Anthon Open Source Community (AOSC)
Welcome to AOSC! We are a progressive and friendly open source community.

[SECURITY] AOSA-2017-0039: Update Sudo
MAY 31, 2017

Please update your sudo package to version 1.8.20p1.

A recently released version of Sudo has addressed a security vulnerability titled “Potential overwrite of arbitrary files on Linux”:

“On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”

This vulnerability has been assigned CVE-2017-1000367 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000367).

Relevant documentation:

- Original Security Advisory. https://www.sudo.ws/alerts/linux_tty.html
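
The parsing pitfall quoted above, as an added example (not sudo's code and not part of the original advisory): a naive space-split of a `/proc/[pid]/stat` line next to a parse that anchors on the last `)` closing the command name. The sample lines and function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /proc/[pid]/stat lines (truncated after field 9); tty_nr is field 7. */
static const char PLAIN[]  = "4242 (bash) S 4000 4242 4242 34816 4242 4194304";
static const char SPACED[] = "5150 (Web Content) S 5000 5000 4242 34816 5000 4194304";

/* Naive: treat every space as a field separator and read the 7th token.
 * A space inside the command name shifts every later field by one. */
int tty_nr_naive(const char *line)
{
    int field = 1;
    for (const char *p = line; *p != '\0'; p++) {
        if (*p == ' ' && ++field == 7)
            return atoi(p + 1);
    }
    return -1;
}

/* Robust: field 2 is "(comm)" and comm may hold spaces or ')', while all
 * later fields are a state letter and numbers, so the LAST ')' ends field 2. */
int tty_nr_robust(const char *line)
{
    const char *end = strrchr(line, ')');
    char state;
    int ppid, pgrp, session, tty_nr;

    if (end == NULL)
        return -1;
    if (sscanf(end + 1, " %c %d %d %d %d",
               &state, &ppid, &pgrp, &session, &tty_nr) != 5)
        return -1;
    return tty_nr;
}

int main(void)
{
    printf("plain : naive=%d robust=%d\n", tty_nr_naive(PLAIN), tty_nr_robust(PLAIN));
    printf("spaced: naive=%d robust=%d\n", tty_nr_naive(SPACED), tty_nr_robust(SPACED));
    return 0;
}
```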

[INFO] Updates to Our Community Infrastructure!
APRIL 29, 2017

With the hard work of our community infrastructure contributors, there are now two more services available for our community members:

+ AOSC OS Packages: A catalog of packages available for AOSC OS.
+ Mailing Lists: Community mailing lists for discussions, advisories, and announcements.

## AOSC OS Packages

Thanks to +Dingyuan Wang (gumblex) for creating this website.

Our Packages site should not need much explanation: as mentioned above, it is a catalog of AOSC OS packages. You can now search for a particular package available for AOSC OS (or find out whether it is available yet), check on update status, and compare the versions of a given package available across all our AOSC OS ports.

Dingyuan Wang also mentioned that there will be a function where AOSC OS users could file package requests on the same website, making it easier for users and developers to check on request status.

## Mailing Lists

Thanks to +Sijie Bu (butangmucat) for making this service available.

Currently there are four mailing lists available, each dedicated to a different function:

- announcements@lists.aosc.io: for community events and project-related announcements; broadcast only, read-only to subscribers.
- discussions@lists.aosc.io: for development discussions, questions, and suggestions; open to users and developers, subscription required.
- mirrors@lists.aosc.io: announcements on maintenance and status of our mirrors; broadcast only, read-only to subscribers.
- security@lists.aosc.io: bulletin for security updates, CVEs, etc; broadcast only, read-only to subscribers.

If you have any questions, concerns, or suggestions about our community services and infrastructure, please pop a mail to our discussions mailing list.

[SECURITY] AOSA-2017-0037: Update Firefox
APRIL 28, 2017

Please update your firefox package to version 53.0 and above.

A recently released version of Firefox has addressed the following security vulnerabilities, assigned with multiple CVE IDs:

CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5450, CVE-2017-5451, CVE-2017-5452, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5462, CVE-2017-5463, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469.

Relevant documentation:

- Original Mozilla Firefox Security Advisory MFSA2017-10. https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/

[SECURITY] AOSA-2017-0036: Update Chromium and Google Chrome
APRIL 28, 2017

Please update your chromium and google-chrome packages to version 58.0.3029.81 and above.

A recently released version of Chromium/Google Chrome Web browser addressed the following security issues, assigned with multiple CVE IDs:

CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5063, CVE-2017-5064, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5069.

Relevant documentation:

- Original Announcement. https://chromereleases.googleblog.com/2017/04/stable-channel-update-for-desktop.html

[SECURITY] AOSA-2017-0035: Update cURL
APRIL 28, 2017

Please update your curl and curl+32 packages to version 7.54.0 and above.

A recently released version of cURL fixed several security vulnerabilities, one of which has been assigned a CVE number:

CVE-2017-7468.

Relevant documentation:

- cURL 7.54.0 Changelog.
- cURL Security Advisory for CVE-2017-7468.

[INFO] Additional Information for AOSA-2017-0034
APRIL 20, 2017

We have received complaints from users whose SSH host keys were erased even though they had already regenerated their SSH host keys before AOSA-2017-0034 was posted.

This is our fault for not checking on vulnerable host keys by checksum - instead, we chose to regenerate the keys regardless. To work around this issue, run this command before you upgrade your system (given that your openssh package is older than version 7.5p1-1):

# touch /usr/share/doc/openssh/AOSA-2017-0034

Again, we apologize for this incident.

[WARN] Manual Input Needed with Upcoming iana-etc Update
APRIL 17, 2017

A recent change to the iana-etc package has addressed an issue where it could be impossible to initiate telnet connections on AOSC OS.

However, the file /etc/services, contained within iana-etc, has been marked as a configuration file; therefore, DPKG could ask if the file should be replaced with the one provided with the package (which contains the fix to this issue). Please choose “Yes”, or press the i key when prompted.

We apologize for the inconvenience.

[INFO] Repository De-Dup Complete
APRIL 15, 2017

As mentioned in the announcement last week, a repository de-duplication (removing old versions of all packages in the repository) was planned for this weekend - and now, the process is complete.

Ideally, a user who regularly updates their copy of AOSC OS would (and should) not notice the changes that took place this weekend. But we do anticipate that the removal of some packages may lead to dependency issues, and that our bulk removal of files on the repository server may cause errors on our mirror partners (due to rsync's delete threshold, or --max-delete settings).

If you unfortunately run into issues with updating or installing packages, please first try switching to our source server:

sudo apt-gen-list -e "40-source"

Then contact us on the IRC channel #aosc to report the incident - we will then try to get in contact with our mirror servers to solve the issue.

[DEVEL] AArch64/ARM64 Images Update for Allwinner Devices
APRIL 15, 2017

Icenowy Zheng has recently uploaded a new batch of AArch64/ARM64 SD card images for compatible Allwinner devices, with the Linux Kernel updated to 4.11-rc6. Along with the Kernel update, two new devices are now supported:

+ Xunlong Orange Pi Prime
+ FriendlyARM Nano Pi NEO2

Please head over to the download page (https://aosc.io/os-download/) for more downloads and more information.