Please update your
firefox package to version
53.0 and above.
A recently released version of Firefox has addressed the following security vulnerabilities, assigned with multiple CVE IDs:
CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5450, CVE-2017-5451, CVE-2017-5452, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5462, CVE-2017-5463, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469.
Please update your
google-chrome packages to version
58.0.3029.81 and above.
A recently released version of Chromium/Google Chrome Web browser addressed the following security issues, assigned with multiple CVE IDs:
We have received complaints regarding their SSH Host keys being erased despite that they have already regenerated their SSH Host key before
AOSA-2017-0034 was posted.
This is our fault for not checking on vulnerable host keys by checksum - instead, we chose to regenerate the keys regardless. But here’s the way to workaround this issue, issue this command before you upgrade your system (given that your
openssh package has version older than
# touch /usr/share/doc/openssh/AOSA-2017-0034
Again, we apologize for this incident.
This is an issue of great emergency, please update your system with the newest
openssh package to workaround this security vulnerability!
In our traditional way of generating AOSC OS release tarballs, SSH Daemon host keys were generated only once across any AOSC OS install because the tarballs were built from a single
stub tarball, then to a Base variant - which already contains a copy of OpenSSH (with keys generated) - then all other variants were generated from the Base tarball with extra sets of packages. The result was - due to our ignorance - that all SSH Daemon host keys are generated only once, a great security threat to all AOSC OS users with their SSH Daemon or
To workaround this for all existing users, (once again) please update your system with the latest
openssh package, if you see the following message when installing the update…
Regenerating SSH Keys for AOSA-2017-0034... removed '/etc/ssh/ssh_host_dsa_key' removed '/etc/ssh/ssh_host_dsa_key.pub' removed '/etc/ssh/ssh_host_ecdsa_key' removed '/etc/ssh/ssh_host_ecdsa_key.pub' removed '/etc/ssh/ssh_host_ed25519_key' removed '/etc/ssh/ssh_host_ed25519_key.pub' removed '/etc/ssh/ssh_host_rsa_key' ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
Then your SSH Daemon host keys are regenerated, and they are expected to be unique across any device. You would not need to restart your
sshd.service, but when clients connect to your device, they may receive a warning…
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is <ECSDA key here> Please contact your system administrator.
Please remove the line (or inform users of your AOSC OS host with SSH enabled to do so) from your
~/.ssh/known_host file containing the key described above - another method is to identify the host you are attempting to connect to, and remove the line containing the host.
openssh are now available for
A recent change to the
iana-etc package has addressed an issue where it could be impossible to initiate
telnet connections on AOSC OS.
However, the file
/etc/services - contained within
iana-etc has been marked as a configuration file, therefore,
DPKG could ask if the file should be replaced with the one provided with the package (which contain the fix to this issue). Please choose “Yes”, or press the
i key when prompted.
We apologize for your inconvenience.
As mentioned in the announcement last week, a repository de-duplication (removing old version s of all packages in the repository) is planned for this weekend - and now, the process is complete.
Ideally, as an user who regularly updates their copy of AOSC OS, they would/should not notice the changes taken place this weekend. But we do anticipate removals of some packages may lead to dependency issues, and that our bulk removal of files on the repository server may cause error on our mirror partners (due to
rsync's delete threshold, or
If unfortunately you run into issue with updating or installing packages, please first try and switch to our source server…
sudo apt-gen-list -e "40-source"
And contact us at the IRC channel
#aosc to report this incident - we will then try and get into contact with our mirror servers to solve the issue.
Icenowy Zheng has recently uploaded a new batch of AArch64/ARM64 SD card images for compatible Allwinner devices, with Linux Kernel Updated to
4.11-rc6. Along with the Kernel update, two new devices are now supported:
Please head over to the download page for more downloads and more information.
With today’s newest changes to AOSC OS packages, we have decided to split the
firmware-nonfree package to free and non-free portions, with the
firmware-nonfree packages (pre-installed with any system release) containing only non-free firmware files, and a new
firmware-free package containing “free” firmware files.
A normal system upgrade may not install the new
firmware-free package automatically. If you started encountering issues regarding missing firmware after you upgraded your system, please check if you have installed
Both packages will be pre-installed with future system releases.
Since 2014, our community repository has been growing in size due to our (essentially) permissive policy on keeping all old versions of all our packages.
As we stand today, the repository is roughly 500GiB in size. This is abnormal even when considering all of our architectural ports, as Debian, the largest binary-based *nix distribution requires just over 1TiB in size. This continuing growth in repository size has brought storage challenges to both our mirror hosts and our own repository server.
Therefore, it is decided that starting at midnight of next Friday (April 14th, UTC time) that we will be starting to remove all packages that are not the newest provided across all architectures. We expect this operation to be finished by the weekend of April 16th.
Users (like you) should not be concerned about this operation, nor would impact your experience with AOSC OS. Removal of old packages only removes the possibility for developers to backtrack onto older revisions of a packages for comparative and regression testing.