Real time changelog for Porteus Kiosk clients
Each new system version (e.g. 20140605) triggers an action on the client side to pull updated components from our update servers. After a short downtime the system is ready to use with all security fixes, updates and new features merged into the ISO. Everything is done automatically without any user action.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.57, intel-microcode-20240910_p20240915, sof-firmware-2024.06
001-core:
- security fix curl-8.9.1: ASN.1 date parser overread (CVE-2024-7264) #937125
- upgraded to alsa-ucm-conf-1.2.12, libgpg-error-1.50, openssl-3.3.2, kmod-33, alsa-lib-1.2.12, libgcrypt-1.11.0, gnutls-3.8.7.1-r1, userspace-rcu-0.14.1, sqlite-3.46.1, alsa-utils-1.2.12, nss-3.101.2, systemd-utils-254.17, dhcpcd-10.0.10, libjpeg-turbo-3.0.3-r1, fontconfig-2.15.0-r1, harfbuzz-9.0.0, imlib2-1.12.3, pango-1.52.2, feh-3.10.3
002-firefox:
- security fix mozilla-firefox-128.3.1 Changelog: link
002-chrome:
- major Chrome upgrade upgraded to google-chrome-130.0.6723.58
004-wifi.xzm:
- upgraded to wireless-regdb-20240508, tcl-8.6.14, libnl-3.10.0, wpa_supplicant-2.10-r5, iw-6.7
005-thinclient.xzm:
- upgraded to libsodium-1.0.20, libssh-0.10.6-r1
08-ssh.xzm:
- upgraded to openssh-9.8_p1-r2
10-printing.xzm:
- security fix openjpeg-2.5.2: Heap-buffer-overflow in color.c:379:42 in sycc420_to_rgb (CVE-2021-3575) #832007
- security fix cups-2.4.10-r1: Missing PPD attribute validation #940316
- upgraded to libpaper-2.1.3, jbig2dec-0.20, libjpeg-turbo-3.0.3-r1, qpdf-11.9.1, lcms-2.16-r1, poppler-24.08.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.51, intel-microcode-20240813_p20240815, sof-firmware-2024.03
- upgraded AMD CPU microcode to latest version from git
001-core:
- security fix openssl-3.0.14: Checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) #932317
- security fix expat-2.6.3: multiple vulnerabilities (CVE-2024-45490, CVE-2024-45491, CVE-2024-45492) #938894
- upgraded to libffi-3.4.6, nettle-3.10, libpcre2-10.44-r1, compose-tables-1.8.10, libX11-1.8.10, libXtst-1.2.5, logrotate-3.22.0, shadow-4.14.8, abseil-cpp-20240116.2-r4, libgudev-238-r2, libwacom-2.12.2, wayland-1.23.0-r1, libXfont2-2.0.7, speech-dispatcher-0.11.5, tigervnc-1.14.0-r1
10-printing.xzm:
- security fix ghostscript-gpl-10.03.1: Multiple vulnerabilities (CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, CVE-2024-33871) #932125
- security fix net-snmp-5.9.4: multiple vulnerabilities (CVE-2022-44792, CVE-2022-44793) #880231
- upgraded to perl-5.40.0, libieee1284-0.2.11-r9, poppler-24.06.1
001-core:
- upgraded to hwdata-0.383, ethtool-6.9, sqlite-3.46.0, rsync-3.3.0-r1, elfutils-0.191-r1, util-linux-2.39.4-r1, e2fsprogs-1.47.1, rsyslog-8.2404.0-r1, pciutils-3.13.0, xfsprogs-6.8.0, libevdev-1.13.2, xkeyboard-config-2.42, libwacom-2.11.0, libinput-1.26.1, libxkbcommon-1.7.0-r1, nghttp2-1.62.1, curl-8.8.0-r1, gtk+-3.24.41-r1
002-firefox:
- security fix mozilla-firefox-128.1.0 Changelog: link
11-citrix.xzm:
- upgraded to icaclient-24.5.0.76
001-core:
- upgraded to llvm-17.0.6, mesa-24.0.9, mesa-progs-9.0.0, gmmlib-22.3.19, libdrm-2.4.121, libva-2.21, libva-utils-2.21.0, libva-intel-media-driver-24.1.5
- added speech-dispatcher-0.11.4-r2
002-firefox:
- major Firefox ESR release mozilla-firefox-128.0 changelog: 116.0 117.0 118.0 119.0 120.0 121.0 122.0 123.0 124.0 125.0 126.0 127.0 128.0
003-settings.xzm:
- kiosk fix disabled webpage translation popup by default for the Firefox browser
- new feature sync the time automatically when making a connection to porteus-kiosk.org server during system installation. Display a message that time must be set manually in the wizard if it's not correct (case where the NTP protocol/server is blocked in the network).
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.37, intel-microcode-20240514_p20240514
- kernel config: added support for PCI based UFS host controllers which are used in some laptops and miniPCs
001-core:
- security fix libxml2-2.12.7: Buffer overread with xmllint --htmlout #931977
- security fix procps-4.0.4: ps buffer overflow (CVE-2023-4016) #931408
- security fix coreutils-9.5: chmod -R TOCTOU vulnerability #928062
- upgraded to hwdata-0.38, nettle-3.9.1-r1, libcap-2.70, kmod-32-r2, dhcpcd-10.0.8, harfbuzz-8.5.0
002-chrome:
- major Chrome upgrade upgraded to google-chrome-126.0.6478.126
003-settings.xzm:
- kiosk fix fixed screensaver slideshow/webpage/video incompatibility with 'onscreen buttons'
- kiosk fix disabled 'Reading mode' feature for the Chrome browser
- kiosk fix disabled 'In Product help' Chrome popup related to the settings menu
005-thinclient.xzm:
- upgraded to libsodium-1.0.19_p20240117, remmina-1.4.35-r2
08-ssh.xzm:
- security fix openssh-9.7_p1-r6: Remote code execution (CVE-2024-6387) #935271
001-core:
- security fix wget-1.24.5: cookie leakage with HSTS and subdomains #930041
- upgraded to libgpg-error-1.49, pacparser-1.4.3, dmidecode-3.6, rsync-3.3.0, systemd-utils-254.13, pciutils-3.12.0, xfsprogs-6.6.0-r1, iptables-1.8.10-r1, html-xml-utils-8.6, libcec-6.0.2-r2, fontconfig-2.15.0, harfbuzz-8.4.0, openbox-3.6.1-r9
- added abseil-cpp-20230125.3-r3
002-firefox:
- security fix mozilla-firefox-115.12.0 Changelog: link
004-wifi.xzm:
- upgraded to wvdial-1.61-r1, libnl-3.9.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.30, intel-microcode-20240312_p20240312, sof-firmware-2023.12.1
001-core:
- security fix glibc-2.38-r13: Multiple vulnerabilities in nscd (CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602, GLIBC-SA-2024-0005, GLIBC-SA-2024-0006, GLIBC-SA-2024-0007, GLIBC-SA-2024-0008) #930667
- security fix glib-2.78.6: Signal subscription vulnerabilities (CVE-2024-3439) #931507
- upgraded to gcc-13.2.1_p20240210, alsa-ucm-conf, alsa-lib-1.2.11, alsa-utils-1.2.11, ncurses-6.4_p20240414, sysvinit-3.09, zlib-1.3.1-r1, sqlite-3.45.3, libpcre2-10.43, zstd-1.5.6, kmod-32-r1, libxml2-2.12.6, libpciaccess-0.18.1, libgpg-error-1.48, libusb-1.0.27-r1, ca-certificates-20240203.3.98, libevdev-1.13.1-r1, libwacom-2.10.0, curl-8.7.1-r4, libxkbcommon-1.7.0, mtdev-1.1.7, libX11-1.8.9, libepoxy-1.5.10-r3, rsyslog-8.2404.0, librsvg-2.57.3, libxcb-1.17.0, libXmu-1.2.1, xf86-input-wacom-1.2.2
- added alsa-plugins-1.2.7.1-r1, libpulse-17.0, pulseaudio-daemon-17.0-r1, libltdl-2.4.7-r1, libsndfile-1.2.2-r2, speexdsp-1.2.1, webrtc-audio-processing-1.3-r3
003-settings.xzm:
- kiosk fix removed the 1 pixel white line at the top of the kiosk screen which was visible when Firefox displayed the screensaver webpage
- new feature switched the sound subsystem from ALSA to PulseAudio. 'default_sound_card=' and 'default_microphone=' parameters are now obsolete. If they are present in the kiosk config then the system falls back to using ALSA.
001-core:
- upgraded to timezone-data-2024a-r1, ethtool-6.7, libunistring-1.2, attr-2.5.2-r1, libpng-1.6.43, openssl-3.0.13-r2, sqlite-3.45.1-r1, coreutils-9.4-r1, libxcrypt-4.4.36-r3, libXdmcp-1.1.5, util-linux-2.39.3-r7, systemd-utils-254.10-r1, libxcb-1.16.1, libXext-1.3.6, at-spi2-core-2.50.2, ca-certificates-20230311.3.97, libpciaccess-0.18, libxkbfile-1.1.3, pixman-0.43.4, xkeyboard-config-2.41, libfontenc-1.1.8, nss-3.99, rsyslog-8.2402.0, inih-58, libXcursor-1.2.2, dhcpcd-10.0.6-r2, startup-notification-0.12-r2, libXaw-1.0.16, xev-1.2.6, iptables-1.8.10, xkbcomp-1.4.7, libXaw3d-1.6.6, nghttp2-1.61.0, curl-8.7.1-r2, pango-1.52.1, gtk+-3.24.41, imlib2-1.11.0, xorg-server-21.1.13-r99, conky-1.19.8, xf86-input-elographics-1.4.4, xf86-input-wacom-1.2.1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-124.0.6367.60
002-firefox:
- security fix mozilla-firefox-115.10.0 Changelog: link
003-settings.xzm:
- kiosk fix disabled "In Product Help" popup which appears when password is saved in Chrome for the first time in the password manager
- kiosk fix disabled "In Product Help" popup which appears when you select "Search this page with Google" option in the Chrome's 3 dot settings menu
004-wifi.xzm:
- upgraded to ppp-2.5.0-r7, wpa_supplicant-2.10-r4
005-thinclient.xzm:
- upgraded to libsodium-1.0.19-r2, freerdp-2.11.5-r10, remmina-1.4.35-r1
initrd:
- updated init script to use overlayfs instead of aufs
vmlinuz and 000-kernel.xzm:
- kernel config: enabled overlayfs support and removed aufs as it causes 'kernel panic' during boot on certain PC models and kernel 6.6.x
003-settings.xzm:
- kiosk fix temporarily disable transparency when starting the default (ripples) screensaver, otherwise it cannot load a screenshot image
- kiosk fix removed 'print test page' function from the wizard as we cannot inject printing module on the fly to the virtual filesystem after switching to overlayfs
initrd:
- mount aufs with 'udba=none' flag by default as writable branch is not accessible anyway after switching to /union, that should also give some small boost in aufs performance
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-6.6.21
- upgraded to sof-firmware-2023.12, upgraded kernel firmware to latest version from git
001-core:
- upgraded to gmmlib-22.3.17, libva-intel-media-driver-24.1.3, xorg-server-21.1.11-r99
003-settings.xzm:
- new security feature added support for individual SSL certificates and passwords when connecting to PK Server
- new feature added a 3rd party patch to xorg-server to use the 'modesetting' driver by default on Intel GPUs gen 4 and newer
- new feature added a 3rd party patch to xorg-server to enable the 'TearFree' feature for the 'modesetting' GPU driver
- new feature added a wrapper which should automatically fix the video output names in the 'screen_settings=' parameter after switching to the modesetting driver (no need to manually update the kiosk configs)
- kiosk fix import certificates before 'run_command=' parameter so it is possible to download files from webpages configured with self-signed certs if you add a private key to the imported CA cert. Remote config still must be protected by a valid SSL cert, hosted on a PK Server "Premium" or plain http/ftp server (without SSL).
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.78
002-chrome:
- major Chrome upgrade upgraded to google-chrome-122.0.6261.111
003-settings.xzm:
- kiosk security fix always verify SSL certificate on all connections. If you host remote config or kiosk files (e.g. wallpaper) on a web server then please ensure that the SSL certificate is valid, otherwise the 'remote management' function will not work. This rule also applies to intranet deployments. Please ensure that the NTP protocol is not blocked in your network as the system time must be correct when validating the SSL certificate.
- kiosk security fix skip proxy when making connections to updates server, Porteus Kiosk Server and remote config server (relevant IPs are added to proxy exceptions by default) as we don't want the sensitive traffic to be intercepted or manipulated by anybody
- kiosk security fix never upload VNC passwords on PK server by default, server will download them from the client when initializing the VNC connection
- new security feature if 'root_password=' is not set in the kiosk config then generate a random one during each kiosk boot. Clients can still be accessed over SSH protocol using PK Server "Premium" which uses SSH keys and not passwords when communicating with the clients. Do not remove 'root_password=' parameter from your kiosk config if you plan to connect to your kiosk directly using e.g. the PuTTY app. If you use PK Server "Premium" then it's recommended to remove the root password from the kiosk configs in order to enhance the security on the clients.
- new security feature if 'vnc_password=' is not set in the kiosk config then generate a random one during each kiosk boot. Clients can still be accessed over VNC protocol using PK Server "Premium" which copies VNC password over SSH when initializing the VNC connection to the client. Do not remove 'vnc_password=' parameter from your kiosk config if you plan to connect to your kiosk directly using any VNC client e.g. TigerVNC. If you use PK Server "Premium" then it's recommended to remove the VNC password from the kiosk configs in order to enhance the security on the clients.
- kiosk fix ignore "default_sound_card=0.0" parameter as it breaks the sound output in Chrome
- kiosk fix show up to 20 messages on the screen so it's possible to see them all during system update
001-core:
- security fix glibc-2.38-r10: Multiple vulnerabilities (CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, GLIBC-SA-2024-0001, GLIBC-SA-2024-0002, GLIBC-SA-2024-0003) #923352
- security fix openssl-3.0.13: multiple vulnerabilities (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) #921684
- upgraded to libffi-3.4.4-r4, libcap-2.69-r1, libbsd-0.11.8, bzip2-1.0.8-r5, libpcre2-10.42-r2, sqlite-3.44.2-r2, libxcb-1.16-r1, rsync-3.2.7-r4, e2fsprogs-1.47.0-r3, pixman-0.43.2, zstd-1.5.5-r1, libinput-1.25.0, curl-8.5.0-r3, libdrm-2.4.120, libva-utils-2.20.1, libXaw3d-1.6.5-r1
002-firefox:
- security fix mozilla-firefox-115.8 Changelog: link
005-thinclient.xzm:
- upgraded to libidn2-2.3.7, json-glib-1.8.0
10-printing.xzm:
- upgraded to libpaper-2.1.2, libidn-1.42, openjpeg-2.5.0-r6, qpdf-11.7.0, ghostscript-gpl-10.02.1, poppler-24.02.0, cups-2.4.7-r2
001-core:
- security fix curl-8.5.0: Multiple vulnerabilities (CVE-2023-42619, CVE-2023-46218) #919325
- upgraded to libffi-3.4.4-r3, baselayout-2.14-r2, timezone-data-2023d, traceroute-2.1.5, popt-1.19-r1, rsync-3.2.7-r3, zlib-1.3-r4, libxml2-2.12.5, systemd-utils-254.8, rsyslog-8.2312.0, ca-certificates-20230311.3.96.1, dhcpcd-10.0.6-r1, lsof-4.99.3, conky-1.19.6-r2, feh-3.10.2, libgcrypt-1.10.3-r1
002-firefox:
- security fix mozilla-firefox-115.7 Changelog: link
005-thinclient.xzm:
- upgraded to libidn2-2.3.4-r2, shared-mime-info-2.4-r1, libvncserver-0.9.14-r2
09-x11vnc.xzm:
- upgraded to libvncserver-0.9.14-r2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.74, sof-firmware-2023.09.2
001-core:
- upgraded to llvm-16.0.6, ethtool-6.6, sysvinit-3.08, coreutils-9.4, libXaw-1.0.15-r1, libxml2-2.11.5-r1, at-spi2-core-2.50.1, shadow-4.14.2, libglvnd-1.7.0, inih-57-r1, ca-certificates-20230311.3.95, ntp-4.2.8_p17-r1, usbutils-017, gmmlib-22.3.14, libdrm-2.4.118, libva-2.20.0, libva-intel-media-driver-23.4.3, libva-utils-2.20.0, mesa-23.2.1, libnotify-0.8.3, pango-1.51.0, gtk+-3.24.39, librsvg-2.57.0, libXfont2-2.0.6-r1, xorg-server-21.1.11
- added lsof-4.99
001-core:
- security fix cairo-1.18.0: Multiple vulnerabilities (CVE-2019-6461, CVE-2019-6462) #717778
- security fix traceroute-2.1.3: improper command line parsing (CVE-2023-46316) #917769
- upgraded to glib-2.78.3, libffi-3.4.4-r2, timezone-data-2023c-r1, alsa-ucm-conf-1.2.10-r1, hwdata-0.376, gmp-6.3.0-r1, zlib-1.3-r2, openssl-3.0.12, util-linux-2.38.1-r3, sqlite-3.44.2-r1, kmod-31, libxslt-1.1.39, systemd-utils-254.7, elfutils-0.190, tiff-4.6.0, alsa-lib-1.2.10-r2, libgpg-error-1.47-r1, xkeyboard-config-2.40-r1, ca-certificates-20230311.3.93, dhcpcd-10.0.5-r1, alsa-utils-1.2.10-r1, stunnel-5.71, libwacom-2.8.0, harfbuzz-8.3.0, openbox-3.6.1-r8, feh-3.10.1
002-chrome:
- upgraded to google-chrome-120.0.6099.199
005-thinclient.xzm:
- security fix libssh-0.10.6: Terrapin vulnerability #920291
- upgraded to freerdp-2.11.1, remmina-1.4.31-r1
08-ssh.xzm:
- security fix openssh-9.6_p1: ProxyCommand Unexpected Code Execution Vulnerability (CVE-2023-51385) #920722
002-chrome:
- major Chrome upgrade upgraded to google-chrome-120.0.6099.109
003-settings.xzm:
- kiosk fix disabled 'Featured experiments' button in the Chrome's UI (navigation bar)
- kiosk fix disabled 'In Product Help' popups in Chrome which appear when you perform certain actions for the first time with private mode disabled: open new tab, play video file, download file
- kiosk fix disabled 'NEW' flag on Google Password Manager in the 3-dot Chrome settings menu
- new feature updated Chrome flags for the 'hardware_video_decode=' parameter. Google switched to a new "Vaapi Video Decoder" which supports additional codecs: h265 and AV1. Right now it works only for Intel Broadwell GPUs and newer. If you use another GPU (e.g. AMD or older Intel) and need hardware video decode feature then you should switch to a Firefox browser as it supports all GPUs which are capable of accelerated video playback.
- new feature added udev rule to allow user 'guest' using the Yubikey products
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.63, intel-microcode-20231114_p20231114, sof-firmware-2023.09.1
001-core:
- upgraded to c-ares-1.21.0, hwdata-0.375, dmidecode-3.5-r3, zlib-1.3-r1, libXrandr-1.5.4, systemd-utils-254.5-r2, xkeyboard-config-2.40, rsyslog-8.2310.0, libxkbcommon-1.6.0, xf86-video-siliconmotion-1.7.10
002-firefox:
- security fix mozilla-firefox-115.5 Changelog: link
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.61
- upgraded AMD microcode to the latest version
001-core:
- security fix xorg-server-21.1.9 Multiple vulnerabilities (CVE-2023-5367, CVE-2023-5380) #916254
- security fix zlib-1.2.13-r2: Buffer overflow (CVE-2023-45853) #916484
- upgraded to hwdata-0.374, ethtool-6.5, acpid-2.0.34-r1, sqlite-3.43.2, harfbuzz-8.2.0
002-firefox:
- security fix mozilla-firefox-115.4 Changelog: link
003-settings.xzm:
- kiosk fix when the address bar is disabled in the Firefox browser then do not allow opening a new tab by double clicking on the empty space in the tab bar area
- kiosk fix removed the 1 pixel white line at the top of the kiosk screen when Firefox works with the navigation bar disabled
- kiosk fix re-enabled 'hinting-slight' feature (previously it broke our gtkdialog apps and had to be disabled) so fonts in kiosk should look much better now
005-thinclient.xzm:
- upgraded to libidn2-2.3.4-r1, libsodium-1.0.19-r1, libvncserver-0.9.14-r1
001-core:
- security fix glibc-2.37-r7 Local Privilege Escalation in ld.so (CVE-2023-4911) #915127
- security fix libxml2-2.11.5-r1: Use-after-free if memory allocation fails (CVE-2023-45322) #915351
- security fix libX11-1.8.7: Multiple vulnerabilities (CVE-2023-43785, CVE-2023-43786, CVE-2023-43787) #915129
- security fix libXpm-3.5.17: Multiple vulnerabilities (CVE-2023-43788, CVE-2023-43789) #915130
- security fix lua-5.4.6: heap buffer overflow in recursive errors (CVE-2022-33099) #856463
- security fix nghttp2-1.57.0: HTTP/2 Rapid Reset vulnerability #915554
- security fix curl-8.4.0: security stabilisation #915569
- upgraded to gcc-13.2.1_p20230826, openssl-3.0.11, nss-3.91, elfutils-0.189-r4, systemd-utils-253.11-r1, libxcb-1.16, libgcrypt-1.10.2, dhcpcd-10.0.3, sshpass-1.09-r1, libinput-1.24.0, freetype-2.13.2, fontconfig-2.14.2-r3, xf86-input-libinput-1.4.0
004-wifi.xzm:
- upgraded to libnl-3.8.0
08-ssh.xzm:
- upgraded to openssh-9.4_p1-r1
10-printing.xzm:
- security fix cups-2.4.7: Buffer overflow when reading Postscript in PPD files (CVE-2023-4504) #914781
- security fix cups-filters-1.28.17-r2: RCE via beh filter (CVE-2023-24805, GHSA-gpxc-v2m8-fr3x) #906944
- upgraded to python-3.10.13, qpdf-11.5.0, ghostscript-gpl-10.02.0
002-firefox:
- security fix mozilla-firefox-115.3.1 Changelog: link
004-wifi.xzm:
- upgraded to wpa_supplicant-2.10-r3, tcl-8.6.13-r1, ppp-2.5.0-r4, crda-4.15-r2
08-ssh.xzm:
- security fix openssh-9.3_p2: Remote code execution in ssh-agent PKCS#11 support (CVE-2023-38408) #910553
001-core:
- security fix tiff-4.5.1: multiple vulnerabilities (CVE-2023-1916, CVE-2023-25434, CVE-2023-26965, CVE-2023-2731) #904424
- upgraded to alsa-ucm-conf-1.2.9, hwdata-0.373, libmd-1.1.0, cronbase-0.3.7-r10, ethtool-6.4, gmp-6.3.0, libpcre-8.45-r2, libpng-1.6.40-r1, gnutls-3.8.0, iw-5.19, libxcrypt-4.4.36, coreutils-9.3-r3, alsa-lib-1.2.9, elfutils-0.189-r1, mtr-0.95-r1, alsa-utils-1.2.9, systemd-utils-253.6, xkeyboard-config-2.39, inih-57, curl-8.1.2, dhcpcd-10.0.2, xfsprogs-6.4.0, libjpeg-turbo-3.0.0, glib-2.76.4, libgudev-238-r1, libwacom-2.7.0, libepoxy-1.5.10-r2, harfbuzz-8.0.1, xorg-server-21.1.8-r2, conky-1.19.2-r1, librsvg-2.56.3, lua-5.4.4-r103
10-printing.xzm:
- upgraded to perl-5.38.0-r1, poppler-data-0.4.12, lcms-2.15, poppler-23.08.0, libpaper-2.1.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.46, intel-microcode-20230808_p20230804
- new kernel and microcode versions fix important vulnerabilities: Intel Downfall, AMD Inception and AMD Zen 1 "Divide By Zero" bug
001-core:
- upgraded VAAPI stack which is required by new Chrome: libva-2.19.0, libva-utils-2.19.0, gmmlib-22.3.7, libva-intel-media-driver-23.2.4
002-chrome:
- major Chrome upgrade upgraded to google-chrome-115.0.5790.170
003-settings.xzm:
- kiosk fix disabled 'High Efficiency' mode for the Chrome browser to prevent discarding of tabs after a certain period of time
- kiosk fix disabled DRI3 support for VAAPI library when hardware video decode is enabled for the Chrome browser (otherwise hardware acceleration won't work)
initrd:
- kiosk fix fixed a bug where the watchdog daemon prevented kiosk reconfiguration on fast-booting systems
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.42, intel-microcode-20230613_p20230520, sof-firmware-2.2.6
- upgraded AMD CPU firmware to latest version from git to fix 'Zenbleed' vulnerabilities
002-firefox:
- major Firefox ESR release mozilla-firefox-115.1.0 changelog: 103.0 104.0 105.0 106.0 107.0 108.0 109.0 110.0 111.0 112.0 113.0 114.0 115.0
003-settings.xzm:
- kiosk fix removed extensions button from the Firefox UI as it allows listing installed extensions and reporting them to Mozilla
- kiosk fix removed 'Firefox view' button from the Firefox UI as it's not needed for kiosk purposes
- kiosk fix removed 'minimize, restore down, close' buttons when Firefox works with 'autohide_navigation_bar=yes' parameter
- kiosk fix start Firefox in kiosk mode (instead of fullscreen) when displaying the screensaver video or screensaver URL
- new feature upgraded Firefox plugins to latest available versions
001-core:
- security fix libX11-1.8.6: Buffer overflows in InitExt.c (CVE-2023-3138) #908549
- security fix shadow-4.13-r4: possible password leak during passwd(1) change #908613
- upgraded to procps-3.3.17-r2, libunistring-1.1-r1, nettle-3.9.1, e2fsprogs-1.47.0-r2, ca-certificates-20230311.3.90, libxml2-2.11.4:2, ntp-4.2.8_p17, libxslt-1.1.38, fribidi-1.0.13, glib-2.76.3, at-spi2-core-2.48.3, librsvg-2.56.1, gtk+-3.24.38
005-thinclient.xzm:
- upgraded to remmina-1.4.31
10-printing.xzm:
- security fix cups-2.4.6: Use-after-free when logging warnings during cupsdAcceptClient failure (CVE-2023-34241) #909018
- security fix ghostscript-gpl-10.01.2: Code execution vulnerability (CVE-2023-36664) #910294
- upgraded to libpaper-2.0.12, perl-5.36.1-r3, net-snmp-5.9.3-r3, libusb-compat-0.1.8, openjpeg-2.5.0-r5, poppler-23.05.0, python-3.10.12, sane-backends-1.2.1
001-core:
- security fix c-ares-1.19.1: Multiple vulnerabilities (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067) #906964
- upgraded to hwdata-0.371, dmidecode-3.5-r2, ethtool-6.3, sysvinit-3.07, coreutils-9.3-r2, wget-1.21.4, sqlite-3.42.0, nspr-4.35-r2, pciutils-3.10.0, xfsprogs-6.3.0, dhcpcd-9.5.1, libjpeg-turbo-2.1.5.1
002-firefox:
- security fix mozilla-firefox-102.12.0 Changelog: link
005-thinclient.xzm:
- upgraded to libgpg-error-1.47, freerdp-2.10.0-r3
001-core:
- security fix openssl-1.1.1u: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650) #907413
- security fix libcap-2.69: Multiple vulnerabilities (CAP-CR-23-02, CVE-2023-2602, CVE-2023-2603, LCAP-CR-23-01) #906461
- security fix libXpm-3.5.16: multiple vulnerabilities (CVE-2022-44617, CVE-2022-46285, CVE-2022-4883) #891209
- upgraded to ncurses-6.4_p20230401, hwdata-0.369, tiff-4.5.0-r2, libfastjson-1.2304.0, libXi-1.8.1, setxkbmap-1.3.4, xinput-1.6.4, coreutils-9.3-r1, rsyslog-8.2304.0, ca-certificates-20230311.3.89.1, gmmlib-22.3.5, libpciaccess-0.17-r1, libevdev-1.13.1, libXaw3d-1.6.5, libva-intel-media-driver-23.1.6, mesa-amber-21.3.9-r1, fontconfig-2.14.2-r2, harfbuzz-7.3.0, libXft-2.3.8, conky-1.17.0-r1, feh-3.10, xf86-video-ati-22.0.0, gtk+-2.24.33-r3
004-wifi.xzm:
- security fix ppp-2.5.0: out-of-bounds read (CVE-2022-4603) #887017
005-thinclient.xzm:
- security fix libssh-0.10.5: Multiple vulnerabilities (CVE-2023-1667, CVE-2023-2283, GHSL-2023-085) #905746
- upgraded to freerdp-2.10.0-r2, remmina-1.4.30
001-core:
- security fix freetype-2.13.0: integer overflow vulnerability (CVE-2023-2004) #881443
- security fix libxml2-2.10.4: Multiple vulnerabilities (CVE-2023-28484, CVE-2023-29469) #904202
- security fix dmidecode-3.5: root privilege escalation via file overwrite (CVE-2023-30630) #905093
- security fix curl-8.0.1: Multiple vulnerabilities (CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538) #902801
- upgraded to libffi-3.4.4-r1, timezone-data-2023c, ethtool-6.2, rsync-3.2.7-r2, libcap-2.68, libfastjson-0.99.9.1, userspace-rcu-0.14.0, libXfixes-6.0.1, libXt-1.3.0, systemd-utils-252.9, zstd-1.5.5, rsyslog-8.2302.0, libcec-6.0.2-r1, iptables-1.8.9, libinput-1.23.0, at-spi2-core-2.48.0, wayland-1.22.0, pango-1.50.14, conky-1.17.0, feh-3.9.1-r1, librsvg-2.56.0, xf86-input-libinput-1.3.0, xf86-input-wacom-1.2.0, openbox-3.6.1-r5
002-firefox:
- security fix mozilla-firefox-102.11.0 Changelog: link
004-wifi.xzm:
- upgraded to ppp-2.4.9-r9
001-core:
- security fix xorg-server-21.1.8 Privilege escalation via use-after-free (CVE-2023-1393) #903547
- security fix shadow-4.13-r3 shadow file manipulation via chfn (CVE-2023-29383) #904518
- upgraded to hwdata-0.367, dmidecode-3.4-r1, libxcrypt-4.4.33, sqlite-3.41.2-r1, libX11-1.8.4-r1, nss-3.79.4, openssl-1.1.1t-r3, util-linux-2.38.1-r2, e2fsprogs-1.47.0-r1, ca-certificates-20211016.3.88.1, stunnel-5.68, curl-7.88.1-r2, xkeyboard-config-2.38, zstd-1.5.4-r3, glib-2.74.6, libnotify-0.8.2, cairo-1.17.8, pango-1.50.13, xf86-video-intel-2.99.917_p20230201, tigervnc-1.13.1, gtk+-3.24.37
002-chrome:
- upgraded to google-chrome-112.0.5615.121
vmlinuz and 000-kernel.xzm:
- upgraded to intel-microcode-20230214_p20230212
- kernel config: compiled DAX driver directly to the vmlinuz image as it's required by PCs which initialize device mapper early during boot
002-chrome:
- major Chrome upgrade upgraded to google-chrome-112.0.5615.49
Tagged as Porteus Kiosk 5.5.0 release
Main features of this release are listed here.
