NEWS

Read hard, get it all caught up :-D

Things are (actually) going on around the community (surprise!). Here you will find the latest news and happenings in and around the community and, of course, the latest information to help you better enjoy AOSC OS.

Most good programmers do programming not because they expect to get paid or get adulation by the public, but because it is fun to program. – Linus Torvalds

ALL NEWS

  • New package additions: Dec. 31, 2016 (December 31, 2016)

    Per users' requests, we have added the following packages to our community repository:

    • afflib - An open and extensible file format to store disk images and associated metadata.
    • afl - A security-oriented fuzzer.
    • averia-fonts - The Avería GWF font family.
    • construct - A powerful declarative parser/builder for binary data.
    • ctemplate - A library implementing a simple but powerful template language for C++.
    • dff - An Open Source computer forensics platform.
    • distorm - Powerful disassembler library for x86/AMD64.
    • et-xmlfile - A low memory library for creating large XML files.
    • fbset - Framebuffer setup utility.
    • jbig2dec - Decoder implementation of the JBIG2 image compression format.
    • jdcal - Julian dates, from proleptic Gregorian and Julian calendars.
    • jsmath-fonts - Font family for jsMath.
    • libbfio - A library to provide basic file input/output abstraction.
    • libewf - A library to access the Expert Witness Compression Format (EWF).
    • libfm-qt - Core library of PCManFM-Qt (Qt binding for libfm).
    • libforensic1394 - Library for performing live memory forensics over the IEEE 1394 (FireWire) interface.
    • libglademm - C++ bindings for libglade.
    • libiodbc - Independent Open DataBase Connectivity driver library.
    • libpff - Library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
    • libvshadow - A library to access the Volume Shadow Snapshot (VSS) format.
    • lxqt-build-tools - Various packaging tools and scripts for LXQt applications.
    • muparser - A fast math parser library.
    • mysql-workbench - A cross-platform, visual database design tool developed by MySQL.
    • openpyxl - A Python library to read/write Excel 2007 xlsx/xlsm files.
    • paprefs - A simple GTK-based configuration dialog for PulseAudio.
    • pefile - A Python module to read and work with PE (Portable Executable) files.
    • ptunnel - A tool for reliably tunneling TCP connections over ICMP echo request and reply packets.
    • pyodbc - Python bindings for UnixODBC.
    • pyorbit - Python bindings for ORBit2.
    • reglookup - Utilities for direct analysis of Windows NT-based registry files.
    • scantailor - Interactive post-processing tool for scanned pages.
    • seahorse-nautilus - PGP encryption and signing for Nautilus (GNOME Files).
    • stunnel - A program that allows you to encrypt arbitrary TCP connections inside SSL.
    • system-config-lvm - A utility for graphical configuration of Logical Volumes.
    • thermald - The Linux Thermal Daemon program from 01.org.
    • tinyproxy - A light-weight HTTP proxy daemon for POSIX operating systems.
    • volatility - Advanced memory forensics framework.
    • xrdp - An open source remote desktop protocol (RDP) server.
    • yara-python - Python bindings for Yara.
    • yara - Tool aimed at helping malware researchers to identify and classify malware samples.
    • zathura-pdf-mupdf - PDF support for Zathura (MuPDF backend).
    • znc - An IRC bouncer with modules & scripts support.

    To learn how to request new packages for addition to our community repository, please check out our "pakreq" guide. Or simply shout out requests with the #pakreq hashtag on our #aosc IRC channel, or on our Telegram group (joining information available on IRC).

  • AOSA-2016-0043: Update OpenSSH (December 31, 2016)

    Please update your openssh package to version 7.4p1.

    A new version of OpenSSH was recently announced to address the following security vulnerabilities:

    CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012.

    Relevant documentation:

  • AOSA-2016-0042: Update Apache HTTP Server (December 31, 2016)

    Please update your httpd package to version 2.4.25.

    A new version of Apache HTTP Server was recently announced to address the following security vulnerabilities:

    CVE-2016-0736, CVE-2016-2161, CVE-2016-5387, CVE-2016-8723, CVE-2016-8740.

    Relevant documentation:

  • AOSA-2016-0041: Update cURL (December 31, 2016)

    Please update your curl package (and curl+32 if using the AMD64/x86_64 port with optenv32 installed) to version 7.52.1.

    This security advisory covers the security vulnerabilities addressed in version 7.52.0, as well as version 7.52.1, an emergency release that fixes a new security regression introduced with version 7.52.0.

    Version 7.52.0 addressed the following security vulnerabilities:

    CVE-2016-9586, CVE-2016-9952, CVE-2016-9953.

