Please update your
amd64 only) and
chromium packages to version
A recently released version of Chromium and Google Chrome has addressed a series of security vulnerabilities, assigned with the following CVE IDs:
CVE-2017-5070, CVE-2017-5071, CVE-2017-5072, CVE-2017-5073, CVE-2017-5074, CVE-2017-5075, CVE-2017-5076, CVE-2017-5077, CVE-2017-5078, CVE-2017-5079, CVE-2017-5080, CVE-2017-5081, CVE-2017-5082, CVE-2017-5083, CVE-2017-5085, CVE-2017-5086.
Please update your
sudo package to version
A recently released version of Sudo has addressed a security vulnerability titled “Potential overwrite of arbitrary files on Linux”:
“On Linux systems, sudo parses the /proc/[pid]/stat file to determine the device number of the process’s tty (field 7). The fields in the file are space-delimited, but it is possible for the command name (field 2) to include spaces, which sudo does not account for. A user with sudo privileges can cause sudo to use a device number of the user’s choosing by creating a symbolic link from the sudo binary to a name that contains a space, followed by a number.”
This vulnerability has been assigned CVE-2017-100036.
Just a quick notice that Cinnamon 3.4 is now available in our community repository (along with the new Slick Greeter)! Here’s a screenshot…
For more information on changes introduced with Cinnamon 3.4 please refer to this Linux Mint blog post.
With the hard work of our community infrastructure contributors, there are now two more services available for our community members:
Thanks to Dingyuan Wang (gumblex) for creating this website.
It should not take much explanation for our Packages site - as mentioned above, it is a catalog of AOSC OS packages - and you could now search for a particular package available to AOSC OS (or to find out if it’s available yet), check on update status, and compare versions of a given package available to all our AOSC OS ports.
Dingyuan Wang also mentioned that there will be a function where AOSC OS users could file package requests on the same website, making it easier for users and developers to check on request status.
Thanks to Sijie Bu (butangmucat) for making this service available.
Currently there are four mailing lists available, each dedicated to different functions…
If you have any questions, concerns, or suggestions to our community services and infrastructure, please pop a mail to our discussions mailing list
Please update your
firefox package to version
53.0 and above.
A recently released version of Firefox has addressed the following security vulnerabilities, assigned with multiple CVE IDs:
CVE-2017-5429, CVE-2017-5430, CVE-2017-5432, CVE-2017-5433, CVE-2017-5434, CVE-2017-5435, CVE-2017-5436, CVE-2017-5437, CVE-2017-5438, CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442, CVE-2017-5443, CVE-2017-5444, CVE-2017-5445, CVE-2017-5446, CVE-2017-5447, CVE-2017-5448, CVE-2017-5449, CVE-2017-5450, CVE-2017-5451, CVE-2017-5452, CVE-2017-5453, CVE-2017-5454, CVE-2017-5455, CVE-2017-5456, CVE-2017-5458, CVE-2017-5459, CVE-2017-5460, CVE-2017-5461, CVE-2017-5462, CVE-2017-5463, CVE-2017-5464, CVE-2017-5465, CVE-2017-5466, CVE-2017-5467, CVE-2017-5468, CVE-2017-5469.
Please update your
google-chrome packages to version
58.0.3029.81 and above.
A recently released version of Chromium/Google Chrome Web browser addressed the following security issues, assigned with multiple CVE IDs:
We have received complaints regarding their SSH Host keys being erased despite that they have already regenerated their SSH Host key before
AOSA-2017-0034 was posted.
This is our fault for not checking on vulnerable host keys by checksum - instead, we chose to regenerate the keys regardless. But here’s the way to workaround this issue, issue this command before you upgrade your system (given that your
openssh package has version older than
# touch /usr/share/doc/openssh/AOSA-2017-0034
Again, we apologize for this incident.
This is an issue of great emergency, please update your system with the newest
openssh package to workaround this security vulnerability!
In our traditional way of generating AOSC OS release tarballs, SSH Daemon host keys were generated only once across any AOSC OS install because the tarballs were built from a single
stub tarball, then to a Base variant - which already contains a copy of OpenSSH (with keys generated) - then all other variants were generated from the Base tarball with extra sets of packages. The result was - due to our ignorance - that all SSH Daemon host keys are generated only once, a great security threat to all AOSC OS users with their SSH Daemon or
To workaround this for all existing users, (once again) please update your system with the latest
openssh package, if you see the following message when installing the update…
Regenerating SSH Keys for AOSA-2017-0034... removed '/etc/ssh/ssh_host_dsa_key' removed '/etc/ssh/ssh_host_dsa_key.pub' removed '/etc/ssh/ssh_host_ecdsa_key' removed '/etc/ssh/ssh_host_ecdsa_key.pub' removed '/etc/ssh/ssh_host_ed25519_key' removed '/etc/ssh/ssh_host_ed25519_key.pub' removed '/etc/ssh/ssh_host_rsa_key' ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
Then your SSH Daemon host keys are regenerated, and they are expected to be unique across any device. You would not need to restart your
sshd.service, but when clients connect to your device, they may receive a warning…
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that a host key has just been changed. The fingerprint for the ECDSA key sent by the remote host is <ECSDA key here> Please contact your system administrator.
Please remove the line (or inform users of your AOSC OS host with SSH enabled to do so) from your
~/.ssh/known_host file containing the key described above - another method is to identify the host you are attempting to connect to, and remove the line containing the host.
openssh are now available for