Other changes which sum up this release (new features implemented at the ISO level, bugfixes and package upgrades) are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-6.1.20
- kernel config: enabled watchdog drivers, switched to voluntary kernel preemption, other changes
- upgraded to sof-firmware-2.2.3
- added watchdog-5.16
001-core:
- upgraded to gmmlib-22.3.3, mesa-22.3.7-r1, libva-intel-media-driver-22.6.6
002-firefox:
- security fix mozilla-firefox-102.9.0 Changelog: link
initrd:
- start watchdog as soon as possible if it's enabled in the kiosk's configuration
001-core:
- upgraded to alsa-ucm-conf-1.2.8, alsa-utils-1.2.8-r2, alsa-lib-1.2.8-r1, alsa-plugins-1.2.7.1-r1, ca-certificates-20211016.3.87-r1, ethtool-6.1, popt-1.19, sysvinit-3.06-r1, kmod-30-r1, compose-tables-1.8.4, libX11-1.8.4, systemd-utils-252.7, xfsprogs-6.1.1, logrotate-3.21.0, usbutils-015, libdrm-2.4.115, libwacom-2.6.0, libinput-1.22.1, libxkbcommon-1.5.0, mesa-22.3.6, freetype-2.12.1-r2, fontconfig-2.14.2, cairo-1.17.6-r1, xf86-video-amdgpu-23.0.0, xf86-video-qxl-0.1.6, xf86-video-vmware-13.4.0, tigervnc-1.13.0
003-settings.xzm:
- kiosk fix PXE boot: properly export remote config name so it can be displayed in the Administration Panel of Porteus Kiosk Server
- new feature display the current resolution at the top of available resolutions in the 'monitor settings' application
005-thinclient.xzm:
- upgraded to libgcrypt-1.10.1-r3, remmina-1.4.29-r2
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.16-r8
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.15.96
001-core:
- security fix tiff-4.5.0: multiple vulnerabilities (CVE-2022-2056, CVE-2022-2057, CVE-2022-2058, CVE-2022-2519, CVE-2022-2520, CVE-2022-2521, CVE-2022-2867, CVE-2022-2868, CVE-2022-2869, CVE-2022-2953, CVE-2022-3570, CVE-2022-3597, CVE-2022-3598, CVE-2022-3599, CVE-2022-3626, CVE-2022-3627, CVE-2022-3970) #856478
- upgraded to nspr-4.35-r1, stunnel-5.65-r2, libbsd-0.11.7-r2
003-settings.xzm:
- kiosk fix fixed bug where mouse cursor was visible on the kiosk's screen with 'disable_input_devices=yes' and 'hide_mouse=yes' parameters enabled
08-ssh.xzm:
- security fix openssh-9.2_p1: Pre-authentication double-free (CVE-2023-25136) #892936
10-printing.xzm:
- upgraded to python-3.10.9-r1, libpaper-2.0.4, lcms-2.14-r4, poppler-23.01.0, hplip-3.22.10
001-core:
- security fix xorg-server-21.1.7: Use-after-free in DeepCopyPointerClasses (CVE-2023-0494) #893438
- security fix openssl-{1.1.1t, 3.0.8}: Multiple vulnerabilities (CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0286, CVE-2023-0401) #893446
- upgraded to gmp-6.2.1-r5, libpcre2-10.42-r1, systemd-utils-251.10-r1, shadow-4.13-r2, e2fsprogs-1.46.5-r4, nghttp2-1.51.0, rsyslog-8.2210.0-r2, ntp-4.2.8_p15-r6, glib-2.74.5
- added 'mktemp' utility from the 'coreutils' package as it supports extra flags which are required by the 'update-ca-certificates' script
003-settings.xzm:
- kiosk fix resolved a bug where UEFI component was booting the (old) kiosk system which was installed on the hard drive rather than booting the (new) installation ISO from removable device
- kiosk fix fixed testing of foomatic printer drivers and directly connected printers in the Kiosk Wizard
- new feature start the Xorg session on tty1/VT1 rather than traditionally on VT7 to avoid flipping between VTs (faster and smoother boot experience)
005-thinclient.xzm:
- security fix libvncserver-0.9.14: multiple vulnerabilities #887067
09-x11vnc.xzm:
- security fix libvncserver-0.9.14: multiple vulnerabilities #887067
11-citrix.xzm:
- upgraded to libsecret-0.20.5-r3, libvorbis-1.3.7-r1, speex-1.2.1, libogg-1.3.5-r1, icaclient-23.2.0.10
uefi.zip:
- upgraded to grub-2.06-r5
001-core:
- security fix ca-certificates-20211016.3.86: TrustCor removal (CVE-2022-23491) #884805
- upgraded to gcc-12.2.1_p20230121-r1, hwdata-0.366, coreutils-9.1-r2, libICE-1.1.1-r1, libXau-1.0.11, libXdmcp-1.1.4-r2, libxshmfence-1.3.2, libfontenc-1.1.7, libSM-1.2.4, compose-tables-1.8.3, xcb-util-0.4.1, libxkbfile-1.1.2, libXrandr-1.5.3, libXcomposite-0.4.6, libXdamage-1.1.6, libXScrnSaver-1.2.4, libXv-1.0.12, libXres-1.2.2, xset-1.2.5, xrandr-1.5.2, xcompmgr-1.1.9, xinit-1.4.2, curl-7.87.0-r2, libXpm-3.5.14, wayland-1.21.0-r1, xkbcomp-1.4.6, libglvnd-1.6.0, harfbuzz-6.0.0, xlockmore-5.71, xf86-input-elographics-1.4.3, xf86-video-ast-1.1.6, xf86-video-r128-6.12.1, xf86-video-vesa-2.6.0
002-firefox:
- security fix mozilla-firefox-102.7.0 Changelog: link
003-settings.xzm:
- kiosk fix updated chrome/firefox startup scripts to properly handle '&' characters which may be provided from command line as a part of the URL
001-core:
- security fix xorg-server-21.1.6 (CVE-2022-4283, CVE-2022-46283, CVE-2022-46340, CVE-2022-46341, CVE-2022-46342, CVE-2022-46343, CVE-2022-46344) #885825
- security fix ncurses-6.3_p20220423: segfaulting OOB read (CVE-2022-29458) #839351
- security fix cairo-1.17.6: buffer overwrite vulnerability (CVE-2020-35492) #777123
- security fix glib-2.74.4: Multiple vulnerabilities #887807
- security fix sqlite-3.40.1: insufficient sandboxing of "safe" script execution (CVE-2022-46908) #886029
- security fix curl-7.87.0: multiple vulnerabilities (CVE-2022-43551, CVE-2022-43552) #887745
- upgraded to timezone-data-2022g, libpng-1.6.39, elfutils-0.188, libxcrypt-4.4.28-r2, util-linux-2.38.1, systemd-utils-251.10, shadow-4.13-r1, gmmlib-22.3.0, pciutils-3.9.0, mesa-22.2.5, imlib2-1.9.1-r1, xlockmore-5.69, pango-1.50.12, gtk+-3.24.35, sshpass-1.09
002-chrome:
- upgraded to google-chrome-108.0.5359.124-r1
005-thinclient.xzm:
- upgraded to libidn2-2.3.4, libpsl-0.21.1-r1
10-printing.xzm:
- upgraded to lcms-2.13.1-r3, sane-backends-1.1.1-r13, ghostscript-gpl-10.0.0-r5, perl-5.36.0-r1
001-core:
- security fix libpcre2-10.40: multiple vulnerabilities (CVE-2022-1586, CVE-2022-1587) #845195
- security fix curl-7.86.0: multiple vulnerabilities (CVE-2022-32221, CVE-2022-35260, CVE-2022-42915, CVE-2022-42916) #878365
- upgraded to libffi-3.4.4, timezone-data-2022f-r1, libmnl-1.0.5, libbsd-0.11.7, nettle-3.8.1, openssl-1.1.1s, coreutils-9.1-r1, zlib-1.2.13-r1, ntp-4.2.8_p15-r1, gnutls-3.7.8, libjpeg-turbo-2.1.4, tiff-4.4.0-r2, rsyslog-8.2210.0-r1, xfsprogs-6.0.0, libxml2-2.10.3-r1, libxslt-1.1.37-r1, libpciaccess-0.17, gdk-pixbuf-2.42.10-r1, pixman-0.42.2, libevdev-1.13.0, libwacom-2.5.0, xkeyboard-config-2.37, libXau-1.0.10, libdrm-2.4.114, libxshmfence-1.3.1, libfontenc-1.1.6, libXfont2-2.0.6, xcb-util-renderutil-0.3.10, xcb-util-keysyms-0.4.1, xcb-util-wm-0.4.2, libXext-1.3.5, libXrender-0.9.11, libxkbfile-1.1.1, libXmu-1.1.4, libXft-2.3.6, libXinerama-1.1.5, libglvnd-1.5.0, libXxf86vm-1.1.5, imlib2-1.7.5-r1, libXtst-1.2.4, libXaw3d-1.6.4, xsetroot-1.1.3, systemd-utils-251.8-r1, llvm-15.0.5, mesa-22.2.3, xcb-util-image-0.4.1, xcb-util-cursor-0.1.4
004-wifi.xzm:
- upgraded to libnl-3.7.0
10-printing.xzm:
- upgraded to python-3.8.16, net-snmp-5.9.3-r1, qpdf-10.6.3-r1, lcms-2.13.1-r2, openjpeg-2.5.0-r4, sane-backends-1.1.1-r7, cups-2.4.2-r6, ghostscript-gpl-10.0.0-r4, poppler-22.11.0-r1
- added poppler-data-0.4.11-r2.tbz2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.15.81, intel-microcode-20221108_p20221102
002-chrome:
- major Chrome upgrade upgraded to google-chrome-108.0.5359.94
003-settings.xzm:
- kiosk fix removed obsolete Chrome flags which are no longer needed for hardware video decode
- kiosk fix keep the 'mesa-amber' EGL vendor config empty otherwise modesetting driver cannot be used with upgraded 'mesa' package
001-core:
- security fix ntfs3g-2022.10.3: code execution via malicious filesystem (CVE-2022-40284) #878885
- security fix nss-3.79.2: tstclnt crash when accessing gnutls server without user cert #877169
- security fix curl-7.85.0: control code in cookie denial of service (CVE-2022-35252) #867679
- upgraded to timezone-data-2022f, hwdata-0.364, libpng-1.6.38, zstd-1.5.2-r3, elfutils-0.187-r2, libcap-2.66, acpid-2.0.34, libva-2.16.0, libva-utils-2.16.0, libva-intel-driver-2.4.1-r4, libva-intel-media-driver-22.5.4, feh-3.9.1, stunnel-5.64-r2, rsyslog-8.2208.0-r1, iptables-1.8.8-r5, glibc-2.36-r5, ca-certificates-20211016.3.83, lm-sensors-3.6.0-r1, gmmlib-22.2.1, glib-2.74.1-r1, libwacom-2.4.0, xf86-input-wacom-1.1.0, conky-1.13.1, gdk-pixbuf-2.42.10, harfbuzz-5.3.1-r1, pango-1.50.11, librsvg-2.55.1, at-spi2-core-2.46.0, adwaita-icon-theme-43_p1
- added c-ares-1.18.1
002-firefox:
- security fix mozilla-firefox-102.5. Changelog: link
005-thinclient.xzm:
- security fix freerdp-2.9.0: multiple vulnerabilities (CVE-2022-39316, CVE-2022-39317, CVE-2022-39318, CVE-2022-39319, CVE-2022-39320, CVE-2022-39347, CVE-2022-41877) #8815225
- upgraded to libgpg-error-1.46-r1, libgcrypt-1.10.1-r2, libsoup-2.74.3
10-printing.xzm:
- security fix ghostscript-gpl-9.56.1: null pointer dereference (CVE-2022-2085) #852944
- upgraded to lcms-2.13.1-r1, perl-5.34.1-r4, pnm2ppa-1.13-r2
001-core:
- upgraded to expat-2.5.0, nspr-4.35, imlib2-1.7.5, e2fsprogs-1.46.5-r3, xfsprogs-5.18.0-r1, libxml2-2.10.3
005-thinclient.xzm:
- upgraded to freerdp-2.8.1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.15.74
- security fix this release fixes several critically important wifi stack vulnerabilities in the linux kernel: link
- kernel config: added DRM driver for Hyper-V Gen2 VMs. Gen1 machines cause trouble and still default to the framebuffer driver. DRM driver offers much faster 2D scrolling and allows setting a custom screen resolution (you are no longer forced to use FullHD resolution).
001-core:
- upgraded to sqlite-3.39.4, libxml2-2.10.2, libxslt-1.1.37, gmmlib-22.1.8, lua-5.3.6-r102, libva-intel-driver-2.4.1-r3, cairo-1.16.0-r6, librsvg-2.54.4-r1, gtk+-3.24.34-r1, gtk+-2.24.33-r2
005-thinclient.xzm:
- upgraded to libsodium-1.0.18_p20220618
06-fonts.xzm:
- upgraded to liberation-fonts-2.1.5
001-core:
- upgraded to sysvinit-3.05, expat-2.4.9, zstd-1.5.2-r2, userspace-rcu-0.13.2, nss-3.79.1, systemd-utils-251.4-r2, rsyslog-8.2206.0-r1
002-firefox:
- security fix mozilla-firefox-102.3. Changelog: link
005-thinclient.xzm:
- upgraded to libvncserver-0.9.13-r1, libssh-0.10.4
001-core:
- upgraded to bzip2-1.0.8-r3, timezone-data-2022c, hwdata-0.361, dmidecode-3.4, zstd-1.5.2-r1, attr-2.5.1-r2, libcap-2.65, kmod-30, nspr-4.34.1, systemd-utils-251.4-r1, ca-certificates-20211016.3.80, inih-56-r1, iptables-1.8.8-r4, libnotify-0.8.1, libva-2.15.0, libva-utils-2.15.0, libva-intel-media-driver-22.4.4, freetype-2.12.1-r1, harfbuzz-5.1.0, pango-1.50.9
005-thinclient.xzm:
- upgraded to libidn2-2.3.3, libgcrypt-1.9.4-r2, remmina-1.4.27, libdbusmenu-16.04.0-r2
10-printing.xzm:
- security fix cups-2.4.2: Bad certificate verification for local authorisation (CVE-2022-26691) #847625
- security fix poppler-22.09.0: JBIG2 integer overflow to code execution (CVE-2021-30860, CVE-2022-38784) #867958
- upgraded to libidn-1.41, net-snmp-5.9.3, openjpeg-2.5.0-r2, ghostscript-gpl-9.55.0-r2
vmlinuz and 000-kernel.xzm:
- added missing wireless firmware: iwlwifi-Qu-c0-jf-b0-66.ucode
001-core:
- security fix zlib-1.2.12-r3: buffer overread in inflateGetHeader() (CVE-2022-37434) #863851
- security fix gnutls-3.7.7: Double free in PKCS7 signature verification (CVE-2022-2509) #861803
- security fix libtasn1-4.19.0: Out of bounds read #866237
- upgraded to libffi-3.4.2-r2, timezone-data-2022a, shadow-4.12.3, html-xml-utils-7.8-r1, gmmlib-22.1.7, dbus-1.14.0-r4, lua-5.3.6-r5, glib-2.72.3, wmctrl-1.07-r3, freetype-2.12.1, pango-1.50.8
003-settings.xzm:
- new feature 'homepage_append=' parameter will properly add requested info to homepage URLs which already have the query arguments, sample: "https://domain.com?argument=1" becomes "https://domain.com?argument=1&kiosk=hostname"
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.15.60, intel-microcode-20220809_p20220809
- kernel config: enabled bluetooth support, userspace still needs the firmware and bluetooth manager application for pairing devices (must be added through the ISO customization)
002-chrome:
- major Chrome upgrade upgraded to google-chrome-104.0.5112.79-r1
003-settings.xzm:
- kiosk fix disabled autoupdate of Chrome internal components (e.g. widevine plugin) as without persistence enabled it causes the updated components to be downloaded during every session restart
- kiosk fix disabled 'Share this page' button in the Chrome URL bar
- kiosk fix disabled 'Bookmark this tab' button in the Chrome URL bar
- new feature added support for 'MD5' authentication protocol in 802.1x wired networks ('wired_authentication=eapol' parameter)
001-core:
- security fix openssl-1.1.1q: broken AES-OCB encryption on x86 (CVE-2022-2097) #856592
- security fix sqlite-3.39.2: buffer overflow (CVE-2022-35737) #863431
- security fix rsyslog-8.2206.0: Potential heap buffer overflow in TCP syslog server (receiver) components (CVE-2022-24903) #842846
- security fix logrotate-3.20.0: Unprivileged DoS via state file (CVE-2022-1348) #847382
- security fix xorg-server-21.1.4 security stabilisation #858140
- upgraded to glibc-2.35-r8, alsa-lib-1.2.7.2, alsa-ucm-conf-1.2.7.2, alsa-utils-1.2.7-r1, alsa-plugins-1.2.7.1, libxcrypt-4.4.28-r1, wget-1.21.3-r1, stunnel-5.64-r1, libxcb-1.15-r1, compose-tables-1.8.1, libX11-1.8.1, gmmlib-22.1.4, pciutils-3.8.0-r1, xmodmap-1.0.11, xev-1.2.5, libxcvt-0.1.2, libdrm-2.4.112, xcb-util-cursor-0.1.3-r4, wayland-1.21.0, libepoxy-1.5.10-r1, mesa-progs-8.5.0, tigervnc-1.12.0-r7, harfbuzz-4.4.1, xf86-input-synaptics-1.9.2, xf86-video-mga-2.0.1
003-settings.xzm:
- kiosk fix properly handle the URLs containing the '&' character when browser is started by another app (e.g. Zoom's authorization through Google) or from the command line
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.15.55
- kernel config: enabled ASUS WMI driver, enabled hardware monitoring support for NVME bus so device temperatures can be viewed in the debug log or by executing the 'sensors' command over SSH
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-102.0.1 changelog: 92.0 93.0 94.0 95.0 96.0 97.0 98.0 99.0 100.0 101.0 102.0
003-settings.xzm:
- kiosk fix disabled autoupdate of Firefox plugins. Without persistence enabled it causes the updated plugins to be downloaded during every session restart.
- kiosk fix fixed a bug where Firefox would not open on an entire screen when running with navigation bar disabled and was restarted from Porteus Kiosk Server or over SSH ('killall firefox' command)
- kiosk fix disabled 'Open previous tabs' popup which appears in the Firefox browser when persistence is enabled and the kiosk PC is rebooted or powered off (unclean shutdown)
- kiosk fix hide the PDF download button in Firefox's PDF viewer when downloads are disabled in the system
- new feature added support for downloading components and updates from our domain mirrors. System installation and update time should be shorter now. Please ensure that your company network allows connecting to the mirror servers - update/reconfiguration process will notify about this when needed.
001-core:
- security fix curl-7.84.0: multiple vulnerabilities (CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208) #854708
- upgraded to traceroute-2.1.0-r2, elfutils-0.187, acpid-2.0.33, rsync-3.2.4-r3, nspr-4.34, tiff-4.4.0, systemd-utils-250.7, nghttp2-1.47, rsyslog-8.2112.0-r1, dbus-1.12.22-r2, gmmlib-22.1.3, glib-2.72.2, libinput-1.21.0-r1, libnotify-0.7.12, libva-intel-media-driver-22.4.3, fontconfig-2.14.0-r1, harfbuzz-4.3.0, librsvg-2.54.4
002-firefox:
- security fix mozilla-firefox-91.11.0. Changelog: link
001-core:
- security fix pacparser-1.4.0: Memory overwrite vulnerability #844736
- security fix zlib-1.2.12-r2: security stabilisation #836303
- upgraded to glibc-2.34-r13, libffi-3.4.2-r1, libltdl-2.4.7, gnutls-3.7.6, libfastjson-0.99.9-r1, libestr-0.1.11-r1, sqlite-3.38.5, rsyslog-8.2112.0, libxcb-1.15, xkeyboard-config-2.36, libxkbcommon-1.4.1, libdrm-2.4.111, llvm-14.0.4, mesa-22.0.5, mesa-amber-21.3.9, harfbuzz-4.2.1, xorg-server-21.1.3-r3, tigervnc-1.12.0-r6, xf86-input-libinput-1.2.1, adwaita-icon-theme-42.0_p2
004-wifi.xzm:
- upgraded to wireless-regdb-2022060, ppp-2.4.9-r8
- added tcl-8.6.12
005-thinclient.xzm:
- upgraded to libgpg-error-1.45, vte-0.68.0
10-printing.xzm:
- upgraded to perl-5.34.1-r3, qpdf-10.6.3, python-3.8.13, poppler-22.05.0, lcms-2.13.1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.15.44, intel-microcode-20220510_p20220508
- kernel config: added support for storage devices formatted with an exFAT filesystem
001-core:
- security fix rsync-3.2.4: Vulnerability in bundled zlib #838724
- security fix libxml2-2.9.14: Integer overflows in xmlBuf and xmlBuffer #842261
- security fix ntfs3g-2022.5.17: multiple vulnerabilities (CVE-2022-30783, CVE-2022-30784, CVE-2022-30785, CVE-2022-30786, CVE-2022-30787, CVE-2022-30788, CVE-2022-30789) #847598
- upgraded to expat-2.4.8, libbsd-0.11.6, userspace-rcu-0.13.1, sqlite-3.38.3, nss-3.68.4, libjpeg-turbo-2.1.3, fribidi-1.0.12, atk-2.38.0, glib-2.72.1, pango-1.50.7, at-spi2-core-2.44.1, librsvg-2.54.3, gtk+-3.24.34, adwaita-icon-theme-42.0, libusb-1.0.26
- added systemd-utils-250.6
- removed udev-249.6-r2
001-core:
- security fix openssl-1.1.1o: Multiple vulnerabilities #842489
- security fix ncurses-6.3_p20220423: segfaulting OOB read (CVE-2022-29458) #839351
- upgraded to sqlite-3.38.2, compose-tables-1.7.5, libX11-1.7.5, libXcursor-1.2.1, curl-7.83.1, dbus-1.12.22-r1, libevdev-1.12.1, xkeyboard-config-2.35.1, libxkbcommon-1.4.0, setxkbmap-1.3.3, libdrm-2.4.110, e2fsprogs-1.46.5-r1, libva-2.14.0, mesa-22.0.3, libepoxy-1.5.10, libva-intel-media-driver-22.3.1, xorg-server-21.1.3-r2, xf86-video-amdgpu-22.0.0, tigervnc-1.12.0-r5, hwdata-0.358, wget-1.21.3, pciutils-3.8.0, libtasn1-4.18.0, inih-55, libva-utils-2.14.0, libcap-2.64
- added mesa-amber-21.3.8, libunwind-1.6.2
002-firefox:
- security fix mozilla-firefox-91.9.1. Changelog: link
005-thinclient.xzm:
- security fix libpcre2-10.40: multiple vulnerabilities (CVE-2022-1586, CVE-2022-1587) #845195
- security fix freerdp-2.7.0: multiple vulnerabilities (CVE-2022-24882, CVE-2022-24883) #842231
08-ssh:
- security fix openssh-8.9_p1-r2: Command injection via scp (CVE-2020-15778) #733802
vmlinuz and 000-kernel.xzm:
- upgraded to intel-microcode-20220419_p20220421
- kernel config: compiled 'vmd' driver directly into kernel to allow booting from the NVME drives which are managed by the VMD controller
002-chrome:
- major Chrome upgrade upgraded to google-chrome-101.0.4951.54
WARNING: if you use the 'browser_preferences=' parameter then you may need to update your preferences file, as a number of Chrome policies have been deprecated in Chrome 101:
ExtensionInstallWhitelist replaced by ExtensionInstallAllowlist
ExtensionInstallBlacklist replaced by ExtensionInstallBlocklist
URLWhitelist replaced by URLAllowlist
URLBlacklist replaced by URLBlocklist
003-settings.xzm:
- kiosk fix disabled 'show side panel' button on Chrome UI by default
001-core:
- security fix libinput-1.20.1: format string vulnerability when using xf86-input-libinput (CVE-2022-1215) #839729
- security fix freetype-2.12.0: multiple vulnerabilities (CVE-2022-27404, CVE-2022-27405, CVE-2022-27406) #840224
- upgraded to ncurses-6.3_p20211106, alsa-topology-conf-1.2.5.1, alsa-ucm-conf-1.2.6.3, alsa-lib-1.2.6.1, alsa-utils-1.2.6, alsa-plugins-1.2.6, sqlite-3.38.1, dhcpcd-9.4.1, gmmlib-22.1.2, harfbuzz-3.4.0-r1, xf86-video-vmware-13.3.0-r1
003-settings.xzm:
- kiosk fix whitelist 'zoommtg' protocol for Chrome by default otherwise zoom connections cannot be established using the web client
005-thinclient.xzm:
- upgraded to libpcre2-10.39-r1, shared-mime-info-2.2, freerdp-2.6.1, remmina-1.4.25
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.15.33
001-core:
- security fix nss-3.68.3: Memory safety issues with PKCS#11 tokens #836386
- upgraded to libpcre-8.45-r1, sysvinit-3.01, sqlite-3.38.0, curl-7.79.1-r1, libplatform-2.1.0.1-r2, libvdpau-1.5, iptables-1.8.7-r2, freetype-2.11.1
- added traceroute-2.1.0-r1
002-firefox:
- security fix mozilla-firefox-91.8.0. Changelog: link
004-wifi.xzm:
- upgraded to wireless-regdb-20220408
Tagged as Porteus Kiosk 5.4.0 release
Main features of this release are listed here.
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
002-firefox:
- security fix mozilla-firefox-91.7.1. Changelog: link
003-settings.xzm:
- kiosk fix switching to a secondary keyboard layout will no longer allow using keyboard combinations which are blocked in the system by default
- new feature added support for remote config URLs which contain appended parameters, e.g. https://domain.com/kiosk-config.php?device=nuc&sound=0.3
001-core:
- security fix openssl-1.1.1n: infinite loop when using invalid curve parameters in BN_mod_sqrt() (CVE-2022-0778) #835343
- upgraded to expat-2.4.7, libcap-2.63, nss-3.68.2-r1, gnutls-3.7.3-r1, fribidi-1.0.11, glib-2.70.4, at-spi2-core-2.42.0, mesa-21.3.7, libva-intel-media-driver-22.1.0-r1, xorg-server-21.1.3-r1, pango-1.50.4, librsvg-2.52.6, pangomm-2.46.2, gtk+-3.24.31, adwaita-icon-theme-41.0
002-firefox:
- security fix mozilla-firefox-91.7.1. Changelog: link
004-wifi.xzm:
- upgraded to wpa_supplicant-2.10-r1
005-thinclient.xzm:
- upgraded to vte-0.66.2
10-printing.xzm:
- upgraded to qpdf-10.5.0, sane-backends-1.1.1-r2, poppler-22.01.0
11-citrix.xzm:
- upgraded to libsecret-0.20.5, icaclient-22.3.0.24
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-5.15.28
- upgraded to sof-firmware-1.9.3-r1
001-core:
- security fix gnutls-3.7.3: Memory corruption in gnutls_x509_trust_list_verify_crt2() (GNUTLS-SA-2022-01-17) #831573
- security fix libxml2-2.9.13: multiple vulnerabilities (CVE-2022-23308) #833809
- security fix libxslt-1.1.35: use-after-free in xsltApplyTemplates (CVE-2021-30560) #833508
- upgraded to timezone-data-2021e, hwdata-0.354, zstd-1.5.2, expat-2.4.6, libxcrypt-4.4.27, openssl-1.1.1m, ntfs3g-2021.8.22-r3, gmmlib-22.0.2, logrotate-3.19.0, libva-intel-media-driver-22.1.0
- added libcec-6.0.2, libplatform-2.1.0.1-r1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-98.0.4758.102
003-settings.xzm:
- kiosk fix disabled 'share this page' button on Chrome's URL bar by default
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.10.101, intel-microcode-20220207_p20220207
001-core:
- security fix util-linux-2.37.4: Partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline (CVE-2022-0563) #833365
- upgraded to nspr-4.33, mtr-0.95, libICE-1.0.10-r1, libXdmcp-1.1.3-r1, mesa-21.3.5
002-firefox:
- security fix mozilla-firefox-91.6.0. Changelog: link
003-settings.xzm:
- kiosk fix Firefox browser will open URLs which require domain authentication without asking for user confirmation
001-core:
- security fix expat-2.4.4: multiple vulnerabilities (CVE-2022-23852, CVE-2022-23990) #831918
- security fix util-linux-2.37.3: multiple vulnerabilities (CVE-2021-3995, CVE-2021-3996) #831978
- security fix shadow-4.11.1: TOCTOU race condition in usermod/userdel (CVE-2013-4235) #830486
- upgraded to sqlite-3.37.2, nss-3.68.2, gmmlib-21.3.5, libinput-1.19.3, elogind-246.10-r2, libva-intel-media-driver-21.4.3, harfbuzz-3.2.0, gtk+-3.24.30, glib-2.70.2
003-settings.xzm:
- new feature if default GPU driver fails during the Xorg server initialization then automatically use other drivers in the following order: modesetting, fbdev, vesa until the desktop is started properly
005-thinclient.xzm:
- upgraded to json-glib-1.6.6-r1, libsoup-2.74.2, remmina-1.4.23-r1
001-core:
- security fix expat-2.4.3: multiple vulnerabilities (CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827) #830422
- upgraded to glibc-2.33-r7, compose-tables-1.7.3, libX11-1.7.3, wget-1.21.2, libevdev-1.12.0, libglvnd-1.4.0, libdrm-2.4.109, wayland-1.20.0, libva-2.13.0-r2, mesa-21.3.4, feh-3.7.2, xorg-server-21.1.3
- added libxcrypt-4.4.25-r1, libxcvt-0.1.1
002-firefox:
- security fix mozilla-firefox-91.5.0. Changelog: link
- new feature enabled OpenH264 plugin by default as it's needed for WebRTC streams
005-thinclient.xzm:
- security fix libgcrypt-1.9.4: ElGamal plaintext recovery (CVE-2021-40528) #811900
10-printing.xzm:
- upgraded to libidn-1.38-r1, perl-5.34.0-r6, qpdf-10.4.0, sane-backends-1.0.32, cups-2.3.3_p2-r3, ghostscript-gpl-9.55.0-r1, poppler-21.11.0, cups-filters-1.28.10-r1, foomatic-db-engine-4.0.12-r1, python-3.8.12_p1-r1, dbus-python-1.2.18, hplip-3.21.10
001-core:
- upgraded to e2fsprogs-libs-1.46.4-r1, ethtool-5.15, elfutils-0.186, libcap-2.62, xfsprogs-5.14.2, shadow-4.9-r4, gcc-11.2.0
- added userspace-rcu-0.13.0
08-ssh:
- security fix openssh-8.8_p1: Multiple vulnerabilities #815010
initrd:
- use native 'vboxvideo' driver instead of 'vesafb' for displaying the splash screen when booting on the VirtualBox platform
- use 'vesafb' driver for displaying the splash screen when the proprietary nVidia driver is available in the system (custom builds only)
vmlinuz and 000-kernel.xzm:
- kiosk fix maintain firmware symlinks according to the WHENCE file
001-core:
- security fix ntfs3g-2021.8.22: Multiple vulnerabilities (CVE-2021-33285, CVE-2021-33286, CVE-2021-33287, CVE-2021-33289, CVE-2021-35266, CVE-2021-35267, CVE-2021-35268, CVE-2021-35269, CVE-2021-39251, CVE-2021-39252, CVE-2021-39253, CVE-2021-39254, CVE-2021-39255, CVE-2021-39256, CVE-2021-39257, CVE-2021-39258, CVE-2021-39259, CVE-2021-39260, CVE-2021-39261, CVE-2021-39262, CVE-2021-39263) #811156
- upgraded to libmd-1.0.4, libpciaccess-0.16-r1, gmmlib-21.3.3, libwacom-1.12, harfbuzz-3.1.1, udev-249.6-r2, pciutils-3.7.0-r2, usbutils-014-r1, gmp-6.2.1-r2, openssl-1.1.1l-r1, xdotool-3.20211022.1, mesa-21.2.6, imlib2-1.7.1-r2, xorg-server-1.20.14
- added hwdata-0.353
- removed hwids-20210613-r2
002-chrome:
- upgraded to google-chrome-96.0.4664.110
002-firefox:
- security fix mozilla-firefox-91.4.0. Changelog: link
003-settings.xzm:
- new feature reduce the number of required connections to PK Server from 5 to 3. This optimization lowers the server overhead when multiple clients are booting at the same time ('rtc_wake=' parameter is used).
