NEWS

Read hard, get it all caught up :-D

Things are (actually) going on around the community (surprise!), you may find latest news and happenings in and around the community, and of course, latest information for you to better enjoy AOSC OS.

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. – Linus Torvalds

ALL NEWS

  • Cinnamon 3.4 Now Available!MAY 5, 2017

    Just a quick notice that Cinnamon 3.4 is now available in our community repository (along with the new Slick Greeter)! Here’s a screenshot…

    cinnamon-3.4


    For more information on changes introduced with Cinnamon 3.4 please refer to this Linux Mint blog post.

  • AOSA-2017-0038: Update WeeChatMAY 5, 2017

    Please update your weechat package to version 1.7.1.

    A recently announced version of WeeChat has addressed the following security vulnerability:

    CVE-2017-8073.

    Relevant documentation:

  • Updates to Our Community Infrastructure!APRIL 29, 2017

    With the hard work of our community infrastructure contributors, there are now two more services available for our community members:

    • AOSC OS Packages: A catalog of packages available for AOSC OS.
    • Mailing Lists: Community mailing lists for discussions, advisories, and announcements.

    AOSC OS Packages

    Thanks to Dingyuan Wang (gumblex) for creating this website.

    It should not take much explanation for our Packages site - as mentioned above, it is a catalog of AOSC OS packages - and you could now search for a particular package available to AOSC OS (or to find out if it’s available yet), check on update status, and compare versions of a given package available to all our AOSC OS ports.

    Dingyuan Wang also mentioned that there will be a function where AOSC OS users could file package requests on the same website, making it easier for users and developers to check on request status.

    Mailing Lists

    Thanks to Sijie Bu (butangmucat) for making this service available.

    Currently there are four mailing lists available, each dedicated to different functions…

    • announcements@lists.aosc.io: for community events and project-related announcements; broadcast only, read-only to subscribers.
    • discussions@lists.aosc.io: for development discussions, questions, and suggestions; open to users and developers, subscription required.
    • mirrors@lists.aosc.io: announcements on maintenance and status of our mirrors; broadcast only, read-only to subscribers.
    • security@lists.aosc.io: bulletin for security updates, CVEs, etc; broadcast only, read-only to subscribers.

    If you have any questions, concerns, or suggestions to our community services and infrastructure, please pop a mail to our discussions mailing list

  • AOSA-2017-0037: Update FirefoxAPRIL 28, 2017

  • AOSA-2017-0036: Update Chromium and Google ChromeAPRIL 28, 2017

    Please update your chromium and google-chrome packages to version 58.0.3029.81 and above.

    A recently released version of Chromium/Google Chrome Web browser addressed the following security issues, assigned with multiple CVE IDs:

    CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5063, CVE-2017-5064, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5069.

    Relevant documentation:

  • AOSA-2017-0035: Update cURLAPRIL 28, 2017

    Please update your curl and curl+32 package to version 7.54.0 and above.

    A recently released version of cURL fixed several security vulnerabilities, one of which assigned with a CVE number:

    CVE-2017-7468.

    Relevant documentation:

  • Additional Information for AOSA-2017-0034APRIL 20, 2017

    We have received complaints regarding their SSH Host keys being erased despite that they have already regenerated their SSH Host key before AOSA-2017-0034 was posted.

    This is our fault for not checking on vulnerable host keys by checksum - instead, we chose to regenerate the keys regardless. But here’s the way to workaround this issue, issue this command before you upgrade your system (given that your openssh package has version older than 7.5p1-1).

    # touch /usr/share/doc/openssh/AOSA-2017-0034
    

    Again, we apologize for this incident.

  • AOSA-2017-0034: OpenSSH in Tarballs Shipped Identical Host KeysAPRIL 18, 2017

    This is an issue of great emergency, please update your system with the newest openssh package to workaround this security vulnerability!

    In our traditional way of generating AOSC OS release tarballs, SSH Daemon host keys were generated only once across any AOSC OS install because the tarballs were built from a single stub tarball, then to a Base variant - which already contains a copy of OpenSSH (with keys generated) - then all other variants were generated from the Base tarball with extra sets of packages. The result was - due to our ignorance - that all SSH Daemon host keys are generated only once, a great security threat to all AOSC OS users with their SSH Daemon or sshd.service enabled.

    To workaround this for all existing users, (once again) please update your system with the latest openssh package, if you see the following message when installing the update…

    Regenerating SSH Keys for AOSA-2017-0034...
    removed '/etc/ssh/ssh_host_dsa_key'
    removed '/etc/ssh/ssh_host_dsa_key.pub'
    removed '/etc/ssh/ssh_host_ecdsa_key'
    removed '/etc/ssh/ssh_host_ecdsa_key.pub'
    removed '/etc/ssh/ssh_host_ed25519_key'
    removed '/etc/ssh/ssh_host_ed25519_key.pub'
    removed '/etc/ssh/ssh_host_rsa_key'
    ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
    

    Then your SSH Daemon host keys are regenerated, and they are expected to be unique across any device. You would not need to restart your sshd.service, but when clients connect to your device, they may receive a warning…

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    <ECSDA key here>
    Please contact your system administrator.
    

    Please remove the line (or inform users of your AOSC OS host with SSH enabled to do so) from your ~/.ssh/known_host file containing the key described above - another method is to identify the host you are attempting to connect to, and remove the line containing the host.

    Updates to openssh are now available for amd64, arm64, armel, mipsel, powerpc, and ppc64.

  • Manual Input Needed with Upcoming iana-etc UpdateAPRIL 17, 2017

    A recent change to the iana-etc package has addressed an issue where it could be impossible to initiate telnet connections on AOSC OS.

    However, the file /etc/services - contained within iana-etc has been marked as a configuration file, therefore, DPKG could ask if the file should be replaced with the one provided with the package (which contain the fix to this issue). Please choose “Yes”, or press the i key when prompted.

    We apologize for your inconvenience.

  • Repository De-Dup CompleteAPRIL 15, 2017

    As mentioned in the announcement last week, a repository de-duplication (removing old version s of all packages in the repository) is planned for this weekend - and now, the process is complete.

    Ideally, as an user who regularly updates their copy of AOSC OS, they would/should not notice the changes taken place this weekend. But we do anticipate removals of some packages may lead to dependency issues, and that our bulk removal of files on the repository server may cause error on our mirror partners (due to rsync's delete threshold, or --max-delete settings).

    If unfortunately you run into issue with updating or installing packages, please first try and switch to our source server…

    sudo apt-gen-list -e "40-source"
    

    And contact us at the IRC channel #aosc to report this incident - we will then try and get into contact with our mirror servers to solve the issue.