Please update your
ntfs-3g package to version
A security vulnerability, assigned CVE-2017-0358, was addressed in NTFS-3G.
*Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE, does not scrub the environment before executing modprobe to load the fuse module. This influences the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and --dirname options), potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. This is the case for Debian, Ubuntu and probably Gentoo.*
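The defensive pattern behind this advisory, as an added example (not code from ntfs-3g or from the advisory): a privileged program that launches a helper should pass it a fixed environment rather than the caller's. The function names are hypothetical, `/bin/sh` stands in for modprobe, and the variable's value is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed environment for the helper; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Fork, exec `path` (absolute, so no PATH search) with `envp`, and return
 * the child's exit status; -1 on fork/wait failure, 127 if exec fails. */
static int run_helper(const char *path, char *const argv[], char *const envp[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Returns 1 if a caller-set MODPROBE_OPTIONS reaches the helper, else 0.
 * scrub == 0: helper inherits `environ` (the pattern the advisory describes).
 * scrub != 0: helper gets CLEAN_ENV only. /bin/sh stands in for modprobe. */
int helper_sees_variable(int scrub)
{
    char *const argv[] = { "sh", "-c", "test -n \"$MODPROBE_OPTIONS\"", NULL };
    /* Constructed value, standing in for whatever the invoking user exported. */
    setenv("MODPROBE_OPTIONS", "constructed-value", 1);
    return run_helper("/bin/sh", argv, scrub ? CLEAN_ENV : environ) == 0;
}

int main(void)
{
    printf("inherited environ: helper sees variable = %d\n", helper_sees_variable(0));
    printf("scrubbed environ:  helper sees variable = %d\n", helper_sees_variable(1));
    return 0;
}
```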
Please update your
webkit2gtk package to version
WebKitGTK+ recently announced a security advisory which contained detailed information regarding security vulnerabilities fixed with the newly released WebKitGTK+ version 2.14.4. The security vulnerabilities were assigned CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373.
Let us start with an apology: we messed up. Starting with AOSC OS2 back in early 2014, the repositories for AOSC OS were signed with a GPG key. At that time we had no idea about long-term maintainership, and thus had no plan for, nor anticipation of, the expiration of this GPG key on Valentine’s Day of 2017.
Although the problem has already been addressed for our source repository (with extra security enhancements), we realize that some of you have already run into issues trying to update your AOSC OS. It will be another two days before we can push out another batch of updates that addresses this issue directly, but you can still fix it yourself (you cannot obtain an update for Apt itself right now, since you cannot update your system at all). So here is how it goes:
First, obtain a copy of our new GPG key.
Then, remove the old key from the old storage.
sudo rm -fv /etc/apt/trusted.gpg
And finally, add the new key to the Apt key storage.
sudo apt-key add 20170214-2y.gpg
And you should be greeted with an “OK” message. Now, you are good to go again with the new keys on hand.
sudo apt update
At the time of posting, however, you may not be able to update your system via our various mirrors, because our new signature has not yet been synchronised with them. To work around this issue temporarily, use apt-gen-list and select our source server again - it might be slower in certain areas, but it gets the job done.
sudo apt-gen-list -e "40-source"
Then, as usual.
sudo apt update
Core 4.2 was just released as the latest feature update to the Core 4.0 series. With 4.2, we have updated virtually every single component in the Core, but more importantly, we have officially added support for the MIPS64 Little Endian architecture, currently maintained by Junde Yhi (creation of build specifications, and package porting) and Mingcong Bai (package porting).
What’s more? You could expect, with Core 4.2:
Core 4.2 is now readily available for the AMD64/x86_64 port of AOSC OS; updates for all other architectures will come this upcoming weekend.
Please note that Core 4.2 contains security updates, which were assigned AOSA-2017-0018 (for GNU C Library) and AOSA-2017-0019 (for Bash). Please update your AOSC OS with the newest Core at your earliest convenience!
For a detailed description of the changes made between Core 4.1 and 4.2, please check out the full changelog.