004-wifi.xzm:
- upgraded to ppp-2.4.9-r5, wpa_supplicant-2.9-r8
005-thinclient.xzm:
- upgraded to remmina-1.4.21, libpcre2-10.39
08-ssh.xzm:
- upgraded to openssh-8.7_p1-r3
001-core:
- security fix rsync-3.2.3-r5: improper TLS validation in rsync-ssl script (CVE-2020-14387) #792576
- upgraded to dbus-1.12.20-r4, hwids-20210613-r2, libva-2.13.0-r1, libva-utils-2.13.0, libva-intel-media-driver-21.3.5
- added udev-249-r3
- removed eudev-3.2.10-r1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-96.0.4664.45
001-core:
- upgraded to ncurses-6.2_p20210619, nspr-4.32, nss-3.70, libXi-1.8, libxslt-1.1.34-r2, nghttp2-1.45.1-r1, shadow-4.9-r3, llvm-13.0.0, gmmlib-21.3.1, libglvnd-1.3.4, libxkbcommon-1.3.1, xkeyboard-config-2.34, libinput-1.19.2, mesa-21.2.5, libepoxy-1.5.9-r1, libva-intel-driver-2.4.1-r1, mesa-progs-8.4.0-r1, cairo-1.16.0-r5, libXft-2.3.4, libXfont2-2.0.5, pango-1.48.10-r1, xf86-input-libinput-1.2.0, xf86-video-amdgpu-21.0.0
002-firefox:
- security fix mozilla-firefox-91.3.0. Changelog: link
005-thinclient.xzm:
- upgraded to freerdp-2.4.1-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.10.76
003-settings.xzm:
- kiosk fix disabled 'Restore pages' Chrome popup which could appear when kiosk is rebooted with full persistence enabled
- kiosk fix enable the hardware video decode also for screensaver video and screensaver webpage functions when relevant parameters are present in the kiosk config
- new feature added support for .der certificates to 'import_certificates=' parameter
Tagged as Porteus Kiosk 5.3.0 release
Wizard 5.3.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.10.73
001-core:
- security fix libjpeg-turbo-2.1.1: Out of bounds read (CVE-2021-37972) #814206
- security fix curl-7.79.0: Multiple vulnerabilities (CVE-2021-22945, CVE-2021-22946, CVE-2021-22947) #813270
- upgraded to e2fsprogs-libs-1.46.4, e2fsprogs-1.46.4, compose-tables-1.7.2-r1, mtr-0.94-r1, nghttp2-1.44.0-r1, shadow-4.9-r2, gmmlib-21.2.1, xdotool-3.20210903.1, stunnel-5.59, util-linux-2.37.2-r1, libusb-1.0.24-r2, pciutils-3.7.0-r1, usbutils-014, glib-2.68.4, libgudev-237-r1, libnotify-0.7.9-r1, freetype-2.11.0-r1, harfbuzz-2.9.1, pango-1.48.10
002-firefox:
- security fix mozilla-firefox-91.2.0. Changelog: link
005-thinclient.xzm:
- security fix libssh-0.9.6: Heap buffer overflow (CVE-2021-3634) #810517
- security fix libgcrypt-1.8.8: ElGamal sidechannel leak (CVE-2021-33560) #795480
- upgraded to libidn2-2.3.2, shared-mime-info-2.1, remmina-1.4.20-r1
10-printing.xzm:
- security fix ghostscript-gpl-9.54.0-r1: arbitrary code execution vulnerability (CVE-2021-3781) #812509
- security fix perl-5.34.0-r2: perl-core/Encode-3.120: Encode.pm loads code from outside expected @INC (CVE-2021-36770) #807307
- upgraded to net-snmp-5.9.1-r1, gutenprint-5.3.4-r2
001-core:
- added libinput-1.18.1, xf86-input-libinput-1.1.0
003-settings.xzm:
- new feature use 'libinput' as default input driver and fallback to 'evdev' only in case the touchscreen was calibrated in kiosk 5.2.0 release or older
- new feature enabled native touch gestures support in the Firefox browser: scrolling, swiping, pinch to zoom, etc.
- new feature updated 'disable_zoom_controls=' parameter to control the 'pinch to zoom' touch gesture in the Firefox browser
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.10.63, intel-microcode-20210608_p20210830
002-chrome:
- major Chrome upgrade upgraded to google-chrome-93.0.4577.82
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-91.1.0 changelog: 79.0 80.0 81.0 82.0 83.0 84.0 85.0 86.0 87.0 88.0 89.0 90.0 91.0
003-settings.xzm:
- kiosk fix disabled 'Reading List' in the Chrome browser by default
- kiosk fix disabled 'Ctrl+Shift+B' key combination by default as it allows toggling the bookmarks bar in the Firefox browser
- kiosk fix removed 'star button' from Firefox's URL bar as it allows bookmarking webpages with a single mouse click
- kiosk fix added access to 'about:certificates' in Firefox so users can view the certificates which are available for the browser and also view the certificate of untrusted sites
05-flash.xzm:
- *removed* as Firefox 91 ESR does not support the flash NPAPI plugin anymore. Flash standalone applications can still be supported through the customized kiosk builds.
001-core:
- security fix openssl-1.1.1l: multiple vulnerabilities (CVE-2021-3711, CVE-2021-3712) #809980
- upgraded to libxdg-basedir-1.2.3, libbsd-0.11.3, eudev-3.2.10-r1, libxml2-2.9.12-r5, dbus-1.12.20-r3, dbus-glib-0.112, at-spi2-core-2.40.3, libwacom-1.11, libva-2.12.0, mesa-21.1.7, libva-utils-2.12.0, harfbuzz-2.8.2-r1, pango-1.48.7-r1, imlib2-1.6.1-r2
002-firefox:
- security fix mozilla-firefox-78.13.0. Changelog: link
004-wifi.xzm:
- upgraded to usb_modeswitch-2.6.1
001-core:
- security fix curl-7.78.0: Multiple vulnerabilities (CVE-2021-22922, CVE-2021-22923, CVE-2021-22925, CVE-2021-22926) #803308
- upgraded to kmod-29, llvm-12.0.1, libtasn1-4.17.0, gnutls-3.7.2, libdrm-2.4.107, xkeyboard-config-2.33, mesa-21.1.6, xorg-server-1.20.13-r1, conky-1.12.2, tigervnc-1.9.0-r2
005-thinclient.xzm:
- upgraded to libpcre2-10.37-r2, libsodium-1.0.18_p20210617, freerdp-2.3.2, remmina-1.4.20
- added libappindicator-12.10.1_p20200706, libdbusmenu-16.04.0-r1
001-core:
- upgraded to cronbase-0.3.7-r8, zstd-1.5.0, openssl-1.1.1k-r1, util-linux-2.36.2-r1, libpcre-8.45, procps-3.3.17-r1, nghttp2-1.43.0-r2, shadow-4.8.1-r4, logrotate-3.18.1-r1
10-printing.xzm:
- upgraded to perl-5.34.0, libidn-1.37, libpaper-1.1.28, qpdf-10.3.2, net-snmp-5.9-r5, cups-2.3.3_p2-r2, poppler-21.07.0
001-core:
- security fix glibc-2.33-r1: Use-after-free in mq_notify (CVE-2021-33574) #792261
- upgraded to elfutils-0.185, libdrm-2.4.106, libX11-1.7.2, llvm-12.0.0, mesa-21.1.4, at-spi2-core-2.40.2, glib-2.68.3-r1, pango-1.48.7, librsvg-2.50.7
004-wifi.xzm:
- upgraded to ppp-2.4.9-r4
005-thinclient.xzm:
- upgraded to remmina-1.4.18, vte-0.64.2
11-citrix.xzm:
- upgraded to libogg-1.3.5
001-core:
- upgraded to timezone-data-2021a-r1, sqlite-3.35.5, hwids-20210613-r1, libjpeg-turbo-2.1.0-r2
004-wifi.xzm:
- upgraded to wvstreams-4.6.1_p14-r2, ppp-2.4.9-r3
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.16-r7
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.10.45, intel-microcode-20210608_p20210608
001-core:
- upgraded to elfutils-0.184, glib-2.68.2-r1, libxml2-2.9.12-r3, hwids-20210613, nghttp2-1.41.0-r2, curl-7.77.0-r1, pango-1.48.5-r1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-91.0.4472.114
003-settings.xzm:
- kiosk fix blocked 'Ctrl+Shift+N' keyboard shortcut to prevent opening new Chrome window in the incognito mode
- kiosk fix blocked 'Alt+Shift+i' keyboard shortcut to prevent opening the feedback form when Chrome browser is used
- kiosk fix disabled 'Caret browsing' feature by default for Firefox and Chrome browsers
004-wifi.xzm:
- upgraded to wpa_supplicant-2.9-r5
005-thinclient.xzm:
- upgraded to libidn2-2.3.1, libgpg-error-1.42, libsoup-2.72.0-r1, opus-1.3.1-r2
11-citrix.xzm:
- upgraded to icaclient-21.3.0.38
001-core:
- security fix libX11-1.7.1: missing request length checks (CVE-2021-31535) #790824
- security fix curl-7.77.0: multiple vulnerabilities (CVE-2021-22898, CVE-2021-22901) #792192
- upgraded to glibc-2.33, alsa-topology-conf-1.2.4, alsa-ucm-conf-1.2.4, expat-2.4.1, attr-2.5.1, zlib-1.2.11-r4, alsa-lib-1.2.4, libdrm-2.4.105, ca-certificates-20210119.3.66, libxml2-2.9.12-r2, glib-2.68.2, shadow-4.8.1-r3, rsync-3.2.3-r4, wget-1.21.1, libwacom-1.9, xkeyboard-config-2.32, nss-3.63.1-r1, alsa-utils-1.2.4, libxkbcommon-1.3.0, libXfixes-6.0.0, libjpeg-turbo-2.1.0-r1, libglvnd-1.3.3, xkbcomp-1.4.5, libXres-1.2.1, libXaw-1.0.14, gdk-pixbuf-2.42.6, at-spi2-core-2.40.1, elogind-246.10-r1, mesa-21.0.3, harfbuzz-2.8.1, pango-1.48.5, xf86-input-wacom-0.40.0, gtk+-3.24.29, gtk+-2.24.33, libcap-2.49, adwaita-icon-theme-40.1.1m, tiff-4.3.0
002-firefox:
- security fix mozilla-firefox-78.11.0. Changelog: link
004-wifi.xzm:
- upgraded to wireless-regdb-20210421
005-thinclient.xzm:
- upgraded to libpcre2-10.36-r1, usbredir-0.9.0, libsoup-2.72.0, vte-0.64.1
08-ssh.xzm:
- security fix openssh-8.6_p1: theoretical sandbox escape in rare logging configuration #784896
10-printing.xzm:
- upgraded to lcms-2.12, qpdf-10.3.1, net-snmp-5.9-r3, sane-backends-1.0.31-r2, poppler-21.05.0, perl-5.32.1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.10.38, intel-microcode-20210216_p20210514, sof-firmware-1.6.1
001-core:
- upgraded to dmidecode-3.3, sysvinit-2.99, inih-53, e2fsprogs-libs-1.46.2, libxml2-2.9.12, gnutls-3.7.1, iptables-1.8.7, dhcpcd-9.4.0-r1, usbutils-013-r1, ntfs3g-2017.3.23.5-r1, e2fsprogs-1.46.2, conky-1.12.1-r1
001-core:
- security fix curl-7.76.1: multiple vulnerabilities (CVE-2021-22876, CVE-2021-22890) #779535
- upgraded to ethtool-5.10, libusb-1.0.24-r1, logrotate-3.18.0, xlockmore-5.66
005-thinclient.xzm:
- upgraded to json-glib-1.6.2, remmina-1.4.13
06-fonts.xzm:
- upgraded to liberation-fonts-2.1.3
001-core:
- security fix xorg-server-1.20.11 - Input validation failures in X server XInput extension #782679
- upgraded to sysvinit-2.98-r1, util-linux-2.36.2, rsync-3.2.3-r3, fribidi-1.0.10, xinit-1.4.1-r1, nss-3.63.1, gdk-pixbuf-2.42.4, ca-certificates-20210119.3.64
- added dmidecode-3.2
003-settings.xzm:
- kiosk fix fixed scaling function for video outputs working in mirroring mode and having a similar name, e.g. DP1 and eDP1
004-wifi.xzm:
- upgraded to ppp-2.4.9-r2, usb_modeswitch-2.6.0
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.16-r5
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-5.10.29, intel-microcode-20210216_p20210221
- added sof-firmware-1.5.1
001-core:
- security fix stunnel-5.58: Multiple vulnerabilities (CVE-2021-20230) #772146
- security fix nettle-3.7.2: potential incorrect validation (CVE-2021-20305) #78483
- upgraded to gmp-6.2.1-r1, nspr-4.30, nss-3.63, libfastjson-0.99.9, rsyslog-8.2102.0, pciutils-3.7.0, procps-3.3.17, mesa-20.3.5, gtk+-3.24.26
002-firefox:
- security fix mozilla-firefox-78.9.0. Changelog: link
005-thinclient.xzm:
- upgraded to remmina-1.4.12
08-ssh.xzm:
- security fix openssh-8.5_p1: Double-free in ssh-agent (CVE-2021-28041) #774090
001-core:
- security fix openssl-1.1.1k: multiple vulnerabilities (CVE-2021-3449, CVE-2021-3450) #777681
- security fix libxml2-2.9.10-r5: Buffer Overflow vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c (CVE-2020-24977) #749849
- upgraded to bzip2-1.0.8-r1, zstd-1.4.9, libunistring-0.9.10-r1, elfutils-0.183, sqlite-3.34.1, ca-certificates-20210119.3.62, xset-1.2.4-r1, xlockmore-5.65-r1, xsetroot-1.1.2-r1, xrefresh-1.0.6-r1, llvm-11.1.0, xf86-video-qxl-0.1.5_p20200205
005-thinclient.xzm:
- upgraded to libgpg-error-1.41, libgcrypt-1.8.7
Tagged as Porteus Kiosk 5.2.0 release
Main features of this release are listed here.
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
001-core:
- security fix glibc-2.32-r7: buffer overread in iconv (CVE-2019-25013) #764176
- upgraded to dosfstools-4.2, libdrm-2.4.104, rsync-3.2.3-r2, e2fsprogs-libs-1.45.7, libXt-1.2.1, libevdev-1.11.0, dhcpcd-9.3.4, e2fsprogs-1.45.7, libgudev-234, at-spi2-core-2.38.0, at-spi2-atk-2.38.0, libva-2.10.0, libva-utils-2.10.0, mesa-20.3.4, libepoxy-1.5.5, harfbuzz-2.7.4, xf86-video-nouveau-1.0.17, librsvg-2.50.3, adwaita-icon-theme-3.38
- added gmmlib-20.4.1, libva-intel-media-driver-20.4.5
002-firefox:
- security fix mozilla-firefox-78.8.0. Changelog: link
005-thinclient.xzm:
- upgraded to json-glib-1.6.0, vte-0.62.3, remmina-1.4.11
10-printing.xzm:
- upgraded to qpdf-10.1.0, poppler-21.02.0
001-core:
- security fix openssl-1.1.1j: multiple vulnerabilities (CVE-2021-23840, CVE-2021-23841) #769785
- security fix glib-2.66.7: Integer overflow (CVE-2021-27218, CVE-2021-27219, GHSL-2021-045) #768753
- upgraded to timezone-data-2021a, llvm-11.0.1
004-wifi.xzm:
- upgraded to wireless-regdb-20201120, iw-5.9
10-printing.xzm:
- security fix openjpeg-2.4.0: Multiple vulnerabilities (CVE-2019-12973, CVE-2020-15389, CVE-2020-27814, CVE-2020-27841, CVE-2020-27842, CVE-2020-27843, CVE-2020-27844, CVE-2020-27845) #718918
- upgraded to cups-2.3.3-r2, ghostscript-gpl-9.53.3-r5, cups-filters-1.28.7
001-core:
- upgraded to glibc-2.32-r6, timezone-data-2020f, feh-3.6.1, kmod-28, eudev-3.2.10, xorg-server-1.20.10-r2, volumeicon-0.5.1-r2, gtkdialog-0.8.3_p20200202
004-wifi.xzm:
- upgraded to jimtcl-0.78-r2
06-fonts.xzm:
- upgraded to liberation-fonts-2.1.2
001-core:
- security fix freetds-1.2.18: Buffer overflow (CVE-2019-13508) #718950
- upgraded to timezone-data-2020e, expat-2.2.10, zlib-1.2.11-r3, tiff-4.2.0, e2fsprogs-libs-1.45.6, libvdpau-1.4, logrotate-3.17.0, lua-5.3.6-r2, dhcpcd-8.1.9-r1, xfsprogs-5.10.0-r1, xlockmore-5.50-r1, e2fsprogs-1.45.6, conky-1.11.6-r2, mesa-20.2.6, xf86-video-intel-2.99.917_p20201215
- added inih-52
003-settings.xzm:
- kiosk fix blocked 'Shift+F12' keyboard shortcut by default as it gives access to the 'accessibility inspector' in the Firefox browser
004-wifi.xzm:
- upgraded to ppp-2.4.8-r1
005-thinclient.xzm:
- upgraded to shared-mime-info-2.0-r2, remmina-1.4.10
08-ssh.xzm:
- upgraded to openssh-8.4_p1-r3
002-chrome:
- major Chrome upgrade upgraded to google-chrome-87.0.4280.141
002-firefox:
- security fix mozilla-firefox-78.6.1. Changelog: link
05-flash.xzm:
- downgraded to adobe-flash-32.0.0.330 as this version still works despite being EOL-ed by Adobe
001-core:
- security fix dbus-1.12.20: use after free if duplicate UIDs #755392
- security fix curl-7.74.0: Multiple vulnerabilities (CVE-2020-8284, CVE-2020-8285, CVE-2020-8286) #759259
- security fix gdk-pixbuf-2.42.2: infinite loop in GIF handling (CVE-2020-29385) #759094
- upgraded to glibc-2.32-r3, zstd-1.4.5, gmp-6.2.1, elfutils-0.182, usbutils-013, libjpeg-turbo-2.0.6, feh-3.6, hsetroot-1.0.5
005-thinclient.xzm:
- upgraded to lz4-1.9.3
08-ssh.xzm:
- upgraded to openssh-8.4_p1-r2
09-x11vnc.xzm:
- security fix x11vnc-0.9.16-r4: Insecure permissions on shm (CVE-2020-29074) #756841
10-printing.xzm:
- upgraded to jbig2dec-0.19, qpdf-10.0.4, poppler-20.11.0, ghostscript-gpl-9.53.3-r4, dymo-cups-drivers-1.4.0-r2, gutenprint-5.3.3-r2, cups-filters-1.28.3
- added libidn-1.36
11-citrix.xzm:
- upgraded to speex-1.2.0-r2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.82, intel-microcode-20201112_p20201116-r1
001-core:
- security fix openssl-1.1.1i: Denial of service in X509 parser (CVE-2020-1971) #759079
- security fix xorg-server-1.20.10: Multiple vulnerabilities (CVE-2020-14360, CVE-2020-25712) #757882
- upgraded to timezone-data-2020d, hwids-20201207, libxml2-2.9.10-r4, libXau-1.0.9-r1, libxshmfence-1.3-r2, libevdev-1.10.0, libdrm-2.4.103, xkeyboard-config-2.31, libX11-1.7.0, libxkbcommon-1.0.3, xkbcomp-1.4.4, libXtst-1.2.3-r2, mesa-20.2.4, xf86-video-vesa-2.5.0, adwaita-icon-theme-3.36.1-r1
- added compose-tables-1.7.0
003-settings.xzm:
- kiosk fix disabled Chrome update notification on screensaver video and screensaver URL
001-core:
- upgraded to popt-1.18, libpng-1.6.37-r2, sysvinit-2.97, libusb-1.0.23-r1, rsyslog-8.2008.0, llvm-11.0.0, mesa-20.2.3, dbus-1.12.20
002-firefox:
- security fix mozilla-firefox-78.5.0. Changelog: link
003-settings.xzm:
- kiosk fix stop the screensaver video before locking the session (session_idle_action=lock). There is no point in playing the video if nothing is visible on the kiosk screen.
005-thinclient.xzm:
- security fix libssh-0.9.5: Null pointer dereference (CVE-2020-16135) #734624
- new feature recompiled Remmina with CUPS support so it's possible to redirect local printers to remote RDP session
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.77, intel-microcode-20201110_p20201110
001-core:
- security fix nss-3.58: Tighten CCS handling for middlebox compatibility mode in TLS 1.3 handshake (CVE-2020-25648) #750254
- upgraded to gcc-9.3.0-r1, glibc-2.32-r2, attr-2.4.48-r4, nspr-4.29, libXfixes-5.0.3-r3, libXrender-0.9.10-r2, libXv-1.0.11-r2, libXinerama-1.1.4-r1, libSM-1.2.3-r1, libXxf86vm-1.1.4-r2, fontconfig-2.13.1-r2
001-core:
- security fix freetype-2.10.3-r1: Heap buffer overflow in malformed ttf files (CVE-2020-15999) #750275
- upgraded to alsa-topology-conf-1.2.3, alsa-ucm-conf-1.2.3, alsa-lib-1.2.3.2-r1, alsa-utils-1.2.3, rsync-3.2.3-r1, libjpeg-turbo-2.0.5-r2
10-printing.xzm:
- upgraded to lcms-2.11, libieee1284-0.2.11-r8, net-snmp-5.9-r2, poppler-0.90.1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.72
001-core:
- upgraded to libva-intel-driver-2.4.1, elfutils-0.181, nspr-4.28, nss-3.56, libglvnd-1.3.2-r2, acpid-2.0.32-r2, mesa-20.1.10
002-firefox:
- security fix mozilla-firefox-78.3.1. Changelog: link
003-settings.xzm:
- kiosk fix disabled 'Shift+F9' key combination which opens the "Storage Inspector" console in the Firefox browser
- kiosk fix disabled the possibility of dropping a URL on the tabs bar so it's not possible to open a new tab if the address bar is disabled
- kiosk fix disabled the possibility of dropping a URL on the home button so it's not possible to change the homepage which was set in the kiosk config
- kiosk fix disabled the possibility of dropping a URL on the bookmarks toolbar so it's not possible to add a new bookmark or change the position of existing bookmarks which are managed through the kiosk config
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.445
Tagged as Porteus Kiosk 5.1.0 release
Main features of this release are listed here.
Other changes which sum up this release: new features implemented at the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.69, intel-microcode-20200616_p20200921
001-core:
- upgraded to sqlite-3.33.0, kmod-27-r2, libxml2-2.9.10-r3, llvm-10.0.1, libglvnd-1.3.2-r1, harfbuzz-2.7.2, libva-2.7.1, mesa-20.1.8
002-chrome:
- upgraded to google-chrome-85.0.4183.121
003-settings.xzm:
- new feature added VAAPI info to the debug log so it's quick to find which video codecs can be hardware decoded by the GPU
004-wifi.xzm:
- upgraded to libnl-3.5.0
001-core:
- security fix gnutls-3.6.15: Null-pointer deref in TLS 1.3 client (CVE-2020-24659) #740390
- upgraded to ethtool-5.8-r1, xcb-util-renderutil-0.3.9-r3, xcb-util-keysyms-0.4.0-r2, xcb-util-wm-0.4.1-r3, xcb-util-0.4.0-r2, xcb-util-image-0.4.0-r2, xcb-util-cursor-0.1.3-r3, xev-1.2.4, libevdev-1.9.1, xf86-video-fbdev-0.5.0-r1, mesa-20.1.7
- added libglvnd-1.3.2, wayland-1.18.0
002-chrome:
- upgraded to google-chrome-85.0.4183.102
003-settings.xzm:
- kiosk fix load the driver for USB audio devices with a slight delay to make sure it uses the last sound card slot. This is to prevent breaking our 'default_sound_card=' parameter with random slot assignment.
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.433
11-citrix.xzm:
- upgraded to libogg-1.3.4, libvorbis-1.3.7
001-core:
- security fix libX11-1.6.12: Double free in locale handling (CVE-2020-14363) #738984
- security fix libxml2-2.9.10: multiple vulnerabilities (CVE-2019-20388, CVE-2020-7595) #710748
- security fix curl-7.72.0: May use wrong connection to submit data if CURLOPT_CONNECT_ONLY (CVE-2020-8231) #737990
- security fix libpcre-8.44: Multiple vulnerabilities (CVE-2019-20838, CVE-2020-14155) #717920
- upgraded to coreutils-8.32-r1, ethtool-5.8, libjpeg-turbo-2.0.5-r1, rsync-3.2.3, procps-3.3.16-r2, iptables-1.8.5, libxslt-1.1.34-r1, shadow-4.8-r5, atk-2.36.0, at-spi2-core-2.36.0, librsvg-2.48.8, gtk+-3.24.22, adwaita-icon-theme-3.36.1, glib-2.64.5, libnotify-0.7.9
002-chrome:
- major Chrome upgrade upgraded to google-chrome-85.0.4183.83
003-settings.xzm:
- kiosk security fix disabled 'irc://' and 'ircs://' handlers for Firefox which could allow an attacker to unlock the default browser profile and run other applications. Vulnerability reported by Offensive Security company - thank you!
- kiosk security fix ensure that Firefox profile folder is not symlinked to another folder when pushing a managed bookmark file to it. Symlinked profile directory could lead to gaining root access and compromising the system. Vulnerability reported by Offensive Security company - thank you!
005-thinclient.xzm:
- upgraded to libgpg-error-1.38, libgcrypt-1.8.6, libpcre2-10.35, vte-0.60.3
08-ssh.xzm:
- upgraded to openssh-8.1_p1-r4
001-core:
- security fix nss-3.55: Multiple vulnerabilities (CVE-2020-12400, CVE-2020-12401, CVE-2020-12403) #734986
- security fix nspr-4.26: Multiple vulnerabilities (CVE-2020-12400, CVE-2020-12401, CVE-2020-12403) #734986
- security fix libX11-1.6.10: Multiple vulnerabilities (CVE-2020-14344) #734974
- security fix libxml2-2.9.10: multiple vulnerabilities (CVE-2019-20388, CVE-2020-7595) #710748
- security fix libxslt-1.1.34: multiple vulnerabilities (CVE-2019-20388, CVE-2020-7595) #710748
- upgraded to glibc-2.31-r6, libffi-3.3-r2, hwids-20200813.1
005-thinclient.xzm:
- security fix freerdp-2.2.0: Integer overflow in rdpegfx channel (CVE-2020-15103) #733328
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.414
10-printing.xzm:
- security fix jbig2dec-0.18: Buffer overflow in jbig2_image_compose (CVE-2020-12268) #729730
- security fix ghostscript-gpl-9.52: Multiple vulnerabilities (CVE-2020-15900, CVE-2020-16287, CVE-2020-16288, CVE-2020-16289, CVE-2020-16290, CVE-2020-16291, CVE-2020-16292, CVE-2020-16293, CVE-2020-16294, CVE-2020-16295, CVE-2020-16296, CVE-2020-16297, CVE-2020-16298, CVE-2020-16299, CVE-2020-16300, CVE-2020-16301, CVE-2020-16302, CVE-2020-16303, CVE-2020-16304, CVE-2020-16305, CVE-2020-16306, CVE-2020-16307, CVE-2020-16308, CVE-2020-16309, CVE-2020-16310, CVE-2020-17538) #734322
- upgraded to net-snmp-5.8.1_pre1-r1, python-2.7.18-r1, sane-backends-1.0.30-r2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.55
001-core:
- security fix sqlite-3.32.3-r1: Multiple vulnerabilities #732604
- upgraded to elfutils-0.180, rsync-3.2.2-r1, freetype-2.10.2-r1, rsyslog-8.2004.0, libdrm-2.4.102, libxkbcommon-0.10.0-r1, xkeyboard-config-2.30, cairo-1.16.0-r4, xorg-server-1.20.8-r1
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-78.1 changelog: 69.0 70.0 71.0 72.0 73.0 74.0 75.0 76.0 77.0 78.0
003-settings:
- new feature "silent_printing=yes" parameter is working again for the Firefox browser after Mozilla fixed the relevant function
004-wifi.xzm:
- upgraded to wireless-tools-30_pre9-r1
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.403
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.52
001-core:
- security fix curl-7.71.0: Multiple vulnerabilities (CVE-2020-8169, CVE-2020-8177) #729374
- security fix ntp-4.2.8_p15: Memory leak allowing denial of service (CVE-2020-15025) #729458
- upgraded to llvm-10.0.0, nettle-3.6-r2, util-linux-2.35.2, pciutils-3.6.4, usbutils-012, harfbuzz-2.6.7, gtk+-3.24.20
10-printing.xzm:
- kiosk fix Remove 'og' permissions from the CUPS usb backend as some printers cannot be discovered otherwise.
- security fix perl-5.30.3: multiple vulnerabilities (CVE-2020-10543, CVE-2020-10878, CVE-2020-12723) #723792
- security fix openldap-2.4.50: Denial of service via nested boolean expressions in LDAP search filters (CVE-2020-12243) #719960
- upgraded to net-snmp-5.8-r5, python-2.7.18, dbus-python-1.2.16, poppler-0.88.0-r1, cups-filters-1.27.4, cups-2.3.3-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.49, intel-microcode-20200616_p20200617
001-core:
- security fix dbus-1.12.18: Denial of service via file descriptor leak (CVE-2020-12049) #727104
- security fix libjpeg-turbo-2.0.4-r1: Buffer overflow in get_rgb_row() via malformed PPM file (CVE-2020-13790) #727010
- upgraded to html-xml-utils-7.7, rsync-3.2.0-r1, iw-5.4, pixman-0.40.0, mesa-20.0.8, xorg-server-1.20.8
003-settings:
- kiosk fix start the "hide mouse" process with a 5 second delay to have the Xorg session fully set
005-thinclient.xzm:
- security fix libvncserver-0.9.13: Multiple vulnerabilities (CVE-2020-14396, CVE-2020-14397, CVE-2020-14398, CVE-2020-14399, CVE-2020-14400, CVE-2020-14401, CVE-2020-14402, CVE-2020-14403, CVE-2020-14404, CVE-2020-14405) #728594
- upgraded to remmina-1.4.5
09-x11vnc.xzm:
- security fix libvncserver-0.9.13: Multiple vulnerabilities (CVE-2020-14396, CVE-2020-14397, CVE-2020-14398, CVE-2020-14399, CVE-2020-14400, CVE-2020-14401, CVE-2020-14402, CVE-2020-14403, CVE-2020-14404, CVE-2020-14405) #728594
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.46, intel-microcode-20200609_p20200601
001-core:
- security fix gnutls-3.6.14: Flaw in TLS session ticket key construction (CVE-2020-13777) #727108
- security fix nss-3.52.1: Timing attack on DSA signatures (CVE-2020-12399) #726842
- upgraded to pacparser-1.3.7-r1, libtasn1-4.16.0, ca-certificates-20200601.3.53, xf86-video-intel-2.99.917_p20200515
002-chrome:
- upgraded to google-chrome-83.0.4103.97
002-firefox:
- critical security fix mozilla-firefox-68.9.0. Changelog: link
003-settings:
- kiosk fix 'shutdown_menu=' parameter: activate lock function only when session or root password are set
005-thinclient.xzm:
- thinclient fix create pty nodes by default as they are needed for Remmina SSH connection
- upgraded to freerdp-2.1.1-r1
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.387
11-citrix.xzm:
- upgraded to icaclient-20.04.0.21
- kiosk fix ctxusb daemon is disabled by default as some users experience random session disconnects because of it
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.43, intel-microcode-20200508_p20200508
001-core:
- upgraded to harfbuzz-2.6.5, conky-1.10.8-r9
002-chrome:
- major Chrome upgrade upgraded to google-chrome-83.0.4103.61
003-settings:
- kiosk fix disabled Ctrl+Shift+d keyboard shortcut by default
005-thinclient.xzm:
- security fix freerdp-2.1.1: Multiple vulnerabilities (CVE-2020-13396, CVE-2020-13397, CVE-2020-13398) #724380
- upgraded to remmina-1.4.3
001-core:
- security fix ncurses-6.2: multiple vulnerabilities (CVE-2019-17594, CVE-2019-17595) #698210
- security fix ntp-4.2.8_p14: Multiple vulnerabilities (CVE-2020-11868) #717798
- upgraded to timezone-data-2020a, alsa-topology-conf-1.2.2, alsa-ucm-conf-1.2.2, alsa-lib-1.2.2-r1, alsa-utils-1.2.2, ethtool-5.4, nettle-3.5.1-r1, wget-1.20.3-r3, xvkbd-4.1, util-linux-2.35.1-r2, openbox-3.6.1-r3
002-firefox:
- critical security fix mozilla-firefox-68.8.0. Changelog: link
005-thinclient.xzm:
- security fix freerdp-2.1.0: Multiple vulnerabilities (CVE-2020-11017, CVE-2020-11018, CVE-2020-11019, CVE-2020-11038, CVE-2020-11039, CVE-2020-11040, CVE-2020-11041, CVE-2020-11042, CVE-2020-11043, CVE-2020-11044, CVE-2020-11045, CVE-2020-11046, CVE-2020-11047, CVE-2020-11048, CVE-2020-11049, CVE-2020-11058, CVE-2020-11521, CVE-2020-11522, CVE-2020-11523, CVE-2020-11524, CVE-2020-11525, CVE-2020-11526) #716830
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.371
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.36, intel-microcode-20191115_p20200429
001-core:
- upgraded to glibc-2.30-r8, openssl-1.1.1g, nettle-3.5.1, fribidi-1.0.9, libpcre-8.43, dhcpcd-8.1.9, ntfs3g-2017.3.23-r3, glib-2.62.6, atk-2.34.1, at-spi2-core-2.34.0, at-spi2-atk-2.34.2
003-settings:
- kiosk fix disabled completion panel on the virtual keyboard by default as it may reveal passwords which the user enters during the session
005-thinclient.xzm:
- upgraded to libsoup-2.70.0, freerdp-2.0.0-r1, vte-0.58.3
001-core:
- upgraded to openssl-1.1.1f, libxcb-1.14, curl-7.69.1, gnutls-3.6.13, libevdev-1.9.0, fuse-2.9.9-r1, feh-3.3, gtk+-3.24.16, xf86-video-intel-2.99.917_p20200310
002-firefox:
- critical security fix mozilla-firefox-68.7. Changelog: link
005-thinclient.xzm:
- security fix libvncserver-0.9.12-r5: heap buffer overflow in HandleCursorShape() (CVE-2019-15690) #714054
- upgraded to libssh-0.9.4, libpcre2-10.34
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.363
09-x11vnc.xzm:
- security fix libvncserver-0.9.12-r5: heap buffer overflow in HandleCursorShape() (CVE-2019-15690) #714054
11-citrix.xzm:
- upgraded to icaclient-19.12.0.19
- enabled microphone and webcam in the Citrix session by default
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.30
- kernel config: enabled EFI stub support which is needed to boot the kiosk on some HP PCs equipped with the EFI firmware
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.28
- kernel config: the busybox's modprobe applet does not load PHY drivers which are needed to initialize NICs. Compiled broadcom and realtek PHY drivers directly into kernel to resolve PXE booting issues.