    Version 7.52.1 addresses a security vulnerability described as follows; no CVE had been assigned at the time of writing:

    "libcurl's (new) internal function that returns a good 32bit random value was implemented poorly and overwrote the pointer instead of writing the value into the buffer the pointer pointed to.

    "This random value is used to generate nonces for Digest and NTLM authentication, for generating boundary strings in HTTP formposts and more. Having a weak or virtually non-existent random there makes these operations vulnerable.

    "This function is brand new in 7.52.0 and is the result of an overhaul to make sure libcurl uses strong random as much as possible - provided by the backend TLS crypto libraries when present. The faulty function was introduced in this commit."

    Relevant documentation:

  • AOSA-2016-0040: Update FlightGear (December 31, 2016)

    Please update your flightgear package to version 2016.4.3-1.

    A fix was recently introduced to the source code for the FlightGear Flight Simulator to address the following security vulnerability:

    "The FlightGear project fixed a security issue, allowing arbitrary file overwrites for files the user running FlightGear has write access to and could be taken advantage to for other impact as arbitrary code execution."

    Relevant documentation:

  • AOSA-2016-0039: Update Samba (December 31, 2016)

    Please update your samba package to version 4.5.3.

    A new version of Samba was recently released to address the following security vulnerabilities:

    CVE-2016-2123, CVE-2016-2125, CVE-2016-2126.

    Relevant documentation:

  • AOSA-2016-0038: Update Exim (December 31, 2016)

    Please update your exim package to version 4.88.

    A security vulnerability was recently disclosed, described as follows:

    "Exim leaks the private DKIM signing key to the log files. Additionally, if the build option EXPERIMENTAL_DSN_INFO=yes is used, the key material is included in the bounce message."

    This vulnerability was consequently assigned CVE-2016-9963.

    Relevant documentation:

  • New package additions: Dec 16th, 2016 (December 16, 2016)

    Per users' requests, we have added the following packages to our community repository:

    • abbs - Configuration/manifest manager for Autobuild.
    • aosc-os-arm-boot-flasher - AOSC OS boot-related file update(flash)er for ARM architecture (and maybe more).
    • apm - Atom Package Manager.
    • arc-openbox - Arc theme for the Openbox window manager.
    • atool - A script for managing file archives of various types.
    • compton - A compositor for X11.
    • easy-rsa - Simple shell based CA utility.
    • electron - Build cross platform desktop apps with JavaScript, HTML, and CSS.
    • flat-remix-icon-theme - A pretty simple icon theme for Linux.
    • gost - GO Simple Tunnel.
    • gtk3-tqt-engine - GTK+ 3 engine for TQt.
    • gtk-qt-engine - GTK+ engine for TQt/Qt 3.
    • http-parser - Parser for HTTP Request/Response written in C.
    • lrzsz - xmodem, ymodem and zmodem file transfer protocols.
    • ncbi-vdb - The NCBI VDB.
    • neofetch - A fast, highly customizable system info script.
    • netperf - Network benchmark for multiple types of networks.
    • ngs - NGS Language Bindings.
    • nitrogen - Background browser and setter for X windows.
    • opencryptoki - Implementation of the PKCS#11 (Cryptoki) specification.
    • pysocks - SOCKS4, SOCKS5 or HTTP proxy for Python.
    • quodlibet - Music library manager and player.
    • racer - Rust Code Completion Utility.
    • ranger - A simple, vim-like file manager.
    • rustfmt - Rust Code Formatter.
    • rxvt-unicode - A customizable terminal emulator forked from rxvt.
    • sassc - Command line driver for libsass.
    • skanlite - Image scanning application for KDE.
    • sra-tools - The NCBI SRA (Sequence Read Archive).
    • tde-i18n - Translation and l10n data for Trinity Desktop.
    • tdenetworkmanager - NetworkManager frontend for Trinity Desktop.
    • tpm-tools - Management tools for TPM hardware.
    • virtualenv - A tool to create isolated Python environments.

    To learn how to request new packages for addition to our community repository, please check out our "pakreq" guide. Or simply shout out requests with the #pakreq hashtag on our #aosc IRC channel, or on our Telegram group (joining information available on IRC).

  • AOSA-2016-0037: Update w3m (December 16, 2016)

    Please update your w3m package to version 1:20161215.

    A series of fixes has been committed to the w3m project to address ~20 security issues, none of which has yet been officially assigned a CVE; we still strongly advise that you update this package.

  • AOSA-2016-0036: Update Firefox (December 16, 2016)

    Please update your firefox package to version 50.1.0, or 45.6.0esr if you are using the PowerPC 64-bit port.

    A new version of Firefox was recently released to fix the following security issues:

    CVE-2016-9080, CVE-2016-9893, CVE-2016-9894, CVE-2016-9895, CVE-2016-9896, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9903.

    Relevant documentation: