Debian Weekly News - November 22nd, 2000

Welcome to Debian Weekly News, a newsletter for the Debian community.

A raft of recent security updates includes fixes for a local cron exploit, a serious hole in ssh, a local root exploit in modutils (Debian is vulnerable after all), a bug in mc that allows anyone to overwrite the first byte of any file, a buffer overflow in ncurses that can be exploited via suid binaries in xmcd, a symlink attack using joe's DEADJOE files and a similar problem in elvis-tiny, a remote exploit that can crash tcpdump, a similar buffer overflow in ethereal, and an updated cupsys package that doesn't default to letting anyone in the world access the printer. More security fixes continue to come in as DWN goes to press. This has been the busiest week for the security team in recent memory, and they've certainly done a good job.

Debian 2.2r2 will probably be released by this weekend. Anthony Towns and Ben Collins argued about this, with Anthony wanting to get r2 out within the promised time frame to fix the problems in r1, while Ben prefers to wait a week or two for testing, even more pending security fixes, and to let the porters catch up so we do not "make another point release, with known issues". Anthony rejected this plan, stating that "it'll be out around the 24th, US holiday or not". This is a tough call -- more security holes will surely be found soon after we release -- but it's the kind of tough call that Anthony as release manager has to make, even if his decision is not popular.

One of this week's more interesting threads concerns women in Debian. The thread touches on many subjects: the number of female developers (a few, with more in the queue), why there are so relatively few women in Debian and the free software world in general (is Debian "the epitome of the all guys testosterone engineering groups"?), and lots of general discussion not specific to Debian. It's clearly an interesting topic, but we should pay heed to An Thi-Nguyen Le when she points out, "We're all just dudes who happen to work on Debian."

The Debian Jr. project is collecting ideas for a logo. The project also has a dedicated irc channel now, #debian-jr on

debianHELP is the latest new Debian website. Their purpose is to "provide some in-depth, non-geek explanations about the common problems that people run into", and the site is taking off quickly, already full of topics like "What to do when unstable goes bad", "Printing in Debian", "Managing kernel modules", and a fair number of useful tips.

Debian won several awards this month. Debian received a reader's choice award for web infrastructure from WebTechniques magazine, and a VA Linux system with Debian pre-loaded received Linux Journal's editor's choice award for best web server. There seems to be a theme here...

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Joey Hess.