001-core:
- upgraded to gmp-6.2.0-r1, nspr-4.25, shadow-4.8-r4, nss-3.51, libjpeg-turbo-2.0.4
002-chrome:
- upgraded to google-chrome-80.0.3987.149
004-wifi.xzm:
- upgraded to crda-4.14
005-thinclient.xzm:
- security fix libidn2-2.2.0: Improper roundtrip checks when converting A-labels to U-labels (CVE-2019-12290) #697752
- upgraded to usbredir-0.8.0
06-fonts.xzm:
- upgraded to liberation-fonts-2.1.0
10-printing.xzm:
- upgraded to dbus-python-1.2.14, openjpeg-2.3.1-r1, poppler-0.85.0
11-citrix.xzm:
- security fix libvorbis-1.3.6-r1: multiple vulnerabilities (CVE-2018-10392, CVE-2018-10393) #699862
vmlinuz and 000-kernel.xzm:
- upgraded to linux-5.4.25
001-core:
- upgraded to coreutils-8.31-r1, kmod-26-r5, mtdev-1.1.6, sqlite-3.31.1, libxkbcommon-0.10.0, shadow-4.8-r3, hwids-20200306, curl-7.68.0, xkeyboard-config-2.29, xkbcomp-1.4.3, libwacom-1.1, llvm-9.0.1, mesa-19.3.5, xorg-server-1.20.7, xf86-input-wacom-0.39.0, xf86-video-intel-2.99.917_p20191209
002-chrome:
- upgraded to google-chrome-80.0.3987.132
004-wifi.xzm:
- upgraded to ppp-2.4.8
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.344
08-ssh.xzm:
- upgraded to openssh-8.1_p1-r3
Tagged as Porteus Kiosk 5.0.0 release
Wizard 5.0.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented at the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-5.4.23
001-core:
- security fix glib-2.60.7-r2: Mishandling of proxy_addr field in GSocketClient may lead to proxy being ignored (CVE-2020-6750) #710514
- upgraded to xfsprogs-5.4.0-r1, acpid-2.0.32-r1, librsvg-2.40.21
002-chrome:
- upgraded to google-chrome-80.0.3987.122
002-firefox.xzm:
- upgraded to mozilla-firefox-68.5.0
003-settings:
- new feature added support for displaying TIFF files in the Firefox browser. TIFF files are converted to the PDF format first so it's possible to view them directly in the browser. This function requires 'enable_file_protocol=yes' parameter present in the kiosk config.
08-ssh.xzm:
- upgraded to openssh-8.1_p1-r2
10-printing.xzm:
- upgraded to python-2.7.17-r1, gutenprint-5.3.3
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.102, intel-microcode-20191115_p20200209
001-core:
- security fix openssl: rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) #702176
- security fix e2fsprogs-1.45.5: out of bounds write on filesystem check (CVE-2019-5188) #709374
- upgraded to gcc-9.2.0-r2, libffi-3.3-r1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-80.0.3987.100
003-settings:
- kiosk fix disabled 'browser reset prompt' by default in the Firefox browser. This prompt may appear when full persistence is enabled and the kiosk was not used for a while.
- new feature added virtual keyboard to the 'session password' window so it's possible to start the kiosk session without a physical keyboard
- new feature sync NTP time every day to keep the system clock updated for kiosks which are not rebooted for a long time (e.g. 6 months).
004-wifi.xzm:
- upgraded to wpa_supplicant-2.9-r2
005-thinclient.xzm:
- upgraded to lz4-1.9.2
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.330
10-printing.xzm:
- upgraded to hplip-3.18.12-r1, net-snmp-5.8-r3, python-2.7.17, libpaper-1.1.24_p5
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.101
001-core:
- upgraded to alsa-lib-1.2.1.2, alsa-utils-1.2.1, imlib2-1.6.1, glib-2.60.7-r1, gtk+-3.24.13
- added alsa-topology-conf-1.2.1, alsa-ucm-conf-1.2.1.2
003-settings:
- kiosk fix fix mouse events on ncurses apps (mc, alsamixer) when logging to the kiosk over SSH from the 'xterm-256color' terminal
- new feature give the user 60 seconds to perform an action in order to stop shutting down the PC when the 'halt_idle=' parameter is used
005-thinclient.xzm:
- upgraded to libvncserver-0.9.12-r4
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.314
09-x11vnc.xzm:
- upgraded to libvncserver-0.9.12-r4
003-settings:
- kiosk fix disable Chrome update popup also on browser instance which is used for displaying the screensaver video/webpage
- kiosk fix ensure to kill only the browser process when screensaver webpage is running and Xorg session is restarted
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.94
001-core:
- security fix fribidi-1.0.8: stack buffer overflow in the fribidi_get_par_embedding_levels_ex() function in lib/fribidi-bidi.c (CVE-2019-18397) #699338
- upgraded to rsyslog-8.1911.0-r1, xfsprogs-5.4.0, libxml2-2.9.9-r3, libXpm-3.5.13, libvdpau-1.3, mesa-19.2.8, libepoxy-1.5.4, xorg-server-1.20.6, xf86-input-wacom-0.38.0
002-firefox.xzm:
- critical security fix mozilla-firefox-68.4.1. Changelog: link
003-settings:
- kiosk fix 'persistence=full' parameter: remove Chrome's SingletonLock file by default to avoid 'Chrome profile' locked message when hostname is changed
- kiosk fix reuse Chrome profile in full for screensaver video/webpage purposes. Some extensions can be forced through global policies as we want to keep their settings in the new Chrome instance which is used to play the screensaver.
08-ssh.xzm:
- kiosk fix recompiled openssh package with support for obsolete keys as many kiosk users still use older SSH clients
001-core:
- upgraded to glibc-2.29-r7, ncurses-6.1_p20190609, gnutls-3.6.7-r1, fribidi-1.0.7, nss-3.47.1-r1, glib-utils-2.60.7, glib-2.60.7, gdk-pixbuf-2.40.0, atk-2.32.0, at-spi2-core-2.32.1, at-spi2-atk-2.32.0, gtk+-3.24.11, adwaita-icon-theme-3.32.0
003-settings:
- kiosk fix 'volume_level=' parameter: set the sound level for every audio device present in the system and not just the first one
005-thinclient.xzm:
- upgraded to libssh-0.9.3, libsoup-2.66.4, vte-0.56.4
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.303
001-core:
- security fix nss-3.47.1: Out-of-bounds write when passing an output buffer smaller than the block size to NSC_EncryptUpdate (CVE-2019-11745) #701840
- upgraded to elfutils-0.177, sqlite-3.30.1, stunnel-5.55, libxml2-2.9.9-r2
002-firefox.xzm:
- critical security fix mozilla-firefox-68.3.0. Changelog: link
10-printing.xzm:
- security fix tiff-4.1.0: multiple vulnerabilities (CVE-2018-19210, CVE-2019-17546, CVE-2019-6128) #699868
- upgraded to poppler-0.82.0, perl-5.30.1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.86, intel-microcode-20191115_p20191110
001-core:
- security fix libjpeg-turbo-2.0.3: several integer overflows and subsequent segfaults when attempting to compress/decompress gigapixel images (CVE-2019-2201) #699830
- upgraded to kmod-26-r3, attr-2.4.48-r3, libbsd-0.10.0, libxkbcommon-0.9.1, libdrm-2.4.100, libX11-1.6.9, xkeyboard-config-2.28, rsyslog-8.1910.0-r1, harfbuzz-2.6.4, libnotify-0.7.8, xf86-video-ati-19.1.0, xf86-video-amdgpu-19.1.0, mesa-19.1.8, volumeicon-0.5.1-r1
005-thinclient.xzm:
- thinclient fix fixed Citrix standalone application by switching to the latest 'selfservice' utility which utilizes the webkitgtk2 package, also added all required dependencies
- upgraded to remmina-1.3.6-r1, shared-mime-info-1.10-r1
- added libsodium-1.0.18
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.293
09-x11vnc.xzm:
- security fix libvncserver-0.9.12-r3: memory leak allows attacker to read stack memory (CVE-2019-15681) #699036
001-core:
- security fix curl-7.66.0: multiple vulnerabilities (CVE-2019-5481, CVE-2019-5482) #694020
- upgraded to kmod-26-r2, eudev-3.2.9, libgudev-233-r1, libusb-1.0.21-r1, pciutils-3.5.6-r1
004-wifi.xzm:
- security fix wpa_supplicant-2.9-r1: multiple vulnerabilities (CVE-2019-{13377,16275}) #696030
005-thinclient.xzm:
- security fix libpcre2-10.33-r1: multiple vulnerabilities #699052
10-printing.xzm:
- security fix ghostscript-gpl-9.50: multiple vulnerabilities (CVE-2019-14811, CVE-2019-14812, CVE-2019-14813, CVE-2019-14817) #693002
- upgraded to qpdf-9.0.2, jbig2dec-0.17-r1, cups-filters-1.25.11
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.80
001-core:
- security fix rsyslog-8.1910.0: multiple vulnerabilities (CVE-2019-17041, CVE-2019-17042) #697464
- upgraded to timezone-data-2019c, sqlite-3.29.0, hwids-20191025, gdk-pixbuf-2.38.1-r1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-78.0.3904.70
002-firefox.xzm:
- critical security fix mozilla-firefox-68.2.0. Changelog: link
003-settings:
- kiosk fix added '-noxdamage' flag to the x11vnc startup script to prevent VNC crashes on some kiosks
005-thinclient.xzm:
- security fix libgcrypt-1.8.5: ECDSA side-channel attack (CVE-2019-13627) #693108
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.270
08-ssh.xzm:
- upgraded to openssh-8.0_p1-r4
10-printing.xzm:
- upgraded to openldap-2.4.48, python-2.7.16
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.77
001-core:
- security fix e2fsprogs-1.45.4: maliciously corrupted file systems can trigger buffer overruns in the quota code used by e2fsck (CVE-2019-5094) #695522
- upgraded to libffi-3.3_rc0, e2fsprogs-libs-1.45.4
003-settings:
- kiosk fix hide Firefox's tab bar when 'toggle_tabs=' parameter is used. Regression introduced after upgrading to Firefox 68.x.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.75, intel-microcode-20190918_p20190918
001-core:
- security fix openssl-1.0.2t: multiple vulnerabilities (CVE-2019-1547, CVE-2019-1549, CVE-2019-1563) #694162
- security fix expat-2.2.8: Heap buffer overread (CVE-2019-15903) #694362
- upgraded to gmp-6.1.2-r1, libpciaccess-0.16, libICE-1.0.10, libevdev-1.8.0, libXfont2-2.0.4, setxkbmap-1.3.2, xinput-1.6.3, xrandr-1.5.1, libdrm-2.4.99, llvm-8.0.1, mesa-19.1.7
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.255
Tagged as Porteus Kiosk 4.9.0 release
Wizard 4.9.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented at the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
001-core:
- upgraded to feh-3.2.1, nspr-4.22, nss-3.46, rsyslog-8.1904.0-r1, xvkbd-4.0, glib-2.60.6, harfbuzz-2.6.1, libwacom-0.33, gtk+-3.24.10
002-firefox.xzm:
- critical security fix mozilla-firefox-68.1.0. Changelog: link
003-settings:
- new feature enable dictionary on the xvkbd virtual keyboard by default
- new feature 'homepage_check=' parameter will restart network service approx every 10 minutes if homepage is not found
- new feature if 'session_idle=' parameter is enabled then users have up to 30 seconds to cancel session restart/lock instead of 5 seconds
- new feature when 'session_idle_forced=' parameter is used then no 'session restart' notification will be displayed as this parameter is used mostly for digital signage
10-printing.xzm:
- security fix tiff-4.0.10-r2: Integer overflow in _TIFFCheckMalloc() and other implementation-defined behaviour (CVE-2019-14973) #693394
- security fix openjpeg-2.3.1: Multiple vulnerabilities (CVE-2018-5727, CVE-2018-5785, CVE-2018-6616) #646774
- upgraded to poppler-0.79.0-r1
11-citrix.xzm:
- upgraded to icaclient-19.8.0.29
xorg-server-1.20.x fullscreen issue seems to be fixed now in latest Citrix package so we have removed our own tweaks for emulating the fullscreen mode
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.68, intel-microcode-20190618_p20190819
001-core:
- security fix pango-1.42.4-r2: Buffer overflow (CVE-2019-1010238) #692110
- upgraded to timezone-data-2019b-r1, hwids-20190818, libva-2.5.0-r1, libva-intel-driver-2.3.0
002-chrome:
- upgraded to google-chrome-76.0.3809.100
002-firefox.xzm:
- critical security fix mozilla-firefox-68.0.2. Changelog: link
003-settings:
- kiosk fix 'client_id=automatic' - ensure the port is not already used by other kiosk or process when registering new client ID
004-wifi.xzm:
- security fix wpa_supplicant-2.8: Improper fragmentation reassembly state validation in EAP peer leading to DoS (CVE-2019-11555) #685860
005-thinclient.xzm:
- upgraded to remmina-1.3.4, libssh-0.9.0
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.238
08-ssh.xzm:
- upgraded to openssh-8.0_p1-r2
WARNING: We have changed default key type from RSA to newer Ed25519 (faster and more secure) in OpenSSH version 8.x.
Please reboot Porteus Kiosk Server ASAP in order to upgrade the system and OpenSSH package specifically. This is to avoid connectivity issues with kiosk clients which already upgraded to system version '20190825' and higher.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.63, intel-microcode-20190618_p20190722
001-core:
- security fix glib-2.58.3-r1: file_copy_fallback does not properly restrict file permissions while a copy operation is in progress (CVE-2019-12450) #690498
- upgraded to dhcpcd-7.2.3, xfsprogs-4.19.0
002-chrome:
- major Chrome upgrade upgraded to google-chrome-76.0.3809.87
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-68.0 changelog: 53.0 54.0 55.0 56.0 57.0 58.0 59.0 60.0 61.0 62.0 63.0 64.0 65.0 66.0 67.0 68.0
- *broken parameter* Mozilla still did not fix the 'silent_printing=' parameter in Firefox 68. We could not wait any longer with a Firefox upgrade so please switch to Chrome if you need this feature.
003-settings:
- kiosk fix disabled middle mouse click by default when browser works with navigation bar disabled so it's not possible to open new tabs when clicking on the hyperlinks
- kiosk fix disabled hidden files from viewing through the file protocol in the Firefox browser
- kiosk fix run 'grep' utility with a '-w' flag to properly find and reuse client IDs from deleted kiosks when 'client_id=automatic' parameter is used
- kiosk fix disabled 'Ctrl+0' (zoom reset) keyboard shortcut when 'disable_zoom_controls=' parameter is used. This is to prevent the case when zoom level is changed by the admin and kiosk users should not reset it back to default value.
- new feature 'managed_bookmarks=' parameter will work even when navigation bar is disabled in the Firefox browser
07-java.xzm:
- *removed* as Firefox 68 does not support the Java NPAPI plugin anymore. Java .jnlp files are rare nowadays and can still be supported through the customized builds.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.60
001-core:
- upgraded to ncurses-6.1_p20181020, timezone-data-2019a, ca-certificates-20190110.3.43, e2fsprogs-libs-1.45.2, e2fsprogs-1.45.2, libX11-1.6.8, libevdev-1.7.0, xkeyboard-config-2.27, libXt-1.2.0, libXi-1.7.10, xinit-1.4.1, mesa-19.0.8, libepoxy-1.5.3-r1, xorg-server-1.20.5, xf86-input-elographics-1.4.2
003-settings:
- kiosk fix screensaver video: detect screen size properly for the video outputs which are marked as 'primary' in the xrandr output
005-thinclient.xzm:
- upgraded to libvncserver-0.9.12-r2
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.223
09-x11vnc.xzm:
- upgraded to libvncserver-0.9.12-r2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.57, intel-microcode-20190514_p20190623
001-core:
- security fix dbus-1.12.16: authentication bypass through manipulated symlinks (CVE-2019-12749) #687900
- security fix expat-2.2.7: stable request due to denial-of-service vulnerability in <2.2.7 (CVE-2018-20843) #688734
- upgraded to elfutils-0.176-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.54, intel-microcode-20190514_p20190608
001-core:
- upgraded to util-linux-2.33.2, wget-1.20.3-r1, rsyslog-8.1904.0
003-settings:
- kiosk fix if 'homepage_append=mac' parameter is used then wait on IP until it's assigned by DHCP otherwise MAC address can't be determined
- kiosk fix added '-nomodtweak' by default to the VNC service startup script in order to resolve 'Shift' key related problems
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.207
07-java.xzm:
- security fix icedtea-bin-3.12.0: Multiple vulnerabilities #685480
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.49, intel-microcode-20190514_p20190525
002-chrome:
- upgraded to google-chrome-74.0.3729.169
003-settings.xzm:
- kiosk fix disabled 'Ctrl+period' and 'Ctrl+semicolon' key shortcuts by default when Chrome has navigation bar disabled to prevent restarting the browser by the kiosk users
004-wifi.xzm:
- upgraded to wireless-regdb-20190603
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.16-r2
10-printing.xzm:
- security fix cups-2.2.11: Linux session cookies use a predictable random number seed (CVE-2018-4700) #672742
- upgraded to poppler-0.77.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.46, intel-microcode-20190514_p20190512
001-core.xzm:
- security fix sqlite-3.28.0: use-after-free in window function leading to remote code execution (CVE-2019-5018) #685838
- security fix libxslt-1.1.33-r1: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL (CVE-2019-11068) #684206
- security fix curl-7.65.0: multiple vulnerabilities (CVE-2019-5435, CVE-2019-5436) #686050
- upgraded to llvm-7.1.0, libvdpau-1.2, usbutils-010-r1
003-settings.xzm:
- kiosk fix fixed screensaver video not working correctly on rotated screens
- kiosk security fix disabled 'Ctrl+Shift+N' key shortcut by default when Chrome has navigation bar disabled (works in fullscreen) to prevent opening a new browser instance in a new, normal mode window. This bug affected only kiosks with private mode enabled.
004-wifi.xzm:
- upgraded to crda-3.18-r3
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.192
09-x11vnc.xzm:
- upgraded to libvncserver-0.9.12
10-printing.xzm:
- upgraded to net-snmp-5.8-r1, gutenprint-5.3.1, perl-5.28.2-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.42
- kernel config: set Hyper-V framebuffer to FullHD resolution by default as userspace can not control the screen size on Hyper-V virtual machines
001-core.xzm:
- security fix dhcpcd-7.1.1-r3 - dhcpv6: potential read overflow with D6_OPTION_PD_EXCLUDE #685264
- upgraded to libxml2-2.9.9-r1, libcroco-0.6.13, at-spi2-core-2.30.1, gdk-pixbuf-2.38.1, pango-1.42.4-r1, atk-2.30.0, librsvg-2.40.20, at-spi2-atk-2.30.1, gtk+-3.24.8, adwaita-icon-theme-3.30.1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-74.0.3729.131
003-settings.xzm:
- kiosk fix Network wizard: moved 'Set time' utility from the wifi page to the final network configuration page as incorrect system time may affect also wired connections (expired SSL certificates)
- kiosk fix added random delay to the tunneling script. This is to lower the impact on Porteus Kiosk Server resources in case of large number of clients connecting to it at the same time (e.g. server reboot or network connection interrupt).
- new feature added user guest to the cdrom group by default so it's possible to play DVDs/Audio CDs in kiosk
005-thinclient.xzm:
- upgraded to libsoup-2.64.2, vte-0.54.4
- added libpsl-0.21.0, libidn2-2.1.1a-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.37, intel-microcode-20180807a_p20190420
001-core.xzm:
- security fix libpng-1.6.37: use-after-free vulnerability in png_image_free (CVE-2018-14048, CVE-2018-14550, CVE-2019-7317) #683366
- security fix dhcpcd-7.1.1-r2 - multiple vulnerabilities #684430
- upgraded to bzip2-1.0.6-r11, libcap-2.26-r2, sqlite-3.27.2, pixman-0.38.4, libXau-1.0.9, libXdmcp-1.1.3, xkeyboard-config-2.26-r1, libfontenc-1.1.4, libxkbcommon-0.8.4, ntfs3g-2017.3.23-r2, libXext-1.3.4, libxkbfile-1.1.0, xmodmap-1.0.10, libXcomposite-0.4.5, libXrandr-1.5.2, libXdamage-1.1.5, libXmu-1.1.3, libXcursor-1.2.0, xev-1.2.3, xdotool-3.20160805.1, libXft-2.3.3, xorg-server-1.20.4, gtk+-3.24.4-r1, xf86-video-nouveau-1.0.16, xf86-video-ati-19.0.1, xf86-video-amdgpu-19.0.1, xf86-video-intel-2.99.917_p20190301
003-settings.xzm:
- kiosk fix installation wizard: properly list Access Points which contain spaces in SSID. This bug affected only fallback 'iw' utility which is used in environments with over hundred APs in range.
- kiosk fix Cloud/ThinClient: do not remount the device automatically when 'Eject removable devices' button is pressed
- kiosk fix 'refresh_webpage=' parameter shouldn't prevent restarting the session when 'session_idle_forced=' parameter is used
- kiosk fix hide 'onscreen buttons' under the screensaver window when browser is restarted through the 'session_idle=' parameter
005-thinclient.xzm:
- upgraded to libgpg-error-1.36, libpcre2-10.32
10-printing.xzm:
- security fix tiff-4.0.10: potential out-of-bounds write in JBIGDecode() (CVE-2018-18557) #669948
- upgraded to jbig2dec-0.14
initrd:
- never clear the screen when booting with 'kernel_parameters=debug' enabled. This makes it possible to see kernel oopses and crashes caused by drivers loaded later in the booting process by udev.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.34
001-core.xzm:
- security fix wget-1.20.3: buffer overflow vulnerability (CVE-2019-5953) #682994
- security fix cairo-1.16.0-r3: invalid free in cairo_ft_apply_variations (CVE-2018-19876) #672908
- security fix elfutils-0.173-r1: dwfl_segment_report_module doesn't check whether the dyn data read from core (CVE-2019-7150) #676974
- security fix gnutls-3.6.7: multiple vulnerabilities (CVE-2019-3829, CVE-2019-3836, GNUTLS-SA-2019-03-27) #681846
- upgraded to glibc-2.28-r6, libdrm-2.4.97, glib-2.58.3, curl-7.64.1, stunnel-5.50-r1, dhcpcd-7.1.1-r1, mesa-18.3.6, mesa-progs-8.4.0
003-settings.xzm:
- new feature if remote management is enabled then report remote config name to Porteus Kiosk Server
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.171
uefi.zip:
- upgraded to grub-2.03 from git. Latest version is needed to boot some CoffeeLake and GeminiLake systems which support EFI firmware only.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.32
001-core.xzm:
- upgraded to glibc-2.28-r5, alsa-lib-1.1.8, alsa-utils-1.1.8, nettle-3.4.1, hwids-20190316, gnutls-3.6.6, harfbuzz-2.3.1
004-wifi.xzm:
- upgraded to ppp-2.4.7-r7
005-thinclient.xzm:
- upgraded to opus-1.3
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.29, intel-microcode-20180807a_p20190309
001-core.xzm:
- security fix openssl-1.0.2r - undisclosed vulnerabilities (CVE-2019-1559) #678564
- security fix ntp-4.2.8_p13: Crafted null dereference attack in authenticated mode 6 packet (CVE-2019-8936) #679742
- upgraded to ethtool-4.19, sysvinit-2.93, feh-3.1.1, rsyslog-8.1901.0
005-thinclient.xzm:
- upgraded to lz4-1.8.3
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.156
08-ssh.xzm:
- security fix openssh-7.9_p1-r4: multiple vulnerabilities (CVE-2019-{6109,6110,6111}) #675522
10-printing.xzm:
- security fix poppler-0.73.0: a reachable abort in FileSpec::FileSpec in FileSpec.cc (CVE-2018-20650) #674666
- upgraded to sane-backends-1.0.27-r3
This is an emergency update which covers Chrome browser 'zero-day' vulnerability: link
002-chrome:
- upgraded to google-chrome-72.0.3626.121
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.26
001-core.xzm:
- security fix libxml2-2.9.8-r1: Out-of-bounds read in htmlParseTryOrFinish (CVE-2017-8872) #618110
- upgraded to libpcre-8.42, xf86-video-intel-2.99.917_p20180214-r2, dbus-1.12.12-r1
002-chrome:
- upgraded to google-chrome-72.0.3626.109
004-wifi.xzm:
- upgraded to wireless-regdb-20190301
06-fonts.xzm:
- upgraded to libertine-5.3.0.20120702-r3
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.23, intel-microcode-20180807a_p20190204
001-core.xzm:
- security fix curl-7.64.0 - multiple vulnerabilities (CVE-2018-16890, CVE-2019-3822, CVE-2019-3823) #677346
- upgraded to kmod-25, mc-4.8.22, lm_sensors-3.5.0, expat-2.2.6
002-chrome:
- major Chrome upgrade upgraded to google-chrome-72.0.3626.96, pepperflash-32.0.0.114
003-settings.xzm:
- kiosk fix when client_id is not in range 1024-65535, is missing or is set to a string then default to 'client_id=automatic'
- kiosk fix resolved issues with parsing some proxy pac files
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.142
10-printing.xzm:
- upgraded to cups-filters-1.21.6, qpdf-8.2.1, sane-backends-1.0.27-r2
11-citrix.xzm:
- upgraded to icaclient-19.1.0.9
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.19.19
001-core.xzm:
- upgraded to hwids-20180917, pixman-0.36.0, libevdev-1.6.0, xinit-1.4.0-r1, cairo-1.16.0-r2, xf86-video-mga-2.0.0, nss-3.40.1-r1
003-settings.xzm:
- kiosk fix added guest user to the 'usb' and 'plugdev' groups so it's possible to connect to the mobile phones and photo cameras in order to download the files from them
07-java.xzm:
- security fix icedtea-bin-3.10.0: Multiple vulnerabilities #676152
Tagged as Porteus Kiosk 4.8.0 release
Wizard 4.8.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-4.19.16
- upgraded to intel-microcode-20180807a_p20181215
001-core.xzm:
- upgraded to conky-1.10.8-r4, coreutils-8.30, harfbuzz-2.0.2-r1, e2fsprogs-1.44.5, e2fsprogs-libs-1.44.5, libunistring-0.9.10
003-settings.xzm:
- new feature ask for confirmation when restarting kiosk wizard, this is to prevent accidental restarts and losses of wizard choices
initrd:
- busybox: added aliases support to the 'ash' shell
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.93
001-core.xzm:
- security fix openssl-1.0.2q: side-channel vulnerability (CVE-2018-5407) #673056
- security fix wget-1.20.1: password and metadata leak via extended filesystem attributes (CVE-2018-20483) #674170
- security fix glib-2.56.4: multiple vulnerabilities #668474
- security fix ntp-4.2.8_p12: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution (CVE-2018-12327) #658576
- upgraded to mc-4.8.20-r1, timezone-data-2018i, xvkbd-3.9, ca-certificates-20180409.3.37, util-linux-2.33-r1, tint2-16.6.1, mesa-18.2.8
- added xcompmgr-1.1.7-r1, xf86-video-vboxvideo-1.0.0
003-settings.xzm:
- kiosk fix added mc="mc -u" alias to disable subshell otherwise midnight commander starts slowly on the ash shell
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.114
10-printing.xzm:
- security fix poppler-0.68.0: multiple vulnerabilities #659828
- upgraded to openjpeg-2.3.0-r1, hplip-3.18.12, perl-5.26.2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.90, intel-microcode-20180807a_p20181215
001-core.xzm:
- upgraded to acpid-2.0.31, libestr-0.1.11, rsyslog-8.40.0-r1, timezone-data-2018g-r1
003-settings.xzm:
- kiosk fix added support for xterm-256color terminals for ncurses based apps (alsamixer, midnight commander, etc) which can be run over SSH
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.88
001-core.xzm:
- upgraded to atk-2.28.1, curl-7.62.0, libpng-1.6.35-r1, nspr-4.20, nss-3.40.1, sqlite-3.25.3, sysvinit-2.91-r1, tofrodos-1.7.13, rsyslog-8.38.0-r2, fribidi-1.0.5, at-spi2-core-2.26.2, at-spi2-atk-2.26.2, harfbuzz-2.0.2, gtk+-2.24.32-r1, gtk+-3.24.1, fuse-2.9.8, mesa-18.2.7
003-settings.xzm:
- kiosk fix kiosk wizard: make proxy.pac file working in case when it returns the 'DIRECT' connection (no proxy used)
004-wifi.xzm:
- security fix wpa_supplicant-2.6-r10: Unauthenticated EAPOL-Key decryption in wpa_supplicant (CVE-2018-14526) #663172
005-thinclient.xzm:
- upgraded to json-glib-1.4.4
05-flash.xzm:
- upgraded to adobe-flash-32.0.0.101
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.85
002-chrome:
- upgraded to google-chrome-70.0.3538.110
003-settings.xzm:
- kiosk fix start VNC service with 10 seconds delay to allow clipboard copying between the host and the VNC clients
- kiosk fix delete caches folder when screensaver webpage and video is closed to free up the space in the RAM
- kiosk fix 'session_idle=' parameter must kill also the Citrix session
005-thinclient.xzm:
- security fix freerdp-2.0.0_rc4: multiple vulnerabilities (CVE-2018-{8784,8785,8786,8787,8788,8789}) #672010
05-flash.xzm:
- upgraded to adobe-flash-31.0.0.153
10-printing.xzm:
- security fix openldap-2.4.45: Double free vulnerability in servers/slapd/back-mdb/search.c (CVE-2017-9287) #620204
- security fix ghostscript-gpl-9.26: 1Policy operator gives access to .forceput (CVE-2018-18284) #668846
11-citrix.xzm:
- major Citrix Receiver upgrade upgraded to icaclient-18.10.0.11
- kiosk fix run Citrix window in maximized mode instead of fullscreen as it causes 100% CPU usage with xorg server 1.20.x. Unfortunately all Citrix versions are affected by this bug and it's 5 months old already so we are not sure when it will be fixed by upstream: link
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.81, intel-microcode-20180807a_p20181117
001-core.xzm:
- upgraded to baselayout-2.6-r1, timezone-data-2018g, openssl-1.0.2p-r1, wget-1.19.5-r1, mesa-18.2.5, tigervnc-1.9.0-r1
002-chrome:
- upgraded to google-chrome-70.0.3538.102
003-settings.xzm:
- kiosk fix fixed calibration not working for touch controllers containing 'Ⓡ' symbol in their name
- kiosk fix wait 4 seconds before rotating the touch input as some screens are slow to initialize
- kiosk fix wait up to 120 seconds for the gateway as some setups require starting the local server first and many times the kiosk is faster
005-thinclient.xzm:
- upgraded to spice-gtk-0.35
- added lz4-1.8.2
05-flash.xzm:
- upgraded to adobe-flash-31.0.0.148
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.79, intel-microcode-20180807a_p20181027
- added wifi firmware needed for Surface Pro 2s laptop
001-core.xzm:
- major Xorg upgrade upgraded xorg-server to version 1.20.3 and bumped whole Xorg stack: libdrm-2.4.96, libSM-1.2.3, libX11-1.6.7, libepoxy-1.5.3, mesa-18.2.4, xkeyboard-config-2.25, xf86-video-r128-6.12.0, xf86-video-ati-18.1.0, xf86-video-amdgpu-18.1.0
- upgraded to glibc-2.27-r6, sshpass-1.06, acpid-2.0.30, rsyslog-8.38.0-r1
002-chrome:
- upgraded to google-chrome-70.0.3538.77
003-settings.xzm:
- kiosk fix fallback to the 'iw' utility for scanning for available wireless networks when there are 100+ Access Points in range
004-wifi.xzm:
- upgraded to wireless-regdb-20181024
- added iw-4.9
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.72, intel-microcode-20180807a_p20180922
001-core.xzm:
- upgraded to alsa-lib-1.1.6-r1, alsa-utils-1.1.6, lm_sensors-3.4.0_p20180923, apulse-0.1.12-r4, harfbuzz-1.9.0, libnotify-0.7.7-r1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-70.0.3538.67, pepperflash-31.0.0.122
003-settings.xzm:
- kiosk fix fixed full persistence not working when kiosk was installed on some eMMC and NVME devices (/dev/mmcblk2 and /dev/nvme0n2 nodes)
- kiosk fix fixed calibration not working for touch controllers containing additional spaces in their names. Example: "ELO Touch Solutions ELO Touch Solutions AccuTouch 2218" has two spaces between "Solutions" and "ELO" strings.
