Read hard, get it all caught up :-D

Things are (actually) going on around the community (surprise!), you may find latest news and happenings in and around the community, and of course, latest information for you to better enjoy AOSC OS.

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. -- Linus Torvalds


  • AOSA-2016-0041: Update cURLDECEMBER 31, 2016

    Please update your curl (and curl+32 if using the AMD64/x86_64 port with optenv32 installed) to version 7.52.1.

    This security advisory discusses the security vulnerabilities addressed in 7.52.0 and followed by 7.52.1 as an emergency release - to fix a new security regression introduced with version 7.52.0.

    Version 7.52.0 addressed the following security vulnerabilities:

    CVE-2016-9586, CVE-2016-9952, CVE-2016-9953.

    Version 7.52.1 address a security vulnerability described as follows, however, no CVE was assigned at the time of writing:

    "libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to.

    "This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable.

    "This function is brand new in 7.52.0 and is the result of an overhaul to make sure libcurl uses strong random as much as possible - provided by the backend TLS crypto libraries when present. The faulty function was introduced in this commit."

    Relevant documentation:

  • AOSA-2016-0040: Update FlightGearDECEMBER 31, 2016

    Please update your flightgear package to version 2016.4.3-1.

    A fix was recently introduced to the source code for the FlightGear Flight Simulator to address the following security vulnerability:

    "The FlightGear project fixed a security issue, allowing arbitrary file overwrites for files the user running FlightGear has write access to and could be taken advantage to for other impact as arbitrary code execution."

    Relevant documentation:

  • AOSA-2016-0039: Update SambaDECEMBER 31, 2016

    Please update your samba package to version 4.5.3.

    A new version of Samba was recently released to address the following security vulnerability:

    CVE-2016-2123, CVE-2016-2125, CVE-2016-2126.

    Relevant documentation:

  • AOSA-2016-0038: Update EximDECEMBER 31, 2016

    Please update your exim package to version 4.88.

    A security vulnerability was recently disclosed that:

    "Exim leaks the private DKIM signing key to the log files. Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material is included in the bounce message."

    And was consequently assigned with CVE-2016-9963.

    Relevant documentation:

  • New package additions: Dec 16th, 2016DECEMBER 16, 2016

    Per users' requests, we have added the following packages to our community repository:

    • abbs - Configuration/manifest manager for Autobuild.
    • aosc-os-arm-boot-flasher - AOSC OS boot-related file update(flash)er for ARM architecture (and maybe more).
    • apm - Atom Package Manager.
    • arc-openbox - Arc theme for the Openbox window manager.
    • atool - A script for managing file archives of various types.
    • compton - A compositor for X11.
    • easy-rsa - Simple shell based CA utility.
    • electron - Build cross platform desktop apps with JavaScript, HTML, and CSS.
    • flat-remix-icon-theme - A pretty simple icon theme for Linux.
    • gost - GO Simple Tunnel.
    • gtk3-tqt-engine - GTK+ 3 engine for TQt.
    • gtk-qt-engine - GTK+ engine for TQt/Qt 3.
    • http-parser - Parser for HTTP Request/Response written in C.
    • lrzsz - xmodem, ymodem and zmodem file transfer protocols.
    • ncbi-vdb - The NCBI VDB.
    • neofetch - A fast, highly customizable system info script.
    • netperf - Network benchmark for multiple types of networks.
    • ngs - NGS Language Bindings.
    • nitrogen - Background browser and setter for X windows.
    • opencryptoki - Implementation of the PKCS#11 (Cryptoki) specification.
    • pysocks - SOCKS4, SOCKS5 or HTTP proxy for Python.
    • quodlibet - Music library manager and player.
    • racer - Rust Code Completion Utility.
    • ranger - A simple, vim-like file manager.
    • rustfmt - Rust Code Formatter.
    • rxvt-unicode - A customizable terminal emulator forked from rxvt.
    • sassc - Command line driver for libsass.
    • skanlite - Image scanning application for KDE.
    • sra-tools - The NCBI SRA (Sequence Read Archive).
    • tde-i18n - Translation and l10n data for Trinity Desktop.
    • tdenetworkmanager - NetworkManager frontend for Trinity Desktop.
    • tpm-tools - Management tools for TPM hardware.
    • virtualenv - A tool to create isolated Python environments.

    To learn about how to request new packages for addition into our community repository, please check out our "pakreq" guide. Or simply shout out requests with #pakreq hashtag on our #aosc IRC channel, or on our Telegram group (joining information available on IRC).

  • AOSA-2016-0037: Update w3mDECEMBER 16, 2016

    Please update your w3m to version 1:20161215.

    A series of security fixes have been committed to the w3m project to fix ~20 security fixes, all of which are yet to be officially assigned with a CVE - but we still strongly advise that you update this package.

  • AOSA-2016-0036: Update FirefoxDECEMBER 16, 2016

    Please update your firefox package to version 50.1.0, or 45.6.0esr if you are using the PowerPC 64-bit port.

    A new version of Firefox was recently released to fix the following security issues:

    CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903.

    Relevant documentation:

  • AOSA-2016-0035: Update APTDECEMBER 16, 2016

    Please update your apt package to version 1.3.1-2.

    A security vulnerability in APT has recently been disclosed that the "high level package manager, does not properly handle errors when validating signatures on InRelease files. An attacker able to man-in-the-middle HTTP requests to an apt repository that uses InRelease files (clearsigned Release files), can take advantage of this flaw to circumvent the signature of the InRelease file, leading to arbitrary code execution."

    A CVE is assigned for this issue:


    Relevant documentation:

  • Updates to Allwinner ImagesDECEMBER 13, 2016

    A new batch of ARMv7 images for Allwinner is now released by Icenowy Zheng (with date tags 20161212 and 20161213). One of the main changes is the inclusion of AOSC ARM Flasher for updating Linux Kernel for all supported Allwinner devices (will be available for Raspberry Pi 2/3 soon).

    As a side note however, any images released before December 12th, 2016 (thus a date tag older than 20161212) does not include this mechanism, and it is strongly advised that you enroll your device to the Flasher so that you may obtain Kernel updates (feature and security).

    To enroll your device, run the following series of commands as root (just copy and paste to the terminal and press Enter, the commands should finish automatically):

    echo deb / > /etc/apt/sources.list.d/10-sunxi.list && apt update && apt dist-upgrade -y && apt install aosc-os-armel-sunxi-boot aosc-os-arm-boot-flasher -y && FLASHER_CAPABILITIES='bootloader kernel' aosc-arm-flasher

    New images are now available in the Downloads page.

  • AOSA-2016-0034: Update OpenJPEGDECEMBER 9, 2016

    Please update your openjpeg package to version 2.1.2-1.

    Two vulnerabilities in OpenJPEG have just been disclosed:

    • CVE-2016-9580 integer overflow in tiftoimage resulting into heap buffer overflow.
    • CVE-2016-9581 infinite loop in tiftoimage resulting into heap buffer overflow in convert32sC1P1.

    Relevant documentation: