitation.  To install Mugshot on your Foresight Linux desktop, from a terminal type:

sudo conary update mugshot

Last, but not least, add http://www.foresightlinux.org/planet to your bookmarks or favorite feed reader, such as Liferea, to read blog updates from Foresight Developers.  Are you a Foresight contributor or developer, and would like your blog syndicated?  Email feedback@foresightlinux.org with your blog's feed and a brief note about your blog.

Contributing to Foresight Linux

Contribute to Foresight Linux

Foresight Linux Website 

With the upcoming launch of Foresight Linux 2.0, the Foresight Linux team is looking to develop a new website as well.  We are looking for volunteers to help with both web design and web development.  If interested, please stop by #foresight on Freenode IRC or email feedback@foresightlinux.org.

Foresight Linux 2.0 Testing

As mentioned above in the Development section, we are looking for users to help test the upcoming Foresight Linux 2.0 beta releases.  From testing to bug reporting, all help and feedback is welcome. 

For other opportunities to contribute to Foresight Linux, visit the Getting Involved page in the Getting Started with Foresight Linux user guide.

Contribute to the Foresight Linux Newsletter

Have a package or piece of software you want to share in the monthly newsletter?   Send it in!  We are always looking for more writers or contributors, and building the newsletter is a collaborative process using the Foresight Linux Newsletter wiki.  We are also looking for volunteers to interview people in the Foresight and GNOME communities, links to news articles on the web or in print regarding Foresight Linux, and all the other content that makes up the newsletter.

Have thoughts or comments on the newsletter?  Email feedback@foresightlinux.org and your letter may be published in the next issue! 

Contributors to Issue #3:  Paul Cutler (editor), Ken VanDine

Portuguese translation by Vladimir Melo 

Downloading and Getting Help with Foresight Linux

Download and install Foresight Linux:

Live Media, including Live CD, VMWare image, and QEMU and Parallels images

Help is available in many forms, and you can choose what you're most comfortable with.

  • IRC:  Visit the Foresight IRC channel, #foresight on Freenode, and ask questions.  We have one of the most friendly IRC channels you'll come across with everyone from users to developers reaching out to help answer questions.
  • Forums: Our forums continue to grow, and are a good source of information to check if a specific problem or question has come up before.
  • Wiki: Documentation on the wiki is growing on a daily basis, with updates often to the Frequently Asked Questions and other how-to's to get you going with Foresight Linux.
  • Mailing Lists
    • General List: General discussion around Foresight Linux
    • Commits List (high traffic): All package commits are emailed to this list
    • Packagers List: Discuss packaging applications for Foresight using Conary and rBuilder
    • Developers List: Discuss topics related to Foresight development projects
    • Translation List: Help translate Foresight Linux into many different languages

Foresight Linux Information

Learn more about Foresight Linux at Foresight's homepage, http://www.foresightlinux.org.

Read what the developers are working on via their blogs, aggregated at Planet Foresight, http://www.foresightlinux.org/planet/ or subscribe via RSS at http://web.foresightlinux.org/planet/feed/rss/.

Subscribe to the newsletter via RSS: http://feeds.feedburner.com/foresightnewsletter.

Have feedback on Foresight Linux or the newsletter?  Email feedback@foresightlinux.org and share your thoughts, we'd love to hear from you! 