005-thinclient.xzm:
- security fix libssh-0.8.4: Authentication bypass vulnerability in the server code (CVE-2018-10933) #668788
05-flash.xzm:
- upgraded to adobe-flash-31.0.0.122
07-java.xzm:
- security fix icedtea-bin-3.9.0: Multiple vulnerabilities #667920
001-core.xzm:
- upgraded to libbsd-0.9.1, libxcb-1.13.1, rsyslog-8.38.0, dosfstools-4.1, dbus-glib-0.110, mesa-18.1.9
- added librsvg-2.40.18, libcroco-0.6.12-r1
005-thinclient.xzm:
- upgraded to remmina-1.2.31.3
- added json-glib-1.2.8, libsoup-2.58.2
10-printing.xzm:
- security fix ghostscript-gpl-9.25: Multiple vulnerabilities (CVE-2018-{15908,15909,15910,15911,16509,16510,16511,16513,16539,16540,16541,16542,16543,16585,16802}) #635426
initrd:
- do not search for the GPU driver if PCI bus is not available (Hyper-V Gen2 platform and some ARM boxes)
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.71, intel-microcode-20180807a_p20180916
- kernel config: enabled support for Hyper-V Gen2 platform
001-core.xzm:
- security fix libxkbcommon-0.8.2: multiple vulnerabilities (CVE-2018-{15853,15854,15855,15856,15857,15858,15859,15861,15862,15863,15864}) #665702
- upgraded to nspr-4.19, nss-3.37.3, xfsprogs-4.17.0-r1
05-flash.xzm:
- upgraded to adobe-flash-31.0.0.108
10-printing.xzm:
- security fix python-2.7.15: Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c (CVE-2018-1000030) #647862
- security fix tiff-4.0.9-r4: NULL pointer dereference in tif_print.c:TIFFPrintDirectory() causes crash (CVE-2017-18013) #645982
- upgraded to cups-filters-1.20.4
001-core.xzm:
- security fix openssl-1.0.2o-r6: Client DoS due to large DH parameter (CVE-2018-0732) #663654
- security fix curl-7.61.1: NTLM password overflow via integer overflow (CVE-2018-14618) #665292
- upgraded to timezone-data-2018e
003-settings.xzm:
- kiosk fix Remmina: remember connection passwords (SSH, VNC, RDP, etc) when persistence is set to full
004-wifi.xzm:
- upgraded to wireless-regdb-20180907
001-core.xzm:
- security fix libjpeg-turbo-1.5.3-r2: Denial of Service (CVE-2018-1152, CVE-2018-11813) #658624
- security fix libX11-1.6.6: Multiple vulnerabilities (CVE-2018-14598, CVE-2018-14599, CVE-2018-14600) #664184
- security fix pango-1.42.4: assertion which can be triggered by invalid Unicode sequences #664108
- upgraded to bzip2-1.0.6-r10, fontconfig-2.13.0-r4, libdrm-2.4.93, gnutls-3.5.19, libevdev-1.5.9-r1, pciutils-3.5.6, llvm-6.0.1, libXinerama-1.1.4, libXScrnSaver-1.2.3, libwacom-0.30, libXaw3d-1.6.3, sqlite-3.24.0, xkbcomp-1.4.2, xf86-video-fbdev-0.5.0, mesa-18.1.6, xf86-video-vmware-13.3.0
- added fribidi-0.19.7
05-flash.xzm:
- upgraded to adobe-flash-30.0.0.154
08-ssh.xzm:
- security fix openssh-7.7_p1-r9: User enumeration via malformed packets in authentication requests (CVE-2018-15473) #664264
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.62, intel-microcode-20180807_p20180808-r1
001-core.xzm:
- added localization files from 'libX11' package so Citrix Receiver can work correctly with non english keyboard layouts
002-chrome:
- upgraded to google-chrome-68.0.3440.105
003-settings.xzm:
- kiosk fix 'screensaver_video' and 'screensaver_webpage' parameters will properly handle URLs containing '&' sign
- new feature allow 'screensaver_webpage' to work with webpage stored on a local filesystem, e.g. 'screensaver_webpage=file:///opt/www/index.html'
vmlinuz and 000-kernel.xzm:
- upgraded to intel-microcode-20180721-r1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-68.0.3440.75
003-settings.xzm:
- kiosk fix set the timezone before rsyslogd is started
- new feature added remote kiosk config name to the debug report. For security reasons we can't reveal full kiosk config location, however - config name itself should be enough for the admins to figure out which remote config the kiosk is currently using.
05-flash.xzm:
- upgraded to adobe-flash-30.0.0.134
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.55, intel-microcode-20180703
001-core.xzm:
- security fix curl-7.61.0: Heap-based Buffer Overflow (CVE-2018-0500) #660894
- upgraded to coreutils-8.29-r1, libcap-2.25, util-linux-2.32-r4, imlib2-1.5.1, rsyslog-8.35.0-r1, harfbuzz-1.8.1, gtk+-3.22.30, gtk+-2.24.32
002-firefox.xzm:
- critical security fix mozilla-firefox-52.9.0. Changelog: link
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.52
001-core.xzm:
- upgraded to ntfs3g-2017.3.23-r1, zlib-1.2.11-r2
004-wifi.xzm:
- upgraded to libnl-3.4.0
07-java.xzm:
- upgraded to icedtea-web-1.6.2
11-citrix.xzm:
- upgraded to icaclient-13.10.0.20
IMPORTANT:
GCC 7.3.0 is finally stable now in upstream Gentoo project. This is important as linux kernel compiled with this compiler version provides full mitigation for Spectre v2 vulnerability. Check below is performed on Intel m3-6Y30 CPU which is fully protected with this update:
root@tablet:~# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xc6, date = 2018-04-17
root@tablet:~# grep . /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.51, intel-microcode-20180616
001-core.xzm:
- upgraded to gcc-7.3.0-r3
08-ssh.xzm:
- upgraded to openssh-7.7_p1-r5
Tagged as Porteus Kiosk 4.7.0 release
Wizard 4.7.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.50
001-core.xzm:
- upgraded to: acpid-2.0.29-r1, llvm-5.0.2, xf86-input-wacom-0.36.0-r2
002-firefox.xzm:
- critical security fix mozilla-firefox-52.8.1. Changelog: link
003-settings.xzm:
- kiosk fix system upgrade/reconfiguration notification will be visible all the time so users can know there is an action happening in the background
004-wifi.xzm:
- security fix ppp-2.4.7-r6: Buffer Overflow in pppd EAP-TLS implementation (CVE-2018-11574) #657656
005-thinclient.xzm:
- upgraded to libgcrypt-1.8.3, libgpg-error-1.29
05-flash.xzm:
- major flashplayer upgrade upgraded to adobe-flash-30.0.0.113
07-java.xzm:
- security fix icedtea-bin-3.8.0: Multiple vulnerabilities #657704
08-ssh.xzm:
- upgraded to openssh-7.7_p1-r4
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.47, intel-microcode-20180527-r1
001-core.xzm:
- security fix procps-3.3.15: multiple vulnerabilities (qualys audit) (CVE-2018-1120, CVE-2018-1121, CVE-2018-1122, CVE-2018-1123, CVE-2018-1124) #656022
- upgraded to: glibc-2.26-r7, timezone-data-2018d, stunnel-5.43, conky-1.10.8-r1, openssl-1.0.2o-r3, xf86-input-synaptics-1.9.1, xf86-input-evdev-2.10.6
003-settings.xzm:
- kiosk fix enable flashplayer by default for Chrome browser when 'screensaver_url=' parameter is used
004-wifi.xzm:
- upgraded to wireless-regdb-20180531
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.42
- kernel config: enabled touchpad compatibility layer for older hardware
001-core.xzm:
- security fix wget-1.19.5: Cookie injection allows malicious website to write arbitrary cookie entries into cookie jar (CVE-2018-0494) #655216
- security fix curl-7.60.0: multiple vulnerabilities (CVE-2018-1000300, CVE-2018-1000301) #655266
- security fix libidn-1.34 - multiple vulnerabilities #655668
- security fix freetype-2.9.1: crash with certain malformed variation fonts (CVE-2018-6942) #654696
- upgraded to: e2fsprogs-libs-1.43.9, libpciaccess-0.14, libxshmfence-1.3, xkeyboard-config-2.23.1-r1, libevdev-1.5.9, rsyslog-8.34.0, usbutils-009, libxkbcommon-0.8.0, e2fsprogs-1.43.9, libdrm-2.4.91, libxcb-1.13, libxkbfile-1.0.9-r1, xkbcomp-1.4.1, xinit-1.4.0, tigervnc-1.8.0-r3, libepoxy-1.5.1, xorg-server-1.19.5-r2, xf86-video-vesa-2.4.0, xf86-input-wacom-0.36.0, xf86-video-intel-2.99.917_p20180214, xf86-video-ati-18.0.1, xf86-video-amdgpu-18.0.1
002-chrome.xzm:
- upgraded to google-chrome-66.0.3359.181, pepper-flash-29.0.0.171
002-firefox.xzm:
- critical security fix mozilla-firefox-52.8. Changelog: link
003-settings.xzm:
- kiosk fix replaced '--start-fullscreen' with '--kiosk' flag for Chrome screensaver to get rid of 'Press F11 to exit fullscreen' notification
- kiosk fix made 'Cancel' button same size as other buttons in shutdown menu so it's easier to press this button on touchscreens
- new feature enabled "DRI3" and "TearFree" features on Intel DDX driver by default
004-wifi.xzm:
- upgraded to wireless-regdb-20180509
005-thinclient.xzm:
- upgraded to freerdp-2.0.0_rc2-r1
05-flash.xzm:
- upgraded to adobe-flash-29.0.0.171
10-printing.xzm:
- upgraded to cups-2.2.7, gutenprint-5.2.13
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.39
- kernel config: added support for DM-Crypt so it's possible to encrypt partitions or files with cryptsetup
001-core.xzm:
- security fix shadow-4.6: unprivileged user can drop supplementary groups (CVE-2018-7169) #647790
- upgraded to: conky-1.10.8, libxml2-2.9.8, libxslt-1.1.32, harfbuzz-1.7.6, gdk-pixbuf-2.36.12, gtk+-3.22.29, mesa-17.3.9
- added haveged-1.9.2-r1
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-66.0.3359.139
11-citrix.xzm:
- new feature allow redirecting USB devices to the Citrix session by default
001-core.xzm:
- security fix openssl-1.0.2o: multiple vulnerabilities (CVE-2018-0733, CVE-2018-0739) #651730
- security fix sqlite-3.23.1: Denial of Service vulnerability through corrupted schemas (CVE-2018-8740) #650952
- upgraded to: ca-certificates-20170717.3.36.1, ethtool-4.13, gnutls-3.5.18, libpng-1.6.34, logrotate-3.14.0, nettle-3.4
004-wifi.xzm:
- upgraded to wpa_supplicant-2.6-r6
05-flash.xzm:
- upgraded to adobe-flash-29.0.0.140
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.33
001-core.xzm:
- security fix glibc-2.25-r11: Heap pointer deference vulnerability on powerpc (CVE-2018-6551) #646492
- security fix ncurses-6.1: Stack buffer overflow vulnerability (CVE-2017-16879) #639706
- security fix libtasn1-4.13: CVE-2018-6003: stack overflow due to unbounded recursion/DOS #647012
- upgraded to: libdrm-2.4.89, mesa-17.3.8, pango-1.40.14-r1, rsyslog-8.32.0-r4
002-firefox.xzm:
- critical security fix mozilla-firefox-52.7.3. Changelog: link
003-settings.xzm:
- kiosk fix wizard: repeat calibration twice for touch devices with swapped axes. This is needed to get accurate calibration data.
- kiosk fix unblock 'Ctrl + left mouse click' during installation so its possible to select multiple devices for calibration in the wizard
- kiosk fix kill old VNC connections before restarting vnc service
004-wifi.xzm:
- upgraded to usb_modeswitch-2.5.2
11-citrix.xzm:
- security fix libvorbis-1.3.6: out of bounds write (CVE-2018-5146) #650654
- upgraded to icaclient-13.9.1.6
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.30
- upgraded to intel-microcode-20180312
001-core.xzm:
- security fix curl-7.59.0: multiple vulnerabilities (CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122) #650056
- security fix ntp-4.2.8_p11: multiple vulnerabilities (CVE-2018-7170, CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185) #649612
- security fix ncurses-6.1: Stack buffer overflow vulnerability (CVE-2017-16879) #639706
- upgraded to: dbus-1.10.24, dhcpcd-7.0.1
003-settings.xzm:
- new feature wizard: do not ask for the client ID, SSH and VNC details when pointing kiosk to existing remote config hosted on Porteus Kiosk Server. These details do not matter at the installation stage as kiosk will be reconfigured anyway as per remote config settings. Installation of multiple clients should be faster now.
004-wifi.xzm:
- upgraded to usb_modeswitch-2.4.0-r1
005-thinclient.xzm:
- security fix spice-gtk-0.34: Denial of Service/RCE vulnerability through malicious messages #650878
- new feature Chrome browser: associate ".ica" files with Citrix Receiver. Receiver standalone application opens now automatically after clicking on the ".ica" file.
- upgraded to freerdp-2.0.0_rc1-r1
05-flash.xzm:
- upgraded to adobe-flash-29.0.0.113
10-printing.xzm:
- security fix tiff-4.0.9: Heap-based buffer overflow in tiff2pdf (CVE-2017-11335) #645980
11-citrix.xzm:
- added libogg-1.3.3, libvorbis-1.3.5, speex-1.2.0-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.25
001-core.xzm:
- upgraded to: sqlite-3.22.0, util-linux-2.30.2-r1, xorg-server-1.19.5-r1, xset-1.2.4, xsetroot-1.1.2
003-settings.xzm:
- kiosk fix default to first proxy IP in case when multiple proxies are returned for automatic proxy configuration (proxy PAC files) for cli utilities respecting 'http_proxy=' variable
- kiosk fix rotate touch input if at least one screen is rotated
005-thinclient.xzm:
- upgraded to: opus-1.2.1
07-java.xzm:
- security fix icedtea-bin-3.7.0: Multiple vulnerabilities #649968
001-core.xzm:
- security fix rsync-3.1.3: Security bypass vulnerability (CVE-2018-5764) #646818
- upgraded to: cairo-1.14.12, dhcpcd-6.11.5, glibc-2.25-r10, hwids-20171003, rsyslog-8.32.0-r3, sqlite-3.21.0
002-chrome.xzm:
- upgraded to google-chrome-64.0.3282.186
10-printing.xzm:
- upgraded to poppler-0.62.0-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.18
- downgraded to intel-microcode-20171117-r1 as per Intel recommendations #646646
05-flash.xzm:
- upgraded to adobe-flash-28.0.0.161
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.17
001-core.xzm:
- security fix curl-7.58.0: multiple vulnerabilities (CVE-2018-1000005, CVE-2018-1000007) #645698
- upgraded to: libfastjson-0.99.8, rsyslog-8.32.0-r1, eudev-3.2.5
002-chrome.xzm:
IMPORTANT:
This release brings mitigations against web-exploitable Spectre flaw enabled on the application level.
- major Chrome upgrade upgraded to google-chrome-64.0.3282.140
003-settings.xzm:
- kiosk fix make stunnel aware of 'proxy_exceptions=' parameter when connecting to PK Server
- kiosk fix fixed 'managed_bookmarks=' parameter being ignored in the PCID section of remote config
- new feature list SDIO devices in the debug report
004-wifi.xzm:
- upgraded to wireless-regdb-20171223-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.14.15
- kernel config: enabled retpoline support. Spectre V2 mitigation is still not complete as we are waiting on GCC compiler update from upstream (Spectre V1 is not even touched yet).
001-core.xzm:
- security fix gdk-pixbuf-2.36.11: Integer overflow in io-gif.c:gif_get_lzw() can lead to memory corruption and potential code execution (CVE-2017-1000422) #644770
- security fix libidn-1.33-r2: Integer overflow results in denial of service (CVE-2017-14062) #631130
- upgraded to: kmod-24, glib-2.52.3, libxml2-2.9.7, adwaita-icon-theme-3.24.0, at-spi2-core-2.24.1, atk-2.24.0, pango-1.40.14, at-spi2-atk-2.24.1
002-firefox.xzm:
- critical security fix mozilla-firefox-52.6.0. Changelog: link
005-thinclient.xzm:
- upgraded to: remmina-1.2.0_rc24, vte-0.48.4
05-flash.xzm:
- upgraded to adobe-flash-28.0.0.137
06-fonts.xzm:
- added corefonts-1-r7
10-printing.xzm:
- security fix qpdf-7.0.0: multiple infinite loop (CVE-2017-11624, CVE-2017-11625, CVE-2017-11626, CVE-2017-11627, CVE-2017-9208, CVE-2017-9209, CVE-2017-9210) #626446
- upgraded to cups-filters-1.17.9
11-citrix.xzm:
- upgraded to icaclient-13.8.0.10299729
IMPORTANT:
This system revision fixes Meltdown attack for the Intel CPUs (AMD is not affected) and partially mitigates Spectre vulnerability for the Firefox browser. Chrome users should enable Site Isolation for Chrome 63.x using 'browser_preferences=' parameter unless they are affected by some known issues of this feature (that's why enterprise policies are not enabled by default).
More patches to come as Meltdown/Spectre bugs are still a work in progress. Pushing what we have right now as first exploits are available publicly already.
Tagged as Porteus Kiosk 4.6.0 release
Wizard 4.6.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
initrd:
- enabled busybox applet: strings
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-4.14.13
- kernel config: compiled Intel and AMD microcode directly into kernel so it's loaded early in the booting process (required for Haswell CPUs and newer)
- upgraded to intel-microcode-20180108
001-core.xzm:
- upgraded to expat-2.2.5, iptables-1.6.1-r2, libpcre-8.41-r1, lm_sensors-3.4.0_p20170901, xfsprogs-4.14.0
002-chrome.xzm:
- upgraded to google-chrome-63.0.3239.132
002-firefox.xzm:
- critical security fix mozilla-firefox-52.5.3. Changelog: link
003-settings.xzm:
- new feature make sure kernel version matches kernel modules version before performing system upgrade
004-wifi.xzm:
- moved wifi firmware to 000-kernel.xzm module
001-core.xzm:
- upgraded to sqlite-3.20.1-r1, gdk-pixbuf-2.36.10-r2, gtk+-3.22.19, hicolor-icon-theme-0.17, libdrm-2.4.88, libgudev-232, libusb-1.0.21, libxml2-2.9.6, llvm-4.0.1-r1, mesa-17.2.7, pango-1.40.12, procps-3.3.12-r1, shared-mime-info-1.9, timezone-data-2017c
002-chrome.xzm:
- upgraded to google-chrome-63.0.3239.108
003-settings.xzm:
- kiosk fix make full persistence working when kiosk is installed on NVME devices
- kiosk fix skip gateway check for modem connections
- kiosk fix for dialup connections default to first MAC address found (even from wired NIC) when reporting to PK Server as ppp0 interface does not have a MAC address itself
05-flash.xzm:
- major flashplayer upgrade upgraded to adobe-flash-28.0.0.126
001-core.xzm:
- security fix openssl-1.0.2n: multiple vulnerabilities (CVE-2017-{3737,3738}) #640172
- security fix rsync-3.1.2-r2: Multiple vulnerabilities (CVE-2017-{17433,17434}) #640570
- security fix harfbuzz-1.7.2: Use-of-uninitialized-value in OT::RangeRecord::cmp #621644
002-firefox.xzm:
- critical security fix mozilla-firefox-52.5.2. Changelog: link
003-settings.xzm:
- kiosk fix switched i915 Mesa (3D) driver from gallium to classic version as gallium one causes Firefox tabs to crash on Intel Alviso (gen3) GPUs on certain websites, e.g. https://www.seznam.cz
001-core.xzm:
- security fix curl-7.57.0: Multiple vulnerabilities (CVE-2017-8816, CVE-2017-8817, CVE-2017-8818) #638734
- security fix libXfont2-2.0.3: Open files with O_NOFOLLOW (symlink attack) (CVE-2017-16611) #639064
- security fix libXcursor-1.1.15: Heap overflows when parsing malicious files (CVE-2017-16612) #639062
- security fix libxslt-1.1.30: integer overflow (CVE-2017-5029) #612194
- upgraded to elfutils-0.170-r1, gmp-6.1.2, html-xml-utils-7.1, libdrm-2.4.82, mesa-17.1.10
- added xvkbd-3.8
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-63.0.3239.84
003-settings.xzm:
- kiosk fix mirror the screens properly when 'screen_settings=' parameter is used
- kiosk fix source (rather than execute) 'persistence' script in rc.S to make sure it completes before moving to runlevel 3
- kiosk fix allow flash content by default on all websites for Chrome browser
10-printing.xzm:
- security fix poppler-0.57.0-r1: Null pointer dereference in the JPXStream::readUByte function #619558
- upgraded to hplip-3.17.10-r1, python-2.7.14-r1
initrd:
- Mention 'Win32DiskImager' and 'dd' utilities directly in the 'Error - kiosk data not found' info
vmlinuz and 000-kernel.xzm:
- recompiled with gcc-6.4.0
001-core.xzm:
- security fix rsync-3.1.2-r1: Heap-based buffer over-read in receive_xattr function (CVE-2017-16548) #636714
- upgraded to coreutils-8.28-r1, gcc-6.4.0, logrotate-3.13.0
003-settings.xzm:
- new feature added 'search for printer' function to the printer list in the wizard
05-flash.xzm:
- security fix adobe-flash-27.0.0.187: Multiple vulnerabilities (CVE-2017-11213, CVE-2017-11215, CVE-2017-11225, CVE-2017-3112, CVE-2017-3114) #637630
08-ssh.xzm:
- security fix openssh-7.5_p1-r3: sftp-server was incorrectly permitting creation of zero-length files #633428
10-printing.xzm:
- security fix lcms-2.9: Heap-buffer-overflow in TetrahedralInterpFloat #628478
- upgraded to hplip-3.17.10
initrd:
- copy modules to RAM one by one rather than in parallel, it should resolve occasional MD5 sum mismatches seen on some devices
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.12.14
001-core.xzm:
- security fix openssl-1.0.2m: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736) #636264
- upgraded to glibc-2.25-r9, util-linux-2.30.2
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-62.0.3202.89
003-settings.xzm:
- kiosk fix disabled "Control + left mouse click" and "Control + Shift + left mouse click" shortcuts as they open URLs as new tabs. This is unwanted when navigation bar is disabled.
- kiosk fix disabled 'captive portals check' function for Firefox as it slows down booting for offline kiosks (browser waits till connection times out)
07-java.xzm:
- security fix icedtea-bin-3.6.0: Multiple vulnerabilities #636522
10-printing.xzm:
- security fix sane-backends-1.0.27: SANE_NET_CONTROL_OPTION response packet may contain memory contents of the server (CVE-2017-6318) #622422
- upgraded to libieee1284-0.2.11-r6, python-2.7.14
001-core.xzm:
- security fix net-misc/wget-1.19.1-r2: multiple vulnerabilities (CVE-2017-13089, CVE-2017-13090) #635496
- security fix curl-7.56.1: IMAP FETCH response out of bounds read (CVE-2017-1000257) #635140
- security fix libXfont2-2.0.2: multiple vulnerabilities (CVE-2017-13720, CVE-2017-13722) #634044
- upgraded to libidn-1.33-r1
003-settings.xzm:
- kiosk fix determine IP address and MAC of default NIC just before sending data to the server
05-flash.xzm:
- upgraded to adobe-flash-27.0.0.183
001-core.xzm:
- security fix xorg-server-1.19.5: multiple vulnerabilities (CVE-2017-13721, CVE-2017-13723) #633910
- upgraded to e2fsprogs-libs-1.43.6, e2fsprogs-1.43.6, gnutls-3.5.15, xinit-1.3.4-r3
002-firefox.xzm:
- critical security fix mozilla-firefox-52.4.1. Changelog: link
003-settings.xzm:
- new feature set window title in PS1 prompt, helps finding e.g. to which kiosk you are connected over ssh
004-wifi.xzm:
- security fix wpa_supplicant-2.6-r3: WPA packet number reuse with replayed messages and key reinstallation #634436
05-flash.xzm:
- upgraded to adobe-flash-27.0.0.170
10-printing.xzm:
- security fix perl-5.24.3: multiple vulnerabilities (CVE-2017-12837, CVE-2017-12883) #630610
vmlinuz and 000-kernel.xzm:
- kernel config: compiled pinctrl drivers directly into kernel otherwise it's not possible to initialize some MMC devices and boot from them
001-core.xzm:
- upgraded to baselayout-2.4.1-r2, coreutils-8.26, libbsd-0.8.6, logrotate-3.12.3-r1, oxygen-gtk-1.4.6-r1
003-settings.xzm:
- new feature play sound when battery capacity reaches 10% and display notification with emergency status (must be clicked to disappear)
06-fonts.xzm:
- upgraded to noto-20170403
10-printing.xzm:
- security fix poppler-0.57.0: buffer over-read in the GfxImageColorMap::getGray function (CVE-2017-9865) #627390
- upgraded to cups-filters-1.16.4, libieee1284-0.2.11-r5
003-settings.xzm:
- kiosk fix wait 20 seconds and if gateway is not found during boot then start network initialization script once again to catch all devices which are slow to initialize, e.g. usb wifi dongles
- kiosk fix remove 'new tab' button from Firefox interface when address bar is disabled
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-4.12.12
001-core.xzm:
- security fix libtasn1-4.12-r1: Denial of Service Vulnerability (NULL pointer dereference) (CVE-2017-10790) #627014
- security fix gdk-pixbuf-2.36.9: multiple vulnerabilities (CVE-2017-6311, CVE-2017-6312, CVE-2017-6313, CVE-2017-6314) #611390
003-settings.xzm:
- new feature added 'show desktop' launcher to Server/Cloud/ThinClient systems by default
005-thinclient.xzm:
- security fix libgcrypt-1.8.1: Side channel attack on Curve25519 (CVE-2017-0379) #629160
05-flash.xzm:
- major flashplayer upgrade upgraded to adobe-flash-27.0.0.130
07-java.xzm:
- upgraded to icedtea-bin-3.5.1
Tagged as Porteus Kiosk 4.5.0 release
Wizard 4.5.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented on the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.45
001-core.xzm:
- security fix curl-7.55.0: Multiple vulnerabilities (CVE-2017-1000099, CVE-2017-1000100, CVE-2017-1000101) #626776
- security fix libpcre-8.41: two stack-based buffer overflow write in pcre32_copy_substring (pcre_get.c) (CVE-2017-7245, CVE-2017-7246) #614052
- security fix libxml2-2.9.4-r3: Missing validation for external entities in xmlParsePEReference (CVE-2017-7375) #623206
- upgraded to openssl-1.0.2l
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-60.0.3112.113
003-settings.xzm:
- kiosk fix keep bookmarks visible in Firefox when managed bookmarks are enabled and navigation bar is set to autohide
- kiosk fix parameter 'client_id=automatic' won't cause new ID to be assigned to the client when default NIC (MAC address) changes
- new feature run wpa_supplicant against all available wireless network interfaces and not only the first one. This is handy e.g. if your internal wifi card does not work (hardware failure, weak connection, missing driver/firmware) and you want to use a wifi dongle.
- new feature Kiosk Wizard: present available network interfaces in a dropdown list which makes it easier to find interface names
005-thinclient.xzm:
- security fix libpcre2-10.30: pcre2_match.c out of bounds write (CVE-2017-8399) #617944
- upgraded to freerdp-2.0.0_rc0, net-misc/remmina-1.2.0_rc19
10-printing.xzm:
- security fix openjpeg-2.2.0: Multiple vulnerabilities (CVE-2016-1626, CVE-2016-1628, CVE-2016-9112) #602180
- upgraded to dbus-python-1.2.4
001-core.xzm:
- security fix shadow-4.5: newusers tool could be made to manipulate internal data structures (CVE-2017-12424) #627044
- upgraded to ca-certificates-20161130.3.30.2, libfastjson-0.99.6, rsyslog-8.28.0
05-flash.xzm:
- upgraded to adobe-flash-26.0.0.151
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.41
001-core.xzm:
- upgraded to libwacom-0.25, pacparser-1.3.7, nettle-3.3-r2
002-firefox.xzm:
- critical security fix mozilla-firefox-52.3.0. Changelog: link
004-wifi.xzm:
- upgraded to wpa_supplicant-2.6-r2
- added wifi firmware needed for Surface Pro 4 laptop
005-thinclient.xzm:
- new feature disable system-tray applet for Remmina, this is needed for auto looping Remmina connections
initrd:
- enabled busybox applet: setsid
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.40
002-chrome.xzm:
- upgraded to pepperflash-26.0.0.137
003-settings.xzm:
- kiosk fix do not override existing user.js when adding Firefox preferences through 'browser_preferences=' parameter
- kiosk fix rotate touch with 2 seconds delay after rotating the screen otherwise some touchscreens won't rotate the touch input properly
- kiosk fix full persistence: do not overwrite hash file for PepperFlash as it may be upgraded in the background by Chrome
- new feature start tunneling service as a daemon so it's not restarted when Xorg session is closed or system runlevel is changed
11-citrix.xzm:
- upgraded to icaclient-13.6.0.10243651
This release fixes a few issues like standalone Receiver application crashing upon start and smartcards not being redirected to Citrix session properly.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.38, intel-microcode-20170707
001-core.xzm:
- security fix elfutils-0.169-r1: multiple vulnerabilities (CVE-2017-7607, CVE-2017-7608, CVE-2017-7609, CVE-2017-7610, CVE-2017-7611, CVE-2017-7612, CVE-2017-7613) #618004
- upgraded to libpng-1.6.29, sqlite-3.19.3, xfsprogs-4.9.0, harfbuzz-1.4.6-r2, libgudev-231, pango-1.40.6, gtk+-3.22.16
005-thinclient.xzm:
- upgraded to vte-0.46.2
05-flash.xzm:
- security fix adobe-flash-26.0.0.137: multiple vulnerabilities (APSB17-21, CVE-2017-3080, CVE-2017-3099, CVE-2017-3100) #624620
initrd:
- display 'Device not ready' message not earlier than 10 seconds after boot
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.35, intel-microcode-20170511
001-core.xzm:
- upgraded to dbus-glib-0.108, liblogging-1.0.6, rsyslog-8.27.0-r1
002-chrome.xzm:
- major Chrome upgrade upgraded to 59.0.3071.115
003-settings.xzm:
- kiosk fix removed 16 characters password limit for the 'session_password=' parameter
- kiosk fix enable capture channels for the microphone during system start
- kiosk fix toggle tabs function should not prevent restarting the browser when 'session_idle_forced=' parameter is used
004-wifi.xzm:
- added more brcm sdio firmware
005-thinclient.xzm:
- security fix libgcrypt-1.7.8: flush+reload side-channel attack on RSA secret keys: "Sliding right into disaster" (CVE-2017-7526) #623006
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.33
001-core.xzm:
- security fix curl-7.54.0: --write-out out of buffer read (CVE-2017-7407) #615870
- security fix expat-2.2.1: External entity infinite loop DoS (CVE-2017-9233) #622046
- security fix glibc-2.23-r4: arbitrary code execution through crafted LD_LIBRARY_PATH values (CVE-2017-1000366) #622220
- security fix ntp-4.2.8_p10: multiple vulnerabilities (CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464) #613550
- security fix tigervnc-1.8.0: multiple vulnerabilities (CVE-2017-7392, CVE-2017-7393, CVE-2017-7394, CVE-2017-7395, CVE-2017-7396) #614742
002-firefox.xzm:
- critical security fix mozilla-firefox-52.2.0. Changelog: link
003-settings.xzm:
- new feature removed shutdown, reboot and sleep options from the bottom panel's 'exit menu' of the Cloud and ThinClient systems. If you need to have them present then please add 'shutdown_menu=yes' parameter to your kiosk config.
