Read hard, get it all caught up :-D

Things are (actually) going on around the community (surprise!), you may find latest news and happenings in and around the community, and of course, latest information for you to better enjoy AOSC OS.

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. – Linus Torvalds


  • AOSA-2017-0027: Update NTFS-3GMARCH 4, 2017

    Please update your ntfs-3g package to version 2016.2.22-1.

    A security vulnerability assigned with CVE-2017-0358 was addressed in NTFS-3G.

    *Jann Horn, Project Zero (Google) discovered that ntfs-3g, a read-write NTFS driver for FUSE does not not scrub the environment before executing modprobe to load the fuse module. This influence the behavior of modprobe (MODPROBE_OPTIONS environment variable, --config and –dirname options) potentially allowing for local root privilege escalation if ntfs-3g is installed setuid. This is the case for Debian, Ubuntu and probably Gentoo. *

    Relevant documentation:

  • AOSA-2017-0026: Update libopusMARCH 4, 2017

    Please update your libopus to version 1.1.4.

    A recently released update to libopus has fixed a security vulnerabilities, assigned CVE-2017-0381.

    Relevant documentation:

  • AOSA-2017-0025: Update Gtk-VNCMARCH 4, 2017

    Please update your gtk-vnc to version 0.7.0.

    A recently released update to Gtk-VNC has fixed a series of security vulnerabilities, assigned CVE-2017-5884, CVE-2017-5885.

    Relevant documentation:

  • AOSA-2017-0024: Update LibWMFMARCH 4, 2017

    Please update your libwmf package to version

    A series of vulnerabilities were recently fixed in LibWMF, assigned CVE-2016-6912, CVE-2016-9317, CVE-2016-10166, CVE-2016-10167, CVE-2016-10168.

    Relevant documentation:

  • AOSA-2017-0023: Update WebKitGTK+MARCH 4, 2017

    Please update your webkit2gtk package to version 2.14.4.

    WebKitGTK+ recently announced a security advisory which contained detailed information regarding security vulnerabilities fixed with the newly released WebKitGTK+ verion 2.14.4. The secuity vulnerabilities were assigned CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373.

    Relevant documentation:

  • AOSA-2017-0022: Update Pale MoonMARCH 4, 2017

    Please update your palemoon package to version 27.1.0.

    A recent release of Pale Moon has fixed a series of security vulnerabilities, assigned with CVE-2017-5376, CVE-2017-5380, CVE-2017-5381, CVE-2017-5383, CVE-2017-5396.

    Relevant documentation:

  • AOSA-2017-0021: Update VirglrendererMARCH 4, 2017

    Please update your virglrenderer package to version 0.5.0-2.

    A series of security vulnerabilities were fixed in the master branch, assigned with CVE-2016-10214, CVE-2017-5937.

  • AOSA-2017-0020: Update BindMARCH 4, 2017

    Please update your bind package to version 9.11.0.P3.

    A security vulnerability was found in Bind recently, and was assigned CVE-2017-3135.

    Relevant documentation:

  • Repository key expiration!FEBRUARY 14, 2017

    Let us start with an apologize - we messed up. Starting with AOSC OS2 back in early 2014, the repositories for AOSC OS were signed with a GPG key - it was a time when we had no idea about longterm maintainership - thus no plan, nor anticipation for the expiration of this GPG key on Valentine’s Day of 2017.

    Although the problem has already been addressed for our source repository (with extra security enhancements), we do realize that some of you have already been running into issues trying to update your AOSC OS. It will be another two days before we could push out another batch of updates that addresses this issue directly - but you can still fix it yourself (albeit you can’t even obtain an update for Apt now, as you can’t update your system anyways). So here is how it goes:

    First, obtain a copy of our new GPG key.


    Then, remove the old key from the old storage.

    sudo rm -fv /etc/apt/trusted.gpg

    And finally, add the new key to the Apt key storage.

    sudo apt-key add 20170214-2y.gpg

    And you should be greeted with an “OK” message. Now, you are good to go again with the new keys on hand.

    sudo apt update

    But at the time of posting, you may not be able to update your system via our various mirrors, this is because our new signature was not yet synchronised with the mirrors. To workaround this issue temporarily, use apt-gen-list and select our source server again - it might be slower in certain areas, but it gets the job done.

    sudo apt-gen-list -e "40-source"

    Then, as usual.

    sudo apt update
  • Core 4.2 is here!FEBRUARY 8, 2017


    Core 4.2 was just released as the latest feature update to the Core 4.0 series. With 4.2, we have updated virtually every single component in the Core, but more importantly, we have officially added support for the MIPS64 Little Endian architecture, currently maintained by Junde Yhi (creation of build specifications, and package porting) and Mingcong Bai (package porting).

    What’s more? You could expect, with Core 4.2:

    • Improved network performance.
    • Security enhancements.
    • Component updates.

    Core 4.2 is now readily available for the AMD64/x86_64 port of AOSC OS, updates for all other architectures will come in this upcoming weekend.

    Please note that Core 4.2 contains security updates, which were assigned with AOSA-2017-0018 (for GNU C Library) and AOSA-2017-0019 (for Bash). Please update your AOSC OS with the newest Core at your earliest convenience!

    For detailed description of changes made between Core 4.1 and 4.2, please checkout the full changelog.