004-wifi.xzm:
- upgraded to wpa_supplicant-2.6-r1
005-thinclient.xzm:
- security fix libgcrypt-1.7.7: Possible timing attack on EdDSA session key #621218
05-flash.xzm:
- upgraded to adobe-flash-26.0.0.131
08-ssh.xzm:
- security fix openssh-7.5_p1: Multiple Vulnerabilities (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012) #603100
10-printing.xzm:
- security fix jbig2dec-0.13-r4: multiple integer overflow (CVE-2017-7885, CVE-2017-7975, CVE-2017-7976) #616464
- security fix gnutls-3.5.13: Crash upon receiving well-formed status_request extension #622038
- security fix ghostscript-gpl-9.21: Memory corruption / type confusion (CVE-2017-8291) #616814
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.31
001-core.xzm:
- security fix bzip2-1.0.6-r8: heap use after free in bzip2recover (CVE-2016-3189) #620466
- upgraded to logrotate-3.12.2, libdrm-2.4.80, libevdev-1.5.7, xkbcomp-1.4.0, libxkbcommon, mesa-17.0.6, libepoxy-1.4.2, xorg-server-1.19.3, xf86-video-amdgpu-1.3.0, xf86-video-nouveau-1.0.15, xf86-video-openchrome-0.6.0, xf86-video-intel-2.99.917_p20170313, xf86-video-ati-7.9.0
005-thinclient.xzm:
- security fix icu-58.2-r1: heap overflow (CVE-2017-7867, CVE-2017-7868) #616468
10-printing.xzm:
- security fix perl-5.24.1-r2: chmod() logic in rmtree() and remove_tree() functions can be abused (CVE-2017-6512) #620304
- security fix libtasn1-4.10-r2: asn1_find_node() based stackoverflow (CVE-2017-6891) #619686
- upgraded to cups-filters-1.13.5
Tagged as Porteus Kiosk 4.4.0 release
Wizard 4.4.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented on the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
initrd:
- enabled busybox applet: stat
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.30
001-core.xzm:
- security fix freetype-2.8: multiple overflows (CVE-2016-10328, CVE-2017-7857, CVE-2017-7858, CVE-2017-7864, CVE-2017-8105, CVE-2017-8287) #616730
- upgraded to gtk+-3.22.15, libjpeg-turbo-1.5.1, rsyslog-8.26.0-r1
002-chrome.xzm:
- major Chrome upgrade upgraded to 58.0.3029.110
002-firefox.xzm:
- critical security fix mozilla-firefox-52.1.2. Changelog: link
003-settings.xzm:
- kiosk fix timeout connecting to the server after 60 seconds when trying to download files from it. Kiosk can still boot even if server is not accessible at the moment.
- new feature start screensaver immediately when idle time is set to 0
- new feature added support for storing SSL certificate on the server through the 'import_certificates=server://certificate.crt' parameter
- new feature added proxy auto configuration support for stunnel so clients behind proxy can connect to Porteus Kiosk Server
005-thinclient.xzm:
- upgraded to libssh-0.7.4
07-java.xzm:
- security fix icedtea-bin-3.4.0: Multiple vulnerabilities (CVE-2017-{3509,3511,3512,3514,3526,3533,3539,3544}) #618874
- added crippled 'java-config' utility to keep java plugin quiet in the logs
10-printing.xzm:
- security fix tiff-4.0.8: Multiple Vulnerabilities (CVE-2017-7592, CVE-2017-7593, CVE-2017-7594) #618610
- upgraded to gnutls-3.5.12
- added libunistring-0.9.7
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.27
003-settings.xzm:
- kiosk fix use hp backend for HP printers connected directly to kiosk
- kiosk fix decorate Chrome popup windows by default so it's possible to close them
- kiosk fix ignore lines starting with space/tabs in kiosk config as they break PCID sections
- new feature enable CloudPrinting by default for Cloud/ThinClient variants with Chrome browser
005-thinclient.xzm:
- upgraded to spice-gtk-0.33-r2
05-flash.xzm:
- upgraded to adobe-flash-25.0.0.171
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.25
- kernel config: compiled nvme driver directly into kernel so it's possible to install kiosk on NVME devices, added support for loading Intel/AMD microcode by the kernel
- added microcode firmware needed by some Intel/AMD CPUs
001-core.xzm:
- security fix dbus-1.10.16: two symlink attacks #611392
- security fix feh-2.18.3: Integer overflow in wallpaper.c while receiving an IPC message (CVE-2017-7875) #616470
- security fix nss-3.29.5: Out-of-bounds write in Base64 encoding in NSS (CVE-2017-5461) #616032
- upgraded to apulse-0.1.10, gdk-pixbuf-2.36.6, pango-1.40.5, gtk+-3.22.12
003-settings.xzm:
- kiosk fix regenerate playlist and restart screensaver slideshow when online zip archive was updated
- kiosk fix refresh ripples screensaver every 10 minutes to avoid background picture distortions
- kiosk fix process only connected displays for 'screen_settings=' parameter
- kiosk fix display a warning message and skip installation/reconfiguration/upgrade if generated kiosk ISO is larger than system partition (900 MB)
005-thinclient.xzm:
- upgraded to usbredir-0.7.1_p20170503
001-core.xzm:
- upgraded to harfbuzz-1.4.5
- added apulse-0.1.9
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-52.1.0 changelog: 46.0 47.0 48.0 49.0 50.0 51.0 52.0
05-flash.xzm:
- upgraded to adobe-flash-25.0.0.148
10-printing.xzm:
- upgraded to perl-5.24.1-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.21
001-core.xzm:
- upgraded to atk-2.22.0, ethtool-4.8, gdk-pixbuf-2.36.5, glib-2.50.3-r1, hwids-20170328, libnotify-0.7.7, llvm-3.9.1-r1, nettle-3.3-r1, pango-1.40.4, rsyslog-8.24.0-r2, sqlite-3.17.0
002-chrome.xzm:
- upgraded to google-chrome-57.0.2987.133
003-settings.xzm:
- kiosk fix fixed the case when 'persistence=none' parameter was preventing the booting media from being powered off
005-thinclient.xzm:
- upgraded to at-spi2-core-2.22.1, at-spi2-atk-2.22.0, adwaita-icon-theme-3.22.0, gtk+-3.22.11, vte-0.46.1
- added libpcre2-10.22
10-printing.xzm:
- upgraded to gutenprint-5.2.12, foomatic-db-4.0.20170331
initrd.xz:
- new feature added support for 'kernel_parameters=boot_from_usb' which forces booting the system from removable device even if second kiosk installation is available on the hard drive. This is useful e.g. if you want to test new kiosk version on specific PC using usb stick before updating main system installation on the hard drive.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.17
001-core.xzm:
- security fix wget-1.19.1-r1: CRLF injection in the url_parse function in url.c (CVE-2017-6508) #612326
- security fix freetype-2.7.1-r2: parse_charstrings function in type1/t1load.c does not ensure that a font contains a glyph name #612192
- security fix libpcre-8.40-r1: OOB read / application crash (CVE-2017-6004) #609592
- major Xorg upgrade upgraded xorg-server to version 1.19.2 and bumped whole Xorg stack: libdrm-2.4.75, libevdev-1.5.6, xkeyboard-config-2.20, libICE-1.0.9-r1, libxcb-1.12-r2, libXfont2-2.0.1, libX11-1.6.5, libXi-1.7.9, mesa-13.0.5, xauth-1.0.10, libepoxy-1.4.1, cairo-1.14.8, xorg-server-1.19.2, xf86-video-r128-6.10.2, xf86-video-vmware-13.2.1, xf86-video-trident-1.3.8, xf86-video-amdgpu-1.2.0, xf86-video-openchrome-0.5.0, xf86-video-nouveau-1.0.13, xf86-video-tdfx-1.4.7, xf86-video-sisusb-0.9.7, xf86-video-glint-1.2.9, xf86-video-savage-2.3.9, xf86-input-synaptics-1.9.0, xf86-video-mga-1.6.5, xf86-video-sis-0.10.9, xf86-video-siliconmotion-1.7.9, xf86-video-qxl-0.1.5, xf86-video-chips-1.2.7, xf86-input-evdev-2.10.5, xf86-video-intel-2.99.917_p20170216, xf86-video-ati-7.8.0, libwacom-0.24, xf86-input-wacom-0.34.0
- upgraded to timezone-data-2017a, wmctrl-1.07-r2, xdotool-3.20150503.1-r1, tint2-0.12.12, rsyslog-8.24.0-r1
- added libxkbcommon-0.6.0, xf86-video-virtualbox
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-57.0.2987.110
003-settings.xzm:
- kiosk fix copy client files recursively and bind two ports with one ssh command when initializing a tunnel to the PK Server. This is to avoid unnecessary connections and lower server overhead when multiple clients are starting at the same time.
- kiosk fix force opening Chrome on webpage(s) defined in the "RestoreOnStartupURLs" policy. This is to resolve an issue where Chrome started with a blank page when 'persistence=full' was enabled and kiosk was not shutdown cleanly, e.g. due to a power cut.
- kiosk fix set 'kiosk-printer' globally as default printer through the lpoptions command. Seems that Chrome-55.x and up respect this setting now instead of a local one included in the master preferences file.
- kiosk fix Alt-Home and Alt-KP_Home keyboard shortcuts are allowed when Chrome works with navigation bar disabled
- kiosk fix fixed the case where parameter 'shared_printer=no' was still initializing shared printing
- new feature all plugins for Chrome are enabled by default including "Widevine Content Decryption Module" so it's possible to watch e.g. Netflix movies
- new feature check if at least one video output is active in the VNC startup script, if not then create virtual mode with 1920x1080 size and assign it to a disconnected output. This way VNC service can work properly on kiosks which have no monitor attached.
005-thinclient.xzm:
- recompiled libssh with gcrypt and ssh1 support
- upgraded to libgpg-error-1.27-r1, libgcrypt-1.7.6
05-flash.xzm:
- upgraded to adobe-flash-25.0.0.127
Tagged as Porteus Kiosk 4.3.0 release
Wizard 4.3.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented on the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.14
001-core.xzm:
- security fix shadow-4.4-r2: su: user can send SIGKILL with root privileges to other processes (CVE-2017-2616) #610804
- security fix nss-3.28: multiple vulnerabilities (CVE-2016-{5285,8635,9074}) #604916
- security fix curl-7.53.0: SSL_VERIFYSTATUS ignored (CVE-2017-2629) #610572
- upgraded to sqlite-3.16.2
002-firefox.xzm:
- critical security fix mozilla-firefox-45.8.0. Changelog: link
003-settings.xzm:
- kiosk fix rotate /var/log/x11vnc.log every day so it won't grow in size too much
- kiosk fix skip system reconfiguration/upgrade if ISO is burned on an optical media
- kiosk fix skip system reconfiguration/upgrade if ISO was manually burned on a partition (e.g. /dev/sda1) while it should be burned on a device (e.g. /dev/sda)
- new feature use OpenDNS as secondary DNS server in the installation wizard for static IP configuration
004-wifi.xzm:
- upgraded to wireless-regdb-20170307
10-printing.xzm:
- security fix lcms-2.8-r1: Out-of-bounds read in Type_MLU_Read() (CVE-2016-10165) #591452
- security fix jbig2dec-0.13-r1: Heap-buffer overflow due to Integer overflow in jbig2_image_new function #607188
- upgraded to libtasn1-4.10
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.9.11
001-core.xzm:
- upgraded to libbsd-0.8.3, gtk+-2.24.31-r1
05-flash.xzm:
- upgraded to adobe-flash-24.0.0.221
10-printing.xzm:
- security fix ghostscript-gpl-9.20-r1: Multiple vulnerabilities (CVE-2016-7976, CVE-2016-7977, CVE-2016-7978, CVE-2016-7979, CVE-2016-8602) #596576
- added openjpeg-2.1.1_p20160922
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-4.9.9
001-core.xzm:
- security fix ntfs3g-2016.2.22-r2: incorrect filtering of environment variables leading to privilege escalation (CVE-2017-0358) #607912
003-settings.xzm:
- new feature added warning when there may be not enough RAM available on the PC to perform system installation. Kiosks with 512MB of RAM may fail the installation if there are large components enabled, e.g. java.
004-wifi.xzm:
- upgraded wifi firmware to match new kernel
05-flash.xzm:
- major flashplayer upgrade upgraded to adobe-flash-24.0.0.194
07-java.xzm:
- security fix icedtea-bin-3.3.0: Multiple vulnerabilities (CVE-2016-{2183,5546,5547,5548,5549,5552}, CVE-2017-{3231,3241,3252,3253,3260,3261,3272,3289}) #607676
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.45
001-core.xzm:
- security fix openssl-1.0.2k: Multiple vulnerabilities (CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732) #607318
- security fix lua-5.1.5-r4: overflow flaw in vararg functions (CVE-2014-5461) #520480
- upgraded to kmod-23, util-linux-2.28.2
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-55.0.2883.87
002-firefox.xzm:
- critical security fix mozilla-firefox-45.7.0. Changelog: link
003-settings.xzm:
- kiosk fix removed obsolete Chrome policies: DisableSpdy, DnsPrefetchingEnabled
- new feature activate 'serial' backend for CUPS as some usb printers require it for direct connection
- new feature if kiosk installation fails then debug info will be displayed in the browser in order to help identifying the problem, e.g. I/O errors on target media
005-thinclient.xzm:
- security fix opus-1.1.3-r1: Memory corruption during media file and data processing (CVE-2017-0381) #605894
09-x11vnc.xzm:
- security fix libvncserver-0.9.11: multiple vulnerabilities (CVE-2016-9941, CVE-2016-9942) #605326
10-printing.xzm:
- upgraded to openldap-2.4.44
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.42
001-core.xzm:
- security fix glibc-2.23-r3: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption #576726
- security fix libxml2-2.9.4-r1: NULL pointer deref in XPointer range-to #597116
- security fix libpng-1.6.27: NULL pointer dereference (CVE-2016-10087) #604082
- upgraded to ca-certificates-20161102.3.27.2-r2, acpid-2.0.28, libfastjson-0.99.4, zlib-1.2.11, logrotate-3.11.0, curl-7.52.1-r1, libva-1.7.3, libva-intel-driver
002-firefox.xzm:
- security fix ffmpeg-2.8.10: multiple vulnerabilities #596760
003-settings.xzm:
- kiosk fix configure input devices first and then screen settings so rotated touchscreen devices are calibrated properly
- kiosk fix set hostname before starting rsyslog so proper kiosk hostname is saved in the logs (especially important when logs are transported to Kiosk Server)
- new feature parameter 'client_id=automatic' will automatically assign the client ID to the kiosk - no need for manual configuration. Following range will be used for automatic IDs: 2000 - 4999.
10-printing.xzm:
- security fix gnutls-3.3.26: two memory corruption vulnerabilities (CVE-2017-5334, CVE-2017-5335, CVE-2017-5336, CVE-2017-5337, GNUTLS-SA-2017-1, GNUTLS-SA-2017-2) #605238
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.39
001-core.xzm:
- security fix curl-7.52.1: uninitialized random (CVE-2016-9594) #603574
- upgraded to alsa-lib-1.1.2, alsa-utils-1.1.2, conky-1.10.4, lm_sensors-3.4.0_p20160725, stunnel-5.36
- added mtr-0.87
002-firefox.xzm:
- critical security fix mozilla-firefox-45.6.0. Changelog: link
003-settings.xzm:
- new feature if bookmark name is not defined in the 'managed_bookmarks=' parameter and the page title is not available then default to the raw URL for the bookmark name
004-wifi.xzm:
- upgraded to libnl-3.2.28
005-thinclient.xzm:
- upgraded to opus-1.1.3, freerdp-2.0.0_pre20161219
10-printing.xzm:
- security fix perl-5.22.3_rc4: unsafe module load path (CVE-2016-1238) #589680
- upgraded to libieee1284-0.2.11-r4, libtasn1-4.9-r1, sane-backends-1.0.25-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.38
001-core.xzm:
- security fix ntfs3g-2016.2.22 [-external-fuse]: incorrect filtering of environment variables could cause privilege escalation (CVE-2015-3202) #550970
- upgraded to e2fsprogs-1.43.3-r1, e2fsprogs-libs-1.43.3, feh-2.18, libpcre-8.39, ncurses-6.0-r1, procps-3.3.12
003-settings.xzm:
- kiosk fix fixed the list of foomatic drivers which was generated incorrectly for 4.2.0 release
004-wifi.xzm:
- security fix ppp-2.4.7-r3: buffer overflow in radius plug-in's rc_mksid() (CVE-2015-3310) #546554
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.14_p20161013
10-printing.xzm:
- upgraded to qpdf-5.1.1-r1
Tagged as Porteus Kiosk 4.2.0 release
Wizard 4.2.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented on the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.36
001-core.xzm:
- security fix expat-2.2.0-r1: Undefined behavior and pointer overflows (CVE-2016-4472) #585510
- security fix ntp-4.2.8_p9: Multiple vulnerabilities (CVE-2016-{7426,7427,7429,7428,7431,7434,7433,9310,9311,9312}) #600430
- upgraded to coreutils-8.25, libpng-1.6.25, rsyslog-8.19.0
002-firefox.xzm:
- critical security fix mozilla-firefox-45.5.1. Changelog: link
005-thinclient.xzm:
- security fix icu-58.1: Stack based buffer overflow in locid.cpp (CVE-2016-7415) #594494
07-java.xzm:
- security fix icedtea-bin-3.2.0: Multiple vulnerabilities (CVE-2016-{5542,5554,5568,5573,5582,5597}) #600224
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.14-r1
10-printing.xzm:
- security fix libtasn1-4.8: infinite loop while parsing DER certificates #579748
- security fix openldap-2.4.43: ber_get_next denial of service vulnerability #560424
- security fix python-2.7.12: smtplib StartTLS stripping attack (CVE-2016-0772) #585946
- security fix tiff-4.0.7: Multiple vulnerabilities #599746
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.32
001-core.xzm:
- security fix curl-7.51.0: Multiple vulnerabilities (CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625) #597760
- upgraded to hwids-20161103, libXi-1.7.8, timezone-data-2016h
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-54.0.2840.100
002-firefox.xzm:
- critical security fix mozilla-firefox-45.5.0. Changelog: link
003-settings.xzm:
- kiosk fix disable 'C++' and 'C--' keyboard shortcuts properly when 'disable_zoom_controls=yes' parameter is used
005-thinclient.xzm:
- upgraded to libwebp-0.4.2, remmina-1.2.0_rc16, vte-0.44.3
05-flash.xzm:
- security fix adobe-flash-11.2.202.644: Multiple vulnerabilities (CVE-2016-7857, CVE-2016-7858, CVE-2016-7859, CVE-2016-7860, CVE-2016-7861, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864, CVE-2016-7865) #599204
08-ssh.xzm:
- security fix openssh-7.3_p1-r7: Memory exhaustion due to unregistered KEXINIT handler after receiving message (CVE-2016-8858) #597360
10-printing.xzm:
- upgraded to cups-2.1.4, foomatic-db-4.0.20161101
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.27
001-core.xzm:
- security fix libX11-1.6.4, libXfixes-5.0.3, libXi-1.7.7, libXrandr-1.5.1, libXrender-0.9.10, libXtst-1.2.3, libXv-1.0.11, libXvMC-1.0.10 - Multiple vulnerabilities #596182
- security fix dbus-1.10.12: format string vulnerability #596772
004-wifi.xzm:
- security fix wpa_supplicant-2.6: Multiple vulnerabilities (CVE-2015-5310, CVE-2015-5315, CVE-2015-5316, CVE-2016-4477) #596042
05-flash.xzm:
- security fix adobe-flash-11.2.202.637: Multiple vulnerabilities (APSB16-32, CVE-2016-4273, CVE-2016-4286, CVE-2016-6981, CVE-2016-6982, CVE-2016-6983, CVE-2016-6984, CVE-2016-6985, CVE-2016-6986, CVE-2016-6987, CVE-2016-6989, CVE-2016-6990, CVE-2016-6992) #596896
11-citrix.xzm:
- upgraded to icaclient-13.4.0.10109380-r1
001-core.xzm:
- kiosk fix recompiled xf86-video-intel driver without DRI3 support which causes issues on Intel Alviso (gen3) GPUs
- upgraded to cronbase-0.3.7-r4, gtkdialog-0.8.3-r2, mesa-12.0.3
003-settings.xzm:
- kiosk fix make parameter 'vga_driver=modesetting' working
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.23
001-core.xzm:
- security fix openssl-1.0.2j: Multiple vulnerabilities (CVE-2016-6309, CVE-2016-7052) #595186
- upgraded to acpid-2.0.27, atk-2.20.0, cronbase-0.3.7-r3, cronie-1.5.0-r1, dhcpcd-6.11.3, fuse-2.9.7, gdk-pixbuf-2.34.0, glib-2.48.2, gtk+-2.24.31, harfbuzz-1.3.1, libgudev-230-r1, logrotate-3.10.0, pango-1.40.3, sqlite-3.13.0
005-thinclient.xzm:
- upgraded to at-spi2-atk-2.20.1, at-spi2-core-2.20.2, gtk+-3.20.9, libgpg-error-1.24, libsoup-2.54.1-r1, vte-0.44.2
08-ssh.xzm:
- security fix openssh-7.3_p1-r6: Remote pre-auth crash #595342
10-printing.xzm:
- security fix gnutls-3.3.24-r1: OCSP validation issue (CVE-2016-7444) #594738
- upgraded to gmp-6.1.0, net-snmp-5.7.3-r5
001-core.xzm:
- security fix curl-7.50.3: escape and unescape integer overflows (CVE-2016-7167) #593716
- security fix openssl-1.0.2i: Multiple vulnerabilities (CVE-2016-2180, CVE-2016-2183, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308) #594500
- major Xorg upgrade upgraded xorg-server to version 1.18.4 and bumped whole Xorg stack: libdrm-2.4.70, libXdmcp-1.1.2-r1, pixman-0.34.0, libevdev-1.5.2, libxcb-1.12, libXfixes-5.0.2, libXi-1.7.6, xkbcomp-1.3.1, xkeyboard-config-2.17, xrandr-1.5.0, mesa-12.0.1, mesa-progs-8.3.0, xorg-server-1.18.4, xf86-video-r128-6.10.1, xf86-input-evdev-2.10.3, xf86-video-amdgpu-1.1.0, xf86-input-synaptics-1.8.3, xf86-video-nouveau-1.0.12, xf86-input-aiptek-1.4.1-r1, xf86-video-openchrome-0.4.0, xf86-video-intel-2.99.917_p20160621-r1, xf86-video-ati-7.7.0, xf86-input-wacom-0.33.0
- added libbsd-0.8.2
002-chrome.xzm:
- upgraded to google-chrome-53.0.2785.116
002-firefox.xzm:
- critical security fix mozilla-firefox-45.4.0. changelog: link
05-flash.xzm:
- security fix adobe-flash-11.2.202.635: Multiple vulnerabilities (APSB16-29) #593684
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.20
001-core.xzm:
- security fix curl-7.50.2: Incorrect reuse of client certificates (CVE-2016-7141) #592974
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-53.0.2785.113
003-settings.xzm:
- kiosk fix make sure SSH tunnel connection is established fully before trying to download remote config from Porteus Kiosk Server
06-fonts.xzm:
- upgraded to noto-20160531
10-printing.xzm:
- upgraded to perl-5.22.2
Tagged as Porteus Kiosk 4.1.0 release
Wizard 4.1.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.19
001-core.xzm:
- upgraded to libestr-0.1.10
003-settings.xzm:
- kiosk fix clients behind the proxy can connect to Porteus Kiosk Server properly
- new feature screensaver slideshow will sort the pictures according to their filename
10-printing.xzm:
- upgraded to gutenprint-5.2.11
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.18
001-core.xzm:
- security fix curl-7.50.1: multiple vulnerabilities #590482
- upgraded to dejavu-2.37
003-settings.xzm:
- kiosk fix keep cron logs in a separate file so they won't be flooding main system log
- kiosk fix disabled geolocation and OCSP services for Firefox as they cause trouble for kiosks which use proxies with authentication (long wait for a timeout when connecting to Mozilla services)
- new feature report kernel version to the Server
07-java.xzm:
- security fix icedtea{,-bin}-{7.2.6.7,3.1.0}: Multiple vulnerabilities (CVE-2016-{3458,3485,3500,3508,3550,3587,3598,3606,3610}) #590590
10-printing.xzm:
- security fix nettle-3.2-r1: RSA code is vulnerable to cache-timing related attacks #590484
initrd:
- enabled busybox applet: mktemp
- do not start splash if 'debug' kernel parameter is used
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.16
001-core.xzm:
- added c_rehash-1.7-r1, hicolor-icon-theme-0.15
- upgraded to hwids-20160801, timezone-data-2016e
002-chrome.xzm:
- upgraded to google-chrome-52.0.2743.116
002-firefox.xzm:
- critical security fix mozilla-firefox-45.3.0. changelog: link
003-settings.xzm:
- kiosk fix escape '?' character for Firefox's whitelist/blacklist functions so URLs containing this character are handled correctly
- kiosk fix make sure that ssh tunnel was established properly before forwarding client's data to the Server. This is to avoid 'password not found' error which could appear when establishing VNC connection from Administration Panel to the client.
10-printing.xzm:
- added sane-backends-1.0.24-r6, net-snmp-5.7.3-r3
- recompiled hplip with scanner and fax support
- upgraded to poppler-0.45.0
11-citrix.xzm:
- new feature linked /opt/Citrix/ICAClient/keystore/cacerts directory to /etc/ssl/certs so system certificates could be used
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.15
001-core.xzm:
- upgraded to llvm-3.7.1-r3
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-52.0.2743.82
003-settings.xzm:
- kiosk security fix do not mount removable device and start the browser if session is locked by the "session password" window
- kiosk security fix blocked Shift+Enter key combination by default as it was opening a new Firefox window when user clicked on download link and then pressed Shift+Enter
- kiosk fix browser idle: prevent very first browser restart if no user activity was detected
- kiosk fix update DNS properly when dialup connection is used
- kiosk fix block 'Ctrl+p' key combination if printing component is not enabled
- kiosk fix stunnel: reduced logging level from "warning" to "critical" to get rid of warning entries flooding the log when remote server is down
- new feature enable bootsplash by default for post installation ISO
- new feature default search engine is set to Google, you may change it to DuckDuckGo with 'search_engine=duckduckgo' parameter
- new feature shutdown menu: restart session is back, all services are aware that Xorg session can be restarted
- new feature browser idle: notify the user that user activity was detected and session won't be restarted
05-flash.xzm:
- security fix adobe-flash-11.2.202.632 - Multiple vulnerabilities (CVE-2016-{4217,4218,4219,4220,4221,4222,4223,4224,4225,4226,4227,4228,4229,4230,4231,4232,4233,4234,...,4249}) #588738
initrd:
- enabled busybox applet: eject
001-core.xzm:
- security fix expat-2.1.1-r2: Using XML_Parse before rand() results in non-random output (CVE-2016-5300) #577928
- security fix libpcre-8.38-r1: stack buffer overflow for (*ACCEPT) with deeply nested parentheses #575546
- security fix openssl-1.0.2h-r2: Non-constant time codepath followed for certain operations in DSA implementation (CVE-2016-2178) #585276
- security fix wget-1.18: Lack of filename checking allows arbitrary file upload via FTP redirect (CVE-2016-4971) #585926
- security fix libjpeg-turbo-1.5.0: Out-of-Bounds Read via unusually long Blocks in MCU #585782
- added: json-c-0.12, libestr-0.1.9, liblogging-1.0.5, rsyslog-8.16.0-r1, startup-notification-0.12-r1
- upgraded to stunnel-5.34-r1
003-settings.xzm:
- new feature rsyslog replaces metalog as default logging daemon - it's more configurable and supports remote logging
- new feature if association with Kiosk Server is enabled then bind remote rsyslog port locally (over SSL tunnel). System logs in severity warning and above will be logged on the Server side - useful for proactive support.
- new feature if hostname is not specified and if Kiosk Server association is enabled then use client_id as hostname
- new feature automatically eject optical disc after successful installation
004-wifi.xzm:
- upgraded to wireless-regdb-20160610
10-printing.xzm:
- security fix gnutls-3.3.24: Certificate verification issue when used with the p11-kit trust module (GNUTLS-SA-2016-2) #588306
- recompiled poppler with cairo support
- upgraded to cups-2.1.3-r1
initrd:
- mention Win32DiskImager explicitly in the booting failure message
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.14
001-core.xzm:
- upgraded to gtk+-2.24.30, harfbuzz-1.2.7, libxml2-2.9.4, timezone-data-2016d
002-chrome.xzm:
- upgraded to google-chrome-51.0.2704.106
003-settings.xzm:
- kiosk fix fixed character conversion issue for Citrix Receiver
- kiosk fix make sure that authorized_keys file was copied correctly from Porteus Kiosk Server
- kiosk fix add '--disable-pinch' to Chrome flags if 'disable_zoom=yes' parameter is used
- kiosk fix make signons work again for Chrome
- kiosk fix removed 'restart session' option from shutdown menu as it's causing trouble in certain situations. Please use 'reboot' option instead.
- new feature kiosk config can be hosted on FTP servers
- new feature list touch devices in debug report
05-flash.xzm:
- security fix adobe-flash-11.2.202.626 - Critical vulnerability (CVE-2016-{4120,4171}) #586044
initrd:
- added quirk for nVidia GPUs
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.13
001-core.xzm:
- security fix expat-2.1.1-r1: Expat XML Parser Crashes on Malformed Input (CVE-2016-0718) #583268
- security fix ntp-4.2.8_p8: Multiple vulnerabilities (CVE-2016-{4953,4954,4955,4956,4957}) #584954
- security fix ntfs3g-2015.3.14 [-external-fuse]: incorrect filtering of environment variables could cause privilege escalation (CVE-2015-3202) #550970
- upgraded to cairo-1.14.6, dosfstools-4.0-r1, elfutils-0.166, nss-3.23, sysvinit-2.88-r9, xfsprogs-4.5.0
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-51.0.2704.84
002-firefox.xzm:
- critical security fix mozilla-firefox-45.2.0. changelog: link
003-settings.xzm:
- kiosk security fix if ssh service is enabled then allow login to Porteus Kiosk Server as kiosk user only from localhost interface (force using SSL tunnel)
- kiosk fix when multiple homepages are defined and 'homepage_check=' parameter is enabled then query only first homepage to prevent "homepage is not available" message
- kiosk fix fixed 'scheduled_actions=' parameter not working correctly when the hour or minute started with '0' (e.g. 09:04)
Tagged as Porteus Kiosk 4.0.0 release
Wizard 4.0.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
initrd:
- use 'uvesafb' driver to display splash screen during boot when native framebuffer driver is not available
- when booting fails show info on how to burn the kiosk ISO correctly on USB sticks
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.11
001-core.xzm:
- security fix curl-7.49.0: TLS certificate check bypass with mbedTLS/PolarSSL (CVE-2016-3739) #583394
- upgraded to bzip2-1.0.6-r7, freetype-2.6.3-r1, hwids-20160421, libpng-1.6.21, procps-3.3.11-r3, pciutils-3.4.1, wget-1.17.1-r1
003-settings.xzm:
- kiosk security fix disabled access to four chrome:// facilities which slipped through our blacklist filter. Vulnerability reported by Blaze Information Security - thank you!
- kiosk fix enabled logging for x11vnc daemon
06-fonts.xzm:
- added libertine-5.3.0.20120702-r2, noto-20160305-r1 packages
- upgraded to dejavu-2.35, liberation-fonts-2.00.1-r2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.10
001-core.xzm:
- security fix imlib2-1.4.9: integer overflow resulting in insufficient heap allocation #580038
- upgraded to glib-2.46.2-r3, kmod-22, timezone-data-2016c
- added dosfstools-4.0, mesa-progs-8.2.0
002-chrome.xzm:
- upgraded to google-chrome-50.0.2661.102
003-settings.xzm:
- kiosk fix fixed installation on SD cards which broke after switching to the GRUB bootloader
- kiosk fix disabled 'horizontal overscroll' in Chrome as this feature may cause privacy concerns
- new feature added OpenGL info to debug report
004-wifi.xzm:
- upgraded to crda-3.18-r1
05-flash.xzm:
- security fix adobe-flash-11.2.202.621 - many vulnerabilities (CVE-2016-{1096,1097,1098,1099,1100,1101,1102,1103,1104,1105,1106,1107,1108,1109,1110,...,4117}) #582670
07-java.xzm:
- major Java upgrade upgraded to icedtea-bin-3.0.1 (java-1.8.x)
- upgraded to icedtea-web-1.6.1-r1
10-printing.xzm:
- security fix poppler-0.42.0: heap buffer overflow #579752
- recompiled tiff with jpeg support
- upgraded to foomatic-db-4.0.20160504
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.9
001-core.xzm:
- security fix openssl-1.0.2h: Multiple vulnerabilities (CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176) #581234
002-firefox.xzm:
- security fix mozilla-firefox-45.1.1
004-wifi.xzm:
- upgraded to wireless-regdb-20160502
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.8
001-core.xzm:
- security fix ntp-4.2.8_p7: multiple vulnerabilities #581528
002-firefox.xzm:
- critical security fix mozilla-firefox-45.1.0. changelog: link
002-chrome.xzm:
- upgraded to google-chrome-50.0.2661.94
003-settings.xzm:
- kiosk fix 'persistence=session' parameter should not depend on 'disable_private_mode=yes'
- kiosk fix allow for filepicker in Chrome when support for removable media is enabled
- new feature display /media location in the filepicker left side panel so it's easier to find where removable media were mounted
- new feature enable shared VNC access by default
07-java.xzm:
- security fix icedtea-bin-7.2.6.6: Multiple vulnerabilities (CVE-2016-{0686,0687,0695,3425,3427}) #581028
initrd and initrdpxe.xz:
- upgraded to busybox-1.24.2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.7
- kernel config: enabled x86_64 architecture by default - we are dropping support for 32bit CPUs. Enabled drivers for hardware monitoring, PVSCSI SCSI Controller and added support for POSIX Message Queues
001-core.xzm:
- security fix glibc-2.22-r4: nss_dns: Stack overflow in getnetbyname implementation (CVE-2016-3075) #578602
- security fix sqlite-3.12.0: Buffer overread, buffer overflow, integer overflow #578940
- new feature upgraded userland (all kiosk modules) to 64bit architecture. We are dropping support for 32bit CPUs.
- upgraded to gdk-pixbuf-2.32.3, libwacom-0.18, openbox-3.6.1, timezone-data-2016a, stunnel-5.30
- added lm_sensors-3.3.5, tslib-1.0-r3, xev-1.2.2, xf86-input-tslib-0.0.6-r3
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-50.0.2661.75
003-settings.xzm:
- kiosk fix when in debug mode unset homepage_append parameter so debug report can be displayed in the browser correctly
- kiosk fix keep screensaver window on top when browser works with navigation bar disabled and is restarted by 'browser_idle=' parameter
05-flash.xzm:
- security fix adobe-flash-11.2.202.616: Arbitrary code execution vulnerability (APSA16-01, CVE-2016-1019) #579166
07-java.xzm:
- security fix icedtea-bin-7.2.6.5: unspecified vulnerability (CVE-2016-0636) #578300
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.6-porteus
001-core.xzm:
- security fix openssl-1.0.2g-r2: Multiple vulnerabilities (CVE-2016-{0702,0703,0704,0705,0797,0798,0799,0800}) #575548
- security fix ntp-4.2.8_p6: multiple vulnerabilities (CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158) #572452
- security fix sqlite-3.11.1: arbitrary code execution on databases with malformed schema, buffer overreads (CVE-2015-7036) #574420
- security fix nss-3.22.2: multiple vulnerabilities (CVE-2016-{1950..1979}, CVE-2016-{2790..2802}) #576862
- security fix imlib2-1.4.7: multiple vulnerabilities (CVE-2014-9762) #572884
- added following packages: conky-1.9.0-r3, cronbase-0.3.7-r1, cronie-1.5.0, e2fsprogs-1.42.13, e2fsprogs-libs-1.42.13, fuse-2.9.4, gsimplecal-1.6, libpcre-8.38, logrotate-3.9.2, mc-4.8.14, metalog-3-r1, ncurses-5.9-r5, popt-1.16-r2, rsync-3.1.2, tint2-0.12.3, volumeicon-0.4.6, xcb-util-0.4.0, xf86-video-fbdev-0.4.4, xfsprogs-3.2.4
- upgraded to gtk+-2.24.29
002-firefox.xzm:
- security fix ffmpeg-2.8.6: Multiple vulnerabilities (CVE-2016-{2213,2328,2329,2330}) #577458
003-settings.xzm:
- kiosk fix wizard: remote management 'test config' button downloads the config using wget and displays in gtkdialog window rather than the browser.
05-flash.xzm:
- security fix adobe-flash-11.2.202.577: Multiple vulnerabilities (APSB16-08, CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0963, CVE-2016-0986, CVE-2016-0987, CVE-2016-0988, CVE-2016-0989, CVE-2016-0990, CVE-2016-0991, CVE-2016-0992, CVE-2016-0993, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, CVE-2016-1000, CVE-2016-1001, CVE-2016-1002, CVE-2016-1005, CVE-2016-1010) #576980
08-ssh.xzm:
- security fix openssh-7.2_p2: Multiple vulnerabilities (CVE-2016-1908, CVE-2016-3115) #576954
10-printing.xzm:
- security fix tiff-4.0.6: Buffer overflow (CVE-2013-4243) #484542
initrd:
- removed Broadcom BCM57780 quirk
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.5
001-core.xzm:
- upgraded to atk-2.18.0, glib-2.46.2-r2, gtk+-2.24.28-r1, harfbuzz-1.1.3, libnotify-0.7.6-r3, libxml2-2.9.3, pango-1.38.1
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-45.0 changelog: 39.0 40.0 41.0 42.0 43.0 44.0 45.0
003-settings.xzm:
- new feature welcome wizard: display link quality info after AP name in the scanning result
004-wifi.xzm:
- added missing mt7601u.bin firmware
Tagged as Porteus Kiosk 3.7.0 release
Wizard 3.7.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.3-porteus.
003-settings.xzm:
- kiosk fix blacklist drm kernel modules when 'gpu_driver=vesa' parameter is used
initrd:
- do not load uvesafb as it broke with 4.4 kernel
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.4.2-porteus. Moving early to kernel 4.4.x LTS as we need proper support for Intel Skylake processors.
- kernel config: added support for Microsoft Hyper-V virtualization platform
001-core.xzm:
- security fix glibc-2.21-r2: stack overflow in getaddrinfo (CVE-2015-7547) #574880
- security fix dhcpcd-6.10.0: two vulnerabilities (CVE-2016-{1503,1504}) #571152
- upgraded to libva-1.6.2, libva-intel-driver-1.6.2
003-settings.xzm:
- kiosk fix fixed kiosk client -> Porteus Kiosk Server communication when ssh services are working on non default ssh port
- kiosk fix generate system report only once when debug mode is enabled
004-wifi.xzm:
- upgraded to ca-certificates-20151214.3.21, wpa_supplicant-2.5-r1
06-fonts.xzm:
- added liberation-fonts-2.00.1-r1 package
initrd:
- do not count modules when copying to RAM as we want quieter booting
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.17
- kernel config: switched to UVESA which is a modern replacement for VESA
001-core.xzm:
- security fix nss-3.21-r2: Weak RSA-MD5 signature allows attack on client certificate authentication (part of SLOTH attack), miscalculations in bignum lib (CVE-2015-7575, CVE-2016-1938) #571086
- added 'synclient' utility so it's possible to configure touchpads
- added following packages: v86d-0.1.10, fbv-1.0b
- upgraded to libusb-1.0.19-r1, timezone-data-2015g
002-firefox.xzm:
- critical security fix mozilla-firefox-38.6.1. changelog: link
003-settings.xzm:
- kiosk fix managed bookmarks: if bookmark title is not discovered automatically then use URL as a title instead of the generic 'Bookmark' name
- kiosk fix eliminated fault conditions when underscore sign was used in kiosk parameters
- new feature 'import_certificates=' parameter: added support for downloading and injecting standalone certificate to browser cert8.db/cert9.db. Sample: import_certificates=http://domain.com/files/certificate-1.crt http://domain.com/files/certificate-2.crt
004-wifi.xzm:
- upgraded to wireless-regdb-20160208
05-flash.xzm:
- security fix adobe-flash-11.2.202.569: Multiple vulnerabilities (APSB16-04, CVE-2016-0964, CVE-2016-0965, CVE-2016-0966, CVE-2016-0967, CVE-2016-0968, CVE-2016-0969, CVE-2016-0970, CVE-2016-0971, CVE-2016-0972, CVE-2016-0973, CVE-2016-0974, CVE-2016-0975, CVE-2016-0976, CVE-2016-0977, CVE-2016-0978, CVE-2016-0979, CVE-2016-0980, CVE-2016-0981, CVE-2016-0982, CVE-2016-0983, CVE-2016-0984, CVE-2016-0985) #574284
10-printing.xzm:
- security fix nettle-3.2: Miscalculations of elliptic curve multiplications (CVE-2015-8803,CVE-2015-8804,CVE-2015-8805) #573646
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.16
001-core.xzm:
- security fix openssl-1.0.2f: Multiple vulnerabilities (CVE-2015-3197,CVE-2016-0701) #572854
002-firefox.xzm:
- critical security fix mozilla-firefox-38.6.0. changelog: link
- security fix ffmpeg-2.8.5: stealing local files with HLS+concat (CVE-2016-{1897,1898}) #571868
003-settings.xzm:
- kiosk fix kill hhpc process properly when exiting screensaver slideshow/video
- kiosk fix fixed touchscreen calibration/rotating for touch controllers which report two input devices (e.g. PQLabs EN320006897)
- new feature disabled system notification messages in order to achieve quiet boot and shutdown. Messages appear only when there is an issue or when kiosk reconfigures/upgrades itself.
004-wifi.xzm:
- upgraded to usb_modeswitch-2.2.6
07-java.xzm:
- security fix icedtea-bin-7.2.6.4: Multiple vulnerabilities (CVE-2015-{7575,8126,8472}, CVE-2016-{0402,0448,0466,0483,0494}) #572716
10-printing.xzm:
- security fix cups-filters-1.5.0: foomatic-rip - consider the back tick as an illegal shell escape character (CVE-2015-{8327,8560}) #567286
initrd:
- enabled busybox applets: gzip, gunzip, tty, zcat
vmlinuz and 000-kernel.xzm:
- kernel config: enabled support for CIFS protocol (Windows network shares) and VESA framebuffer
002-chrome.xzm:
- upgraded to google-chrome-47.0.2526.111_p1
003-settings.xzm:
- kiosk fix remote config: allow for [[GLOBAL]] and [[PCID]] strings with no space between the bracket and data
- kiosk fix 'browser_preferences=' parameter should append to user.js rather than overwrite it
- kiosk fix fixed time calculation in the screensaver script - it can run now continuously for 11 500 days
- kiosk fix remove whitespaces at the end of the parameters in the kiosk config prior to parsing. This bug was breaking for example 'printer_connection=' parameter.
- kiosk fix wizard: save manual edits to kiosk config when user clicks on the 'save config' button
- new feature wizard: added 'Back' button so you can restart it if you want to redo kiosk configuration
- new feature wizard: added video tutorial button presenting how to save and load kiosk config/ISO from removable device
- new feature added 'Raw Queue' printer driver for models which use their own drivers
- new feature use 1MB for the block size when burning the ISO during installation/reconfiguration/upgrade making this operation significantly faster
08-ssh.xzm:
- security fix openssh-7.1_p2: Multiple vulnerabilities related to roaming (CVE-2016-{0777,0778}) #571892
uefi.zip:
- upgraded to Grub 2.02 beta2 and patched its sources for quiet boot
initrd and initrdpxe.xz:
- went back to wget applet from busybox and added SSL helper, as statically linked wget for some reason does not perform hostname resolution correctly
vmlinuz and 000-kernel.xzm:
- kernel config: enabled i586 architecture by default. We are dropping support for i486 CPUs.
001-core.xzm:
- security fix libjpeg-turbo-1.4.2: buffer overflow #531418
- new feature recompiled userland with 'march=i586' compiler flag which seems to be a minimum requirement for latest Mesa ('march=i486' causes system hangs on Intel GPUs). We are dropping support for i486 CPUs.
- upgraded to mesa-11.0.6
002-chrome.xzm:
- upgraded to google-chrome-47.0.2526.106_p1
003-settings.xzm:
- kiosk fix run wget with '-U Mozilla' flag when doing the homepage check as some http servers reject connection when user agent is not set for the client
- kiosk fix Chrome: disable 'pinch to zoom' touch gesture when navigation bar is disabled
- kiosk fix handle displays with dash in name (e.g. VGA-0) properly when 'screen_settings=' parameter is provided and screen positioning function is used
- kiosk fix recompiled openbox without xinerama support so applications get maximized across all available screens in multi seat setup (e.g. video wall)
- new feature added md5sum check of main system components after burning the ISO on the storage media. If md5sum does not match then burning is repeated up to 3 times.
004-wifi.xzm:
- upgraded to libnl-3.2.27
05-flash.xzm:
- security fix adobe-flash-11.2.202.559: Multiple vulnerabilities (CVE-2015-{8459,8460,8634,8635,8636,8638,8639,8640,8641,8642,8643,8644,8645,8646,8647,8648,8649,8650,8651}) #570040
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.14
- added libvncserver-0.9.10-r3
10-printing.xzm:
- security fix libpcre-8.38: Heap Overflow Vulnerability in find_fixedlength() (CVE-2015-5073) #553300
initrd and initrdpxe.xz:
- replaced busybox 'wget' applet with full wget application to allow downloading files from SSL protected sites
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.15
- kernel config: enabled IP Multicast feature which is needed for receiving RTP/UDP video streams, compiled MPT drivers into kernel so it's possible to install kiosk on SCSI/SAS hard drives in VMware and VirtualBox
- configured ath10k driver to never search for a file containing wifi parameters, otherwise network can't be initialized until this file is provided (it's specific to each unit so there is no chance to make everyone happy)
001-core.xzm:
- security fix openssl-1.0.2e: Multiple vulnerabilities (CVE-2015-{1794,3193,3194,3195,3196}) #567476
- major Xorg upgrade upgraded xorg-server to version 1.17.4 and bumped whole Xorg stack: libX11-1.6.3, libXdmcp-1.1.2, libXi-1.7.5, libXrandr-1.5.0, libXrender-0.9.9, libXt-1.1.5, libdrm-2.4.65, libepoxy-1.3.1, libevdev-1.4.4, libfontenc-1.1.3, libpciaccess-0.13.4, libxcb-1.11.1, libxkbfile-1.0.9, setxkbmap-1.3.1, sqlite-3.9.2, udev-225, xf86-input-evdev-2.9.2, xf86-input-synaptics-1.8.2, xf86-input-wacom-0.31.0, xf86-video-ast-1.1.5, xf86-video-intel-2.99.917-r2, xf86-video-mga-1.6.4, xf86-video-qxl-0.1.4, xf86-video-r128-6.10.0, xf86-video-vesa-2.3.4, xinit-1.3.4-r1, xinput-1.6.2, xkeyboard-config-2.16, xmodmap-1.0.9, xorg-server-1.17.4
- added attr-2.4.47-r2, libcap-2.24-r2, wmctrl-1.07-r1, xf86-video-amdgpu-0.0.01_pre20150814
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-47.0.2526.80_p1
002-firefox.xzm:
- critical security fix mozilla-firefox-38.5.0. changelog: link
003-settings.xzm:
- kiosk fix inject 'file:///tmp' to the whitelist automatically if 'screensaver_video=' parameter is used
- kiosk fix start screensaver video with 'always on top' attribute so it's not covered by restarted browser when 'browser_idle=' function is active
- kiosk fix Firefox: disabled 'restore previous session' feature which shows up when persistence is enabled and browser crashes or is restarted by the 'browser_idle=' parameter
004-wifi.xzm:
- added qualcomm ath10k firmware
05-flash.xzm:
- security fix adobe-flash-11.2.202.554: Multiple vulnerabilities #567838
- upgraded to curl-7.45.0
05-flash_legacy.xzm:
- upgraded to curl-7.45.0
07-java.xzm:
- security fix icedtea-bin-7.2.6.3: Vulnerability (CVE-2015-4871) #567850
Tagged as Porteus Kiosk 3.6.0 release
Wizard 3.6.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented in the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- kernel config: added support for VMware virtual machines
001-core.xzm:
- security fix libpng-1.6.19: Buffer overflow vulnerabilities in png_get_PLTE/png_set_PLTE functions #565678
- added elfutils-0.163, libepoxy-1.2, libva-1.6.1, libva-intel-driver-1.6.1, libvdpau-1.1.1, llvm-3.5.0, mesa-10.3.7-r1, xf86-video-vmware
002-firefox.xzm:
- added ffmpeg-2.6.3
003-settings.xzm:
- kiosk fix run the screensaver slideshow with 'always on top' attribute so it's never covered by other windows (e.g. browser could be automatically restarted through the browser_idle* parameter and cover the slideshow)
- new feature Firefox preferences: enabled support for h264 playback in the html5 video tag
- new feature added /etc/rc.d/local_shutdown.d for local commands which should be executed during system reboot/shutdown: killing processes gracefully, stopping LAMP services, unmounting remote share or persistent storage
- new feature compare kernel and kernel modules version and stop booting when they do not match as networking would not be initialized anyway
07-java.xzm:
- security fix icedtea-bin-7.2.6.2: Multiple vulnerabilities (CVE-2015-{4734,4803,4805,4806,4835,4840,4842,4843,4844,4860,4872,4881,4882,4883,4893,4903,4911}) #565842
10-printing.xzm:
- upgraded to hplip-3.15.11
11-citrix.xzm:
- upgraded to icaclient-13.2.1.328635
initrd:
- display OS version during PXE boot
- create /dev/shm by default
- upgraded to busybox-1.24.1
- enabled busybox applets: reset, time, arping, uptime, pgrep
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.13
001-core.xzm:
- security fix libxml2-2.9.2-r4: Out-of-bounds memory access when parsing unclosed HTML comment #560524
- security fix nspr-4.10.10: use-after-poison, buffer overflow, integer overflow (CVE-2015-{7181,7182,7183}) #564834
- security fix nss-3.20.1: use-after-poison, buffer overflow, integer overflow (CVE-2015-{7181,7182,7183}) #564834
- upgraded to glib-2.44.1-r1, kmod-4.21, pango-1.36.8-r1, procps-3.3.10-r1, stunnel-5.24, xf86-video-rendition-4.2.6
002-chrome.xzm:
- upgraded to google-chrome-46.0.2490.86_p1
002-firefox.xzm:
- critical security fix mozilla-firefox-38.4.0. changelog: link
003-settings.xzm:
- kiosk fix improved compatibility of old wifi drivers and WPA2 Enterprise encryption scheme
08-ssh.xzm:
- security fix openssh-7.1_p1-r2: MaxAuthTries bypass attack Vulnerability (CVE-2015-5600) #555518
05-flash.xzm:
- security fix adobe-flash-11.2.202.548: multiple vulnerabilities #565318
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.12
- kernel config: added NFS client support
001-core.xzm:
- upgraded to glibc-2.21-r1
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-46.0.2490.80_p1
003-settings.xzm:
- kiosk fix blocked Shift+F8 key combination by default
- kiosk fix start "scheduled tasks" with 40 sec delay to avoid situation when system is restarted twice within the same minute (kiosk reboots very fast)
- kiosk fix use default network interface instead of first one listed in /sys/class/net when determining MAC address for the 'homepage_append=mac' function
- new feature display warning when battery reaches 10% and repeat every 60 secs until AC is connected
- new feature added /etc/rc.d/local_net.d for local scripts which should be run once networking is initialized
004-wifi.xzm:
- upgraded to wireless-regdb-20151022
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.10
001-core.xzm:
- security fix gdk-pixbuf-2.32.1: Heap overflow when scaling a GIF file (CVE-2015-7674) #562878
- added stunnel-5.20, sshpass-1.05, xf86-video-virtualbox
- upgraded to gtkdialog-0.8.3-r1, html-xml-utils-6.9, libpng-1.6.18, timezone-data-2015f
003-settings.xzm:
- kiosk fix fixed Google Chrome not starting during PXE boot
05-flash.xzm:
- security fix adobe-flash-11.2.202.540: Multiple vulnerabilities (APSB15-27) (CVE-2015-{7645,7646,7647,7648}) #563172
10-printing.xzm:
- upgraded to gmp-6.0.0a
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.8
001-core.xzm:
- upgraded to pixman-0.32.8, util-linux-2.26.2, xf86-video-s3virge-1.10.7, xf86-video-chips-1.2.6
002-chrome.xzm:
- upgraded to google-chrome-45.0.2454.101_p1
002-firefox.xzm:
- critical security fix mozilla-firefox-38.3.0. changelog: link
003-settings.xzm:
- kiosk fix fixed the 'homepage check' function preventing the browser from starting in some rare cases
- new feature wizard/updates: restart network service after 5 failed download attempts of the additional components
004-wifi.xzm:
- upgraded to libnl-3.2.26, wireless-regdb-20150925
- added iwlwifi-7265D-13.ucode firmware
05-flash.xzm:
- security fix flashplayer-plugin-11.2.202.521
10-printing.xzm:
- upgraded to gnutls-3.3.17.1, nettle-3.1.1, python-2.7.10
003-settings.xzm:
- kiosk fix removed user agent parameter from wget flags ('-U Mozilla') as it breaks dropbox.com compatibility with remote management
- upgraded to wget-1.16.3-r1
004-wifi.xzm:
- added rtl8812aefw.bin and rtl8812aefw_wowlan.bin firmware
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.7
001-core.xzm:
- security fix openssl-1.0.2d: Alternate chains certificate forgery (CVE-2015-1793) #554172
- security fix gdk-pixbuf-2.30.8-r2: heap overflow and DoS #556314
- added xf86-video-sis-0.10.8 package
- upgraded to atk-2.16.0-r1, dhcpcd-6.9.3, harfbuzz-0.9.41, glib-2.44.1
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-45.0.2454.93_p1
003-settings.xzm:
- kiosk fix 'localhost' is resolved to '127.0.0.1' address properly
- kiosk fix added 'localhost,127.0.0.1' to proxy exceptions by default to resolve printing problems when proxy is used
- new feature added support for remote management when kiosk is booted over network (PXE boot)
- new feature wizard: added possibility to test printing before burning the ISO
- new feature wizard: added new window which appears after setting up the network with 4 buttons: a) launch wizard (first run - no previous kiosk config exist), b) point device to existing remote kiosk configuration, c) load config from the network, d) load config from removable device
- new feature wizard: added support for nested configurations when loading the config from the network/removable device
07-java.xzm:
- upgraded to icedtea-bin-7.2.6.1
Tagged as Porteus Kiosk 3.5.0 release
Wizard 3.5.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented at the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- kernel config: added support for userspace parallel port printer drivers (required by hplip)
001-core.xzm:
- upgraded to dhcpcd-6.9.2 to resolve PXE boot issues
003-settings.xzm:
- kiosk fix if removable media are enabled then whitelist file:///media automatically
- kiosk fix fixed custom sound level feature which got broken in 3.4.0 release
- kiosk fix remove all non printable characters before parsing remote configs
- new feature implemented support for nested configurations in remote management
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.1.6
001-core.xzm:
- upgraded to nss-3.20
002-chrome.xzm:
- major Chrome upgrade upgraded to google-chrome-44.0.2403.157_p1
002-firefox.xzm:
- critical security fix mozilla-firefox-38.2.1. changelog: link
003-settings.xzm:
- kiosk fix generate all required ssh keys automatically with 'ssh-keygen -A' command
- new feature when private mode is disabled and Google Chrome is used then following functions will be enabled by default: form autofilling, editing bookmarks (bookmark bar is always enabled), Chrome applications, spellcheck, sync, translate, signing into the profile
- new feature added foomatic printing database with support for over 4k of new drivers
- new feature remote config is downloaded with PC ID string appended to the kiosk config URL. This way you can find out in the server logs which kiosk downloaded it.
10-printing.xzm:
- added support for Bixolon thermal printers
- added foomatic-db-4.0.20150819, foomatic-db-engine-4.0.12, perl-5.20.2 packages
- upgraded to hplip-3.15.7
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-4.1.5
- kernel config: added Virtio support
001-core.xzm:
- security fix gdk-pixbuf-2.30.8-r1: heap overflow and DoS #556314
- added feh-2.9.3, giblib-1.2.4, html-xml-utils-6.8, xinput_calibrator-0.7.5 packages
- upgraded to pciutils-3.3.1, timezone-data-2015e
003-settings.xzm:
- new feature in case of touchscreens rotate the touch input automatically to the position of the screen
- new feature activate touch gestures in Chrome if touch capable device is found
05-flash.xzm:
- security fix flashplayer-plugin-11.2.202.508
10-printing.xzm:
- security fix cups-2.0.3: multiple vulnerabilities (CVE-2015-{1158,1159}) #551846
- added pygobject-2.28.6-r55 package
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.0.9
001-core.xzm:
- security fix expat-2.1.0-r5: Heap-buffer-overflow (CVE-2015-1283) #555642
- upgraded to dunst-1.1.0
003-settings.xzm:
- kiosk security fix blocked access to Firefox preferences through 'about:preferences#preferences' URL
- kiosk fix remote management: if kiosk is signed to the 'automatic updates' service then download components directly from such channel to avoid double reburn.
- kiosk fix fixed download progress bar not showing on slow networks (20 KB/s and below)
- kiosk fix do not download uefi.zip during installation if booting from UEFI ISO
- kiosk fix apply proxy/proxypac settings straight during installation so it's possible to use browsers as normal
- new feature wizard: added 'setup keyboard layout' button on the very first screen. Handy in case you are using a different layout than English (US)
- new feature wizard: added 'time setup' utility on the wifi configuration screen as wifi may fail to connect if system clock is set incorrectly
- new feature wizard: display wireless MAC address on the wifi configuration screen (some wireless networks are filtered per MAC and this info is needed to allow the kiosk to connect)
- new feature wizard: added possibility for testing default sound card and custom sound level
- new feature wizard: show the list of printer manufacturers on first screen and then display relevant printer models (list is shorter so it's easier to find desired model)
- new feature wizard: save in real time to the kiosk config when doing manual edits (*Save Edits* button is no longer needed)
08-ssh.xzm:
- security fix openssh-6.9_p1-r2: two security issues (CVE-2015-5352) #553724
10-printing.xzm:
- security fix cups-filters-1.0.71: Incorrect fix for heap-based buffer overflow (CVE-2015-3279) #553836
- added support for Zebra and Star thermal printers
- added pnm2ppa-1.13-r1 (support for HP Deskjet 710, 712, 720, 722, 820, 1000 series)
001-core.xzm:
- critical security fix nss-3.19.2: Multiple vulnerabilities (CVE-2015-{2721,4000}) #550288
002-chrome.xzm:
- upgraded to google-chrome-43.0.2357.134_p1
05-flash.xzm:
- critical security fix adobe-flash-11.2.202.491: Multiple vulnerabilities allowing for ACE and DoS (CVE-2015-{5122,5123}) #554882
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.0.8
001-core.xzm:
- security fix openssl-1.0.1p: Alternate chains certificate forgery (CVE-2015-1793) #554172
- security fix ntp-4.2.8_p3: remote code execution in some configs, and a leap second issue (CVE-2015-5146) #553682
002-chrome.xzm:
- upgraded to google-chrome-43.0.2357.132_p1
05-flash.xzm:
- security fix adobe-flash-11.2.202.481: use after free / "hackingteam" vuln (CVE-2015-5119) #554220
- security fix curl-7.43.0: Multiple vulnerabilities (CVE-2015-{3236,3237}) #552618
05-flash_legacy.xzm:
- security fix curl-7.43.0: Multiple vulnerabilities (CVE-2015-{3236,3237}) #552618
vmlinuz and 000-kernel.xzm:
- upgraded to linux-4.0.7
001-core.xzm:
- upgraded to gtk+-2.24.28-r1, sqlite-3.8.10.2
002-chrome.xzm:
- upgraded to google-chrome-43.0.2357.130_p1
- 'kiosk-printer' is set as default instead of the 'Save as PDF' option
- new feature enabled native 'print preview' window for Chrome
002-firefox.xzm:
- critical security fix mozilla-firefox-38.1.0. changelog: link
003-settings.xzm:
- kiosk fix do not prefer gutenprint drivers over other ones as they could offer more functions or better print quality (e.g. Xerox proprietary drivers)
- kiosk fix removed workaround to the '100% CPU load' cups bug as it's fixed upstream now #549732
- kiosk fix when homepage is not defined then default to porteus-kiosk.org to avoid showing of the welcome page in Chrome browser
05-flash.xzm:
- security fix adobe-flash-11.2.202.468: heap buffer overflow (CVE-2015-3113) #552946
10-printing.xzm:
- security fix cups-filters-1.0.70: remote code execution (CVE-2015-3258) #553644
- upgraded to cups-2.0.2-r2
uefi.zip:
- 32bit EFI support: renamed bootx32.efi to bootia32.efi to make possible direct booting from isohybrid images (no need for EFI shell workaround)
vmlinuz and 000-kernel.xzm:
- kernel config: added support for namespaces (NET_NS, PID_NS, USER_NS) which are required for Google Chrome sandbox to work
001-core.xzm:
- security fix openssl-1.0.1o: multiple vulnerabilities (CVE-2014-8176,CVE-2015-{1788,1789,1790,1791,1792,4000}) #551832
- added xdotool-2.20110530.1 package
- upgraded to ethtool-3.18
002-chrome.xzm:
- upgraded to google-chrome-43.0.2357.125_p1
Google Chrome got better locking so it works now in a similar way to Firefox:
- removed default Chrome profile (/home/guest/.config/google-chrome) as all preferences are managed now through the Group Policy Objects, master_preferences and chrome-flags.conf (saved in 003-settings.xzm/opt/google/chrome folder)
- locked down all Chrome settings (including chrome://*) so it's not possible to change anything even when navigation bar is enabled
- when a user creates an application shortcut (Chrome menu -> More Tools -> Create application shortcuts) then it will be opened as decorated and maximized
- popup windows will open as maximized and decorated so it's possible to close them
- disabled downloads, bookmarks, password manager and profile syncing (guest mode is forced)
- disabled developer tools
- disabled print preview
- disabled following plugins by default: Chrome Remote Desktop Viewer, Native Client, Widevine Content Decryption Module
- form autofilling is possible when private mode is disabled
- new feature enabled controlling of the 'file://' protocol through the 'enable_file_protocol=yes' kiosk setting. If your kiosks are managed centrally then you may add this parameter to your remote config.
- new feature enabled blacklisting/whitelisting through the 'blacklist=' and 'whitelist=' kiosk settings. If your kiosks are managed centrally then you may add these parameters to your remote config.
003-settings.xzm:
- kiosk security fix blocked 'view-source:' protocol in Firefox which was giving access to some system files (the ones readable by the user 'guest') despite the 'file://' protocol being disabled. Blocked accessing the Firefox menu through the 'Alt' key when new browser window is opened with the tab dragging gesture. Both issues were reported by an anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program. Thank you.
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-4.0.5
- kernel config: added support for Qemu virtual machines and enabled Tun/Tap driver (required for example by OpenVPN)
001-core.xzm:
- added xf86-video-qxl-0.1.3 package
- upgraded to acpid-2.0.23, dhcpcd-6.9.0, ntfs3g-2014.2.15-r, usbutils-008-r1
002-chrome.xzm:
- upgraded to google-chrome-43.0.2357.124_p1
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-38.0.1 changelog: 32.0 33.0 34.0 35.0 36.0 37.0 38.0
- browser is started as maximized rather than fullscreen by default. This allows launching HTML5 apps like pdf viewer, youtube video player and others in real fullscreen with no firefox navigation bar visible at the top. To restart the browser you have to close its last tab - same as in Google Chrome.
- stop/refresh buttons are back in their original position (right side of the URL bar).
- disabled openh264 plugin which is needed only for video chats (Firefox Hello communication client) and would have to be downloaded during every browser restart due to license restrictions
- disabled Enhanced Tiles by default
- disabled HeartBeat rating system and Google SafeBrowsing service
003-settings.xzm:
- kiosk fix Google Chrome - fixed handling of homepages containing '&' sign
- kiosk fix close 'shutdown menu' when going back from sleep
- kiosk fix removed Chinese/Japanese/Korean layouts from the keyboard mapping list in the wizard as they need external input method application not supported in kiosk by default
- new feature when private mode is disabled then open new tab as 'about:newtab' rather than 'about:blank'
04-wifi.xzm:
- upgraded to wireless-regdb-20150605
05-flash.xzm:
- security fix adobe-flash-11.2.202.466: multiple vulnerabilities (CVE-2015-{3096,3097,3098,3099,3100,3101,3102,3103,3104,3105,3106,3107,3108}) #551658
10-printing.xzm:
- upgraded to ghostscript-gpl-9.15-r1, libpcre-8.36
Tagged as Porteus Kiosk 3.4.0 release
Wizard 3.4.0 features: all new features implemented on the wizard level can be found here
Other changes which sum up this release: new features implemented at the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.18.14
- kernel config: added many new drivers for better support of the tablets and x86 embedded devices
001-core.xzm:
- added ntfs3g-2014.2.15, nspr-4.10.8 and nss-3.17.4 packages
- upgraded to alsa-lib-1.0.29, alsa-utils-1.0.29, cairo-1.14.2, xf86-video-geode-2.11.17, xf86-video-mach64-6.9.5
002-chrome.xzm:
- added google-chrome-43.0.2357.81. Welcome Google Chrome!
002-firefox.xzm:
- removed libs doubled in 001-core.xzm (from nss and nspr packages)
003-settings.xzm:
- kiosk fix scale only connected and initialized video outputs (skip cases when crtc can't be found)
- kiosk fix no matter what user selects in the wizard - keep navigation/address bar enabled when in debug mode
- new feature set custom resolution on all active displays and not just the first one
04-wifi.xzm:
- security fix wpa_supplicant-2.4-r3: EAP-pwd missing payload length validation (CVE - Pending) #548742
- upgraded to jimtcl-0.76
10-printing.xzm:
- security fix gnutls-3.3.15: MD5-based ServerKeyExchange signature accepted by default (GNUTLS-SA-2015-2) #548636
- security fix libtasn1-4.5: invalid memory access (CVE-2015-3622) #548252
- upgraded to nettle-2.7.1-r4
initrd:
- when kiosk data is not found then display debug info and drop to the shell only after key press (wait 10 secs for it). If no action is taken by the user then shutdown the PC.
vmlinuz and 000-kernel.xzm:
- kernel config: compiled XFS into kernel as it's not loaded automatically when mounting device formatted with this filesystem
001-core.xzm:
- upgraded to openssl-1.0.1m
002-firefox.xzm:
- critical security fix mozilla-firefox-31.7.0. changelog: link
003-settings.xzm:
- kiosk fix whitelisted 'about:blank' by default so 'access denied' image is not shown on a new tab
- kiosk fix set default sound level to 90% as 75% may be too low
05-flash.xzm:
- security fix adobe-flash-11.2.202.460: multiple vulnerabilities (CVE-2015-{3044,3077,3078,3079,3080,3081,3082,3083,3084,3085,3086,3087,3088,3089,3090,3091,3092,3093}) #546706
- security fix curl-7.42.1: sensitive HTTP server headers also sent to proxies (CVE-2015-3153) #548130
05-flash_legacy.xzm:
- security fix curl-7.42.1: sensitive HTTP server headers also sent to proxies (CVE-2015-3153) #548130
07-java.xzm:
- upgraded to icedtea-bin-7.2.5.5
uefi.zip:
- added support for PCs equipped with 32bit EFI firmware. Some implementations do not support booting from isohybrid ISOs and it's necessary to setup 'Internal EFI shell' as default for booting.
initrd:
- PXE boot: default to port 80 if PORT variable is missing in the 'http_server=' parameter
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.18.13
001-core.xzm:
- upgraded to kmod-20, xf86-video-cirrus-1.5.3, xf86-video-neomagic-1.2.9, xf86-video-savage-2.3.8, xf86-video-siliconmotion-1.7.8
003-settings.xzm:
- kiosk fix fixed handling of SSIDs with whitespaces in name
- new feature automatic updates: inject PC ID to /etc/version so it's possible to identify the kiosk through it
- new feature if 'shutdown menu' is not enabled then allow powering off the PC by pressing the power button. If a user has physical access to it, they can force a kiosk shutdown by holding the button for 5 secs anyway
04-wifi.xzm:
- security fix wpa_supplicant-2.4: action script execution vulnerability (CVE-2014-3686) #524928
05-flash.xzm:
- security fix curl-7.42.0: Multiple vulnerabilities (CVE-2015-{3143,3144,3145,3148}) #547376
05-flash_legacy.xzm:
- security fix curl-7.42.0: Multiple vulnerabilities (CVE-2015-{3143,3144,3145,3148}) #547376
06-fonts.xzm:
- upgraded to wqy-zenhei-0.9.46
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.18.12
001-core.xzm:
- security fix libxml2-2.9.2-r1: denial of service processing a crafted XML document #546720
- upgraded to dbus-glib-0.102, expat-2.1.0-r4, glibc-2.20-r2, harfbuzz-0.9.38, hwids-20150129, libnotify-0.7.6-r1, timezone-data-2015b
003-settings.xzm:
- kiosk fix fixed default permissions for ntfs so it's possible now to mount NTFS formatted removable media
- new feature allow access to 'about:config' when in debug mode
- new feature run all custom scripts from /etc/rc.d/local_cli.d (when in runlevel 3) and /etc/rc.d/local_gui.d (when in runlevel 4) during startup
04-wifi.xzm:
- upgraded to usb_modeswitch-2.2.0_p20140529, wpa_supplicant-2.2-r1
05-flash.xzm:
- security fix adobe-flash-11.2.202.457: multiple vulnerabilities (CVE-2015-{0346,0347,0348,0349,0350,0351,0352,0353,0354,0355,0356,0357,0358,0359,0360,3038,3039,3040,3041,3042,3043,3044}) #546706
10-printing.xzm:
- upgraded to cups-2.0.2-r1, hplip-3.15.4
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.18.11
003-settings.xzm:
- kiosk fix timeout after 10 secs when waiting on wifi interface so other NICs can be initialized by dhcpcd (wired connection can be used as a fallback for wifi)
- kiosk fix initialize brightness by default on all supported outputs to resolve 'dark screen' bug affecting some Intel GPUs
- kiosk fix installation/reconfiguration/upgrade: timeout downloading of components after 20 secs when connection to the server is lost (wget waits 15 mins by default)
- new feature save current time to hardware clock if ntpdate succeeded pulling the date from the internet
06-fonts.xzm:
- upgraded to thaifonts-scalable-0.6.1
10-printing.xzm:
- security fix poppler-0.32.0: segmentation fault in XRef::getEntry at XRef.cc:1317 #542220
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.18.10
- kernel config: added UDF filesystem support required for mounting of some optical media
001-core.xzm:
- upgraded to util-linux-2.25.2-r2, xf86-video-trident-1.3.7, libwacom-0.11
002-firefox.xzm:
- critical security fix mozilla-firefox-31.6.0. changelog: link
003-settings.xzm:
- kiosk fix setup automatic proxy configuration separately for kiosk config and wallpaper URLs as they may be handled by proxy exceptions
- kiosk fix setup sound level later in the boot process to allow slow sound devices initialize properly
- new feature automount iso9660 and udf formatted CDs and DVDs when 'removable devices' support is enabled
04-wifi.xzm:
- upgraded to libnl-3.2.25, ca-certificates-20140927.3.17.2
10-printing.xzm:
- security fix libtasn1-4.4: stack overflow in DER decoder (CVE-2015-2806) #544922
vmlinuz and 000-kernel.xzm:
- various updates to the kernel config
001-core.xzm:
- security fix openssl-1.0.1l-r1: Multiple vulnerabilities (CVE-2015-{0204,0207,0208,0209,0285,0287,0288,0289,0290,0291,0292,0293,1787}) #543552
- security fix libXfont-1.5.1: BDF file parsing issues (CVE-2015-1802) #543630
- new feature switched to 'ripples' screensaver which looks nicer and does not leave any distortions on the screen when running for longer
- upgraded to timezone-data-2015a, glib-2.42.2, atk-2.14.0, gtk+-2.24.27
002-firefox.xzm:
- critical security fix mozilla-firefox-31.5.3. changelog: link
003-settings.xzm:
- kiosk fix fixed 'remote management' not working with UEFI PCs
- kiosk fix fixed a bug which prevented having address bar disabled and navigation bar hidden at the same time
- kiosk fix removed tiny white line displayed on top of the screen when navigation bar was disabled
- kiosk fix restart vnc service automatically in case it crashes
- kiosk fix changed default font size to 12 for system messages
- new feature scale smaller screen automatically when second monitor is connected and there is a mismatch in resolution between internal/external outputs
- new feature disabled 'search for text when i start typing' in firefox preferences so kiosk can work with bar code scanners out of the box
- new feature screensaver runs now in fullscreen mode rather than maximized+undecorated, this allows to have all other applications decorated in kiosk
04-wifi.xzm:
- upgraded to wireless-regdb-20150313
05-flash.xzm:
- security fix adobe-flash-11.2.202.451: multiple vulnerabilities (CVE-2015-{0332,0333,0334,0335,0336,0337,0338,0339,0340,0341,0342}) #543112
10-printing.xzm:
- security fix cups-filters-1.0.66: remove_bad_chars() bypass #542158
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.18.9
001-core.xzm:
- added pacparser-1.3.1 package required for proxy auto configuration
003-settings.xzm:
- kiosk fix fixed downloading of kiosk remote configs/wallpapers from some SSL protected sites
- kiosk fix apply settings from proxy pac files to all applications and not only firefox
- kiosk fix export 'https_proxy=' and 'ftp_proxy=' environmental variables properly
- kiosk fix fixed discovering of some usb wifi dongles in the welcome wizard
- kiosk fix clear booting screen so system version is not visible when Xorg is restarted through the shutdown menu
- kiosk fix run ntpdate even when clock is set to Factory
- added 'shutdown' utility wrapper
04-wifi.xzm:
- added rtl8188eufw.bin firmware
Tagged as Porteus Kiosk 3.3.0 release
Wizard 3.3.0 features: all new features implemented on the wizard level can be found here and here.
Other changes which sum up this release: new features implemented at the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
initrd:
- upgraded to busybox-0.23.1
- enabled busybox applets: dirname, fgrep, nohup, pkill, printenv, printf, pwd, realpath, seq, touch, uniq, usleep, which, whoami, xargs
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-3.18.8 and aufs 3.18-20150223
- upgraded firmware to relevant kernel version
001-core.xzm:
- security fix freetype-2.5.5: Multiple vulnerabilities (CVE-2014-{9656,9657,9658,9659,9660,9661,9662,9663,9664,9665,9666,9667,9668,9669,9670,9671,9672,9673,9674,9675}) #539796
- added libevdev-1.3 and xf86-video-s3-0.6.5-r1 packages
- major Xorg upgrade upgraded xorg-server to version 1.16.4 and bumped whole Xorg stack: cairo-1.12.18-r1, libdrm-2.4.59, libICE-1.0.9, libpciaccess-0.13.3, libxcb-1.11-r1, libXext-1.3.3, libXfont-1.5.0, libXft-2.3.2, libXi-1.7.4, libXxf86vm, libxshmfence-1.2, mtdev-1.1.5, pixman-0.32.6, xf86-input-evdev-2.9.1, xf86-input-synaptics-1.8.1, xf86-input-wacom-0.24.0, xf86-video-ast-1.0.1, xf86-video-ati-7.5.0, xf86-video-i740-1.3.5, xf86-video-intel-2.99.917, xf86-video-modesetting-0.9.0, xf86-video-nouveau-1.0.11, xf86-video-tdfx-1.4.6, xinit-1.3.3-r1, xkbcomp-1.3.0, xkeyboard-config-2.14, xorg-server-1.16.4, xrandr-1.4.3
- upgraded to dhcpcd-6.6.7, oxygen-gtk-1.4.6, timezone-data-2014j, xscreensaver-5.32
002-firefox.xzm:
- critical security fix mozilla-firefox-31.5.0. changelog: link
003-settings.xzm:
- kiosk fix removed hplip version from the driver name in the wizard (allows hplip package upgrades in the 'automatic updates' channel)
- kiosk fix fixed handling of WPA passwords containing spaces
- kiosk fix fixed race condition between ssh/vnc services during kiosk startup
- new feature allow outgoing traffic in the firewall on all ports by default. Incoming/forwarded traffic is still blocked as before. This is needed for proxy autoconfiguration service, browsing ftp shares, flowplayer video support, etc.
- new feature switched to system wide proxy so all applications can use it and not only firefox
- new feature rotate screen on all connected displays and not only on default one
04-wireless.xzm:
- added jimtcl-0.73, ppp-2.4.7, usb_modeswitch-2.1.0_p20140129, wvdial-1.61, wvstreams-4.6.1-r3 which are needed for dialup support in kiosk
10-printing.xzm:
- added gmp-5.1.3-r1, gnutls-3.3.10-r2, libtasn1-4.2, nettle-2.7.1-r1 which are the new dependencies for the cups package (openssl support has been replaced with gnutls for making secure connections)
- upgraded to cups-2.0.1-r1, hplip-3.15.2
initrd:
- enabled 'env' busybox applet required by hplip (hp printers)
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.33
- kernel config: enabled support for more than 4 com ports
001-core.xzm:
- security fix freetype-2.5.4-r1: Multiple vulnerabilities (CVE-2014-{9656,9657,9658,9659,9660,9661,9662,9663,9664,9665,9666,9667,9668,9669,9670,9671,9672,9673,9674,9675}) #539796
- security fix dbus-1.8.16: denial of service in dbus >= 1.4 systemd activation (CVE-2015-0245) #539482
003-settings.xzm:
- kiosk fix automatic updates - check for kiosk server accessibility before performing system update
- kiosk fix wizard - do not accept VNC passwords longer than 8 characters (upstream limit) and keep asking until shorter one is provided
- kiosk fix firefox UI - reintroduced 'back/forward' buttons when address bar is disabled
- kiosk fix firefox config - allow insecure ntlm authentication (disabled by upstream in firefox 30.x)
- new feature firefox UI - moved home button on the right side of the URL bar as it fits better there
- new feature firefox config - enable all firefox plugins (vlc, libreoffice, mozplugin, npica, etc) even if they are not available in kiosk by default
10-printing.xzm:
- added python-2.7.9 and dbus-python-1.2.0-r1 required by hplip (hp printers)
initrd:
- save kiosk version in /etc/version so it can be checked through ssh or from URL bar (if file:// protocol is enabled)
003-settings.xzm:
- kiosk fix wizard installer - fixed listing of devices with white spaces in name
004-wireless.xzm:
- added ca-certificates-20130906-r1 required for WPA/WPA2 Enterprise support
05-flash.xzm:
- security fix adobe-flash-11.2.202.442: Multiple vulnerabilities (CVE-2015-{0314,0315,0316,0317,0318,0319,0320,0321,0322,0323,0324,0325,0326,0327,0328,0329,0330}) #538982
003-settings.xzm:
- kiosk fix do not start firewall in the background as printing exceptions may be not initialized
05-flash.xzm:
- security fix adobe-flash-11.2.202.440: remote code execution (CVE-2015-0311) #537426
initrd:
- added 'readlink' busybox applet
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.29
- kernel config: added back usblp kernel module which is needed by some non standard CUPS drivers
001-core.xzm:
- upgraded to procps-3.3.9-r2, kmod-19, libxdg-basedir-1.2.0-r1
003-settings.xzm:
- kiosk fix improved handling of network interfaces which are showing late in the system (e.g.: usb wifi dongle)
- kiosk fix set volume on all audio channels except for "*Mic*" and "*Boost*" to prevent unwanted noise from the speakers
- new feature 'automatic updates' trial - display a warning that kiosk needs to be reconfigured during the last 10 days of the trial
05-flash.xzm:
- security fix adobe-flash-11.2.202.438: some vulnerability (CVE-2015-0310) #537738
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.28
- kernel config: increased kernel log buffer size, enabled PAT support which improves 2D/3D performance in some cases, enabled PPP protocol which is needed for 3g connections, enabled USB serial drivers
001-core.xzm:
- security fix openssl-1.0.1k: multiple vulnerabilities (CVE-2014-{3569,3570,3571,3572,8275},CVE-2015-{0204,0205,0206}) #536042
- critical security fix xorg-server-1.15.2-r1: multiple vulnerabilities (CVE-2014-{8091,8092,8093,8094,8095,8096,8097,8098,8099,8100,8101,8102,8103}) #532086
- added tofrodos-1.7.12a package
- upgraded to dejavu-2.34, fontconfig-2.11.1-r2
002-firefox.xzm:
- critical security fix mozilla-firefox-31.4.0. changelog: link
003-settings.xzm:
- disabled 'slow script' dialog window in firefox preferences
- list MTRR registers in debug report
004-wireless.xzm:
- upgraded to crda-1.1.3-r1, wireless-regdb-20141118
05-flash.xzm:
- security fix adobe-flash-11.2.202.429: multiple vulnerabilities (CVE-2015-{0301,0302,0303,0304,0305,0306,0307,0308,0309}) #536562
06-fonts.xzm:
- upgraded to dejavu-2.34
10-printing.xzm:
- upgraded to poppler-0.26.5
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.27
- kernel config: added support for 2TB+ drives
001-core.xzm:
- security fix ntp-4.2.8-r1: Multiple vulnerabilities (CVE-2014-{9293,9294,9295,9296}) #533076
- security fix libpng-1.6.16: heap overflow #533358
- added rfkill utility
- upgraded to glib-2.40.2, gtk+-2.24.25, pango-1.36.8
003-settings.xzm:
- kiosk fix unblock all wifi devices during boot with rfkill
- kiosk fix clear also /tmp folder on each firefox restart to make sure that nothing persists there
- kiosk fix hide status bar when navigation bar is disabled
- new feature do not create new ISO prior to installation but burn it 'on the fly'. This allows installing the base kiosk ISO (no extra modules added) on PCs with as little as 128MB of RAM
- new feature set system localization to en-US.UTF8
- new feature allow HTML5 fullscreen api on all pages by default
- new feature first run wizard - notify user when newer version of Porteus Kiosk ISO is available for download
We have got some great responses after 3.2.0 release so aside from the usual security fixes and upgrades delivered by upstream this version brings essential fixes to the kiosk itself. Thanks a lot for your feedback!
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.26
- kernel config: added support for debug messages and printk. Adds about 1MB of size to the ISO but Porteus Kiosk grows rapidly in popularity and we need more debugging info to resolve hardware problems
001-core.xzm:
- security fix libpng-1.6.15: out of bounds memory access #532264
- security fix libxml2-2.9.2: expansion attack (CVE-2014-3660) #525656
- added 'dmesg' applet to busybox and full 'lspci' and 'lsusb' utilities along with pci/usb ids database - needed for debugging
- upgraded to libdrm-2.4.58
003-settings.xzm:
- kiosk fix 'automatic updates' - made it "fool-proof" so random files which (possibly) are added by Windows burning utilities won't break updating process
- kiosk fix fixed bug where homepage could not be set to a page chapter: 'homepage://some_url/#tag'
- kiosk fix updated 'disable navigation bar' function which finally works around an age old fullscreen + html video fullscreen issue. Still not resolved by upstream: link
- kiosk fix 'Welcome' wizard - fixed bug when wifi interface was named as eth1 (ipw220 driver) and kiosk could not initialize wireless connection
- kiosk fix remove /var/log/Xorg.0.log as it contains some important system information: kernel, Xorg, DDX driver version
- new feature added function which discovers and switches wifi interface automatically if hardware configuration has changed (e.g.: wifi 'eth1' becomes 'wlan0'). Works only if 'dhcpcd' is selected in the wizard.
004-wireless.xzm:
- added iwconfig utility
05-flash.xzm:
- security fix adobe-flash-11.2.202.425: multiple vulnerabilities (CVE-2014-{0580,0587,8443,9162,9163,9164}) #532074
10-printing.xzm:
- moved libusb to core as it's needed by 'lsusb' utility
Tagged as Porteus Kiosk 3.2.0 release
Wizard 3.2.0 features: all new features implemented on the wizard level can be found here and here.
Other changes which sum up this release: new features implemented at the ISO level, bugfixes and package upgrades are listed in the changelog below.
Long live Porteus Kiosk!
vmlinuz and 000-kernel.xzm:
- kernel config: added ath6k wifi drivers, minor configuration changes
001-core.xzm:
- upgraded to libSM-1.2.2-r1
002-firefox.xzm:
- critical security fix mozilla-firefox-31.3.0. changelog: link
003-settings.xzm:
- kiosk fix fixed a bug when wifi connection could not be established in some cases
- added generic PDF, PostScript and text-only drivers to the printer models list
004-wireless.xzm:
- added ath6k firmware
05-flash.xzm:
- security fix adobe-flash-11.2.202.424: additional hardening against CVE-2014-8439 (CVE-2014-8439) #530692
08-ssh.xzm:
- security fix openssh-6.7_p1: openssh client does not check SSHFP if server offers certificate (CVE-2014-2653) #505942
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.25 and aufs 3.14.21+-20141110
- kernel config: disabled an option for loading firmware through userspace as udev-217 dropped this possibility
initrd.xz:
- kiosk fix make sure that only .xzm modules are mounted to /union (aufs) and not other files or folders
001-core.xzm:
- security fix dbus-1.8.10: denial of service via incomplete fix for CVE-2014-3636 #528900
- added xinput and xf86-video-openchrome packages
- upgraded to timezone-data-2014i-r1, xscreensaver-5.30
003-settings.xzm:
- new feature added support for basic authentication for the homepage, e.g.: http://user:name@domain.org
- new feature display notification that unauthorized component has been added to the ISO and kiosk can't be upgraded
- new feature disabled updates of firefox addons by default, we have none in kiosk but this setting comes in handy when ISO is customized manually
- maintenance: updated system caches as all packages were recompiled with gcc-4.8.3
004-wireless.xzm:
- added crda and wireless-regdb packages for better wifi support
05-flash.xzm:
- security fix adobe-flash-11.2.202.418: multiple vulnerabilities (CVE-2014-{0573,0574,0576,0577,0581,0582,0583,0584,0585,0586,0588,0589,0590,8437,8438,8440,8441,8442}) #529088
- security fix curl-7.39.0: libcurl duphandle read out of bounds (CVE-2014-3707) #528840
05-flash_legacy.xzm:
- security fix curl-7.39.0: libcurl duphandle read out of bounds (CVE-2014-3707) #528840
07-java.xzm:
- security fix icedtea-bin-7.2.5.3: multiple vulnerabilities #524560
10-printing.xzm:
- added hplip package with support for over 900 HP printers
- upgraded to libusb-1.0.19
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.23 and aufs 3.14.21+-20141020
- kernel config: added support for uinput and other miscellaneous input drivers; added support for eMMC cards
001-core.xzm:
- upgraded to alsa-lib-1.0.28, alsa-utils-1.0.28
003-settings.xzm:
- security fix wget-1.16: arbitrary file creation through ftp symlinks (CVE-2014-4877) #527056
- new feature display 'System is up to date' notification when kiosk works in its latest version
07-java.xzm:
- upgraded to icedtea-web-1.5.1-r1
10-printing.xzm:
- security fix lcms-2.6-r1: insufficient ICC profile version validation (CVE-2014-0459) #507788
001-core.xzm:
- critical security fix openssl-1.0.1j: multiple vulnerabilities (CVE-2014-{3513,3515,3567,3568}) #525468
- kiosk fix added missing /usr/lib/libgudev-1.0.so library required by /usr/lib/libwacom.so
- upgraded to timezone-data-2014g
003-settings.xzm:
- kiosk fix final fix for the BCM chipset issue.
- kiosk fix fixed handling of the lpd:// printer URI containing authorization string.
initrd.xz:
- added a quirk for loading 'broadcom' driver during PXE boot when BCM57780 chipset is found.
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.22 and aufs 3.14.21+-20141013
002-firefox.xzm:
- critical security fix mozilla-firefox-31.2.0. changelog: link
003-settings.xzm:
- kiosk fix updated 'xzm download' function to resolve remaining md5sum issues. After this upgrade you should never experience them anymore (they may still occur only when there is something wrong with your connection).
- added a quirk for loading 'broadcom' driver during normal boot when BCM57780 chipset is found.
05-flash.xzm:
- security fix adobe-flash-11.2.202.411: multiple vulnerabilities (CVE-2014-{0558,0564,0569}) #525430
001-core.xzm:
- security fix dhcpcd-6.4.7: fast stabilization due to the 'shellshock' issue #523900
- added libwacom-0.7.1 required by xf86-input-wacom package
- upgraded to util-linux-2.24.1-r3
002-firefox.xzm:
- critical security fix mozilla-firefox-31.1.1. changelog: link
07-java.xzm:
- upgraded to icedtea-web-1.4.2-r1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.19 and aufs 3.14.x-20140915
001-core.xzm:
- security fix dbus-1.8.8: Multiple vulnerabilities (CVE-2014-{3635,3636,3637,3638,3639}) #522982
- upgraded to udev-216
003-settings.xzm:
- updated printers list: number of supported printers increased from 1756 to 2483. read more: link
- updated keyboard layout list: added Moldavian and Wolof layouts, removed Catalonian
004-wifi.xzm:
- brought back 'iwlist' utility from the 'wireless-tools' package as it's needed for scanning local SSIDs in the first run wizard
05-flash.xzm:
- security fix adobe-flash-11.2.202.406: Multiple vulnerabilities (CVE-2014-{0547,0548,0549,0550,0551,0552,0553,0554,0555,0556,0557,0559}) #522448
10-printing.xzm:
- security fix cups-1.7.5: two vulnerabilities (CVE-2014-5030) #519792
- upgraded to gutenprint-5.2.10
- added dymo-cups-drivers-1.4.0, splix-2.0.0_p20130826, xerox-drivers-0_p20080123
initrd.xz:
- new feature display the OS version during boot
- clean the screen properly after counting (modules/seconds)
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.18 and aufs 3.14.x-20140825
- kernel config: added 'CONFIG_EFI_FB=y'
001-core.xzm:
- added xf86-input-hyperpen-1.4.1, xf86-input-fpit-1.4.0
- recompiled 'pixman' package with MMX CPU instruction support
- removed 'xrefresh' package as it's not needed anymore
- upgraded to timezone-data-2014f
002-firefox.xzm:
- critical security fix mozilla-firefox-31.1.0. changelog: link
003-settings.xzm:
- switched to MAC based authorization for dhcpcd which is persistent (MAC never changes) unlike duid in kiosk
- upgraded to mkisofs-3.01a24
004-wifi.xzm:
- removed 'wireless-tools' package as it was never really needed
08-ssh.xzm:
- recompiled 'openssh' package with X11 forwarding support
09-x11vnc.xzm:
- upgraded to x11vnc-0.9.13-r1
001-core.xzm:
- security fix openssl-1.0.1i: Multiple vulnerabilities (CVE-2014-{3505,3506,3507,3509,3510,3511,3512,5139}) #519264
- security fix dhcpcd-6.4.3: Denial of service #518596
- upgraded to glibc-2.19-r1, timezone-data-2014d, xscreensaver-5.29
003-settings.xzm:
- welcome wizard: fixed support for hidden wifi SSIDs
- maintenance: updated system caches due to upgraded glibc package
05-flash.xzm:
- security fix adobe-flash-11.2.202.400: multiple code execution or security bypass flaws (APSB14-18) (CVE-2014-{0538,0540,0541,0542,0543,0544,0545}) #519790
- upgraded to curl-7.36.0
05-flash_legacy.xzm:
- upgraded to curl-7.36.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.13
- upgraded to aufs 3.14.x-20140720
- kernel config: added 'CONFIG_FHANDLE=y' required by latest udev.
- kernel config: removed 'CONFIG_USB_PRINTER=m' as usb printers are now handled by libusb.
001-core.xzm:
- security fix openssl-1.0.1h-r2: Multiple vulnerabilities (CVE-2010-5298,CVE-2014-{0195,0198,0221,0224,3470}) #512506
- security fix freetype-2.5.3-r1: CFF Fonts Stem Hints Processing Buffer Overflow Vulnerability (CVE-2014-2240) #504088
- new feature added 'ntpdate' utility to sync hardware clock with remote ntp server (pool.ntp.org) if timezone was enabled in the wizard. Outgoing udp traffic on port 123 is enabled in the firewall config.
- upgraded to atk-2.12.0-r1, gdk-pixbuf-2.30.8, glib-2.40.0-r1, gtk+-2.24.24, harfbuzz-0.9.28, imlib2-1.4.6-r2, libglade-2.6.4-r2, libpng-1.6.12, pango-1.36.5
002-firefox.xzm:
- major Firefox ESR release mozilla-firefox-31.0. changelog: 25.0 26.0 27.0 28.0 29.0 30.0 31.0
- firefox config: moved refresh/stop buttons on the left side of the address bar.
- firefox config: removed '100%' button from zoom controls to make them smaller.
- firefox config: allowed java plugin by default so it won't ask for confirmation before running.
003-settings.xzm:
- kiosk wizard: display wpa password and wep key on the welcome wizard config page.
- maintenance: updated system caches.
07-java.xzm:
- upgraded to cups-1.7.3
10-printing.xzm:
- upgraded to cups-1.7.3, gtk+-2.24.24
001-core.xzm:
- upgraded to kmod-18-r1, udev-215
003-settings.xzm:
- kiosk security fix disabled 'Ctrl+Shift+h' keybinding which displays firefox history menu (nothing there as kiosk runs in 'private mode' by default but still we don't need this menu in kiosk) and 'Ctrl+`' keybinding which allows to display previous kiosk notifications.
- added empty and non-executable /etc/rc.d/rc.local so users can put their startup commands into it.
05-flash:
- security fix adobe-flash-11.2.202.394: multiple vulnerabilities (CVE-2014-{0537,0539,4671}) #516750
10-printing:
- upgraded to libpcre-8.35
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.14.11 as 3.14.x kernel line obtained a 'Long Term Support' status: link
- upgraded to aufs 3.14.x-20140630
001-core.xzm:
- critical security fix dbus-1.8.6: two local DoS vulnerabilities in dbus-daemon (CVE-2014-{3532,3533}) #516080
- critical security fix libXfont-1.4.8: integer overflow, unchecked buffer (CVE-2014-{0209,0210,0211}) #510250
- upgraded to iptables-1.4.21-r1
003-settings.xzm:
- kiosk security fix disabled 'Shift + left mouse button' combination to prevent opening new firefox windows when clicked on hyperlinks. This binding is especially dangerous when the navigation bar is disabled as there is no possibility to close any windows in this mode. Multiple firefox instances could slow down the kiosk or even make it unusable.
- kiosk fix once kiosk is fully booted delete utilities like 'wget' or 'dd' which are unneeded and potentially risky for the kiosk stability.
- new feature if swap support is not enabled in the wizard - spin down all the block media (hd, CD, usb, SD/MMC cards) to save energy and make the kiosk environmentally friendly.
10-printing:
- recompiled cups-filters against upgraded qpdf libraries
- upgraded to qpdf-5.1.1
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.12.22
002-firefox.xzm:
- critical security fix mozilla-firefox-24.6.0. changelog: link
003-settings.xzm:
- bugfix: Alt+Ctrl+Del combination will kill only previous instance of the 'kiosk shutdown' utility and not every gtkdialog application (like e.g. welcome wizard).
004-wifi.xzm:
- removed unneeded bluetooth firmware.
05-flash:
- security fix adobe-flash-11.2.202.378: multiple vulnerabilities (CVE-2014-{0531,0532,0533,0534,0535,0536}) #512888
vmlinuz and 000-kernel.xzm:
- upgraded to linux-3.12.21
- upgraded to aufs 3.12.x-20140602
001-core.xzm:
- critical security fix openssl-1.0.1h-r2: SSL/TLS MITM vulnerability (CVE-2014-{0224,0221,0195,0198,3470},CVE-2010-5298) #512506
003-settings.xzm:
- bugfix: always put wifi interface up before scanning for available networks in the first run wizard.
07-java.xzm:
- security fix icedtea-bin-7.2.4.7: multiple vulnerabilities #508270
- security fix icedtea-web-1.4.2: insecure temporary directory use #501472
003-settings.xzm:
- bugfix: export SSID as 'ssid_name=some-name' in the welcome wizard, otherwise wifi networking won't be initialized.
Tagged as Porteus Kiosk 3.1.0 release