Porteus Kiosk

Porteus Kiosk version 20250420

- upgraded to sof-firmware-2025.01

- upgraded to expat-2.7.1, ncurses-6.5_p20250125, libpng-1.6.46, libpcre2-10.45, sqlite-3.49.1, libSM-1.2.6, nss-3.101.3, alsa-lib-1.2.13-r3, userspace-rcu-0.15.1, libX11-1.8.12, xinit-1.4.4, e2fsprogs-1.47.2-r3, xfsprogs-6.12.0, libxml2-2.13.7, dhcpcd-10.2.2, libxslt-1.1.43, nghttp2-1.65.0-r1, curl-8.12.1, libjpeg-turbo-3.1.0, xkeyboard-config-2.44, libtasn1-4.20.0, libxkbcommon-1.8.0, gnutls-3.8.9-r1, cairo-1.18.4, harfbuzz-10.4.0-r1, imlib2-1.12.3-r1, tigervnc-1.15.0, gtk+-3.24.48

- upgraded to mozilla-firefox-128.9.0

- kiosk fix set the primary/secondary keyboard layout again when the USB keyboard is plugged in

- new feature added support for most popular languages and webpage localizations to the Firefox and Chrome browsers: Czech (cs), Danish (da), German (de), Spanish (es), Finnish (fi), French (fr), Italian (it), Norwegian Bokmal (nb), Dutch (nl), Polish (pl), Portuguese (pt-pt), Swedish (sv), preference link.

- upgraded to usb_modeswitch-2.6.1-r1

- upgraded to openssh-9.9_p2-r3

- upgraded to qpdf-12.0.0, sane-backends-1.3.1-r1, ghostscript-gpl-10.04.0, poppler-25.03.0, cups-filters-2.0.1

- added hplip-plugin-3.24.4

Porteus Kiosk version 20250330

- major kernel upgrade upgraded to linux-6.12.20

- upgraded kernel firmware to latest version from git

- upgraded to glib-2.82.5, libdrm-2.4.124, libva-2.22.0, libva-utils-2.22.0, libva-intel-driver-2.4.1-r6, gmmlib-22.5.5, libva-intel-media-driver-24.4.4-r1, llvm-15.0.7-r7, llvm-19.1.7, mesa-24.3.4-r1

- added spirv-tools-1.4.304.0

- upgraded to mozilla-firefox-128.8.1

- new feature added support for accepting media devices (webcam, microphone) without displaying a prompt in the browser: link

- new feature added 'onscreen_buttons=' support for the Chrome browser

Porteus Kiosk version 20250302

- upgraded to linux-6.6.80, intel-microcode-20250211_p20250211

- upgraded to libffi-3.4.6-r3, alsa-ucm-conf-1.2.13, hwdata-0.391, timezone-data-2025a-r1, nettle-3.10.1, tiff-4.7.0-r1, openssl-3.3.3, libgcrypt-1.11.0-r2, alsa-lib-1.2.13-r2, gnutls-3.8.8, sqlite-3.47.2-r1, alsa-utils-1.2.13-r2, libXt-1.3.1-r1, xinit-1.4.3, util-linux-2.40.4, systemd-utils-255.15-r1, e2fsprogs-1.47.2, rsyslog-8.2412.0, dhcpcd-10.1.0-r1, freetds-1.4.24, libwacom-2.14.0, libinput-1.27.1, nghttp2-1.64.0, curl-8.11.1-r2, xf86-input-synaptics-1.10.0, xf86-video-ast-1.2.0

- major Chrome upgrade upgraded to google-chrome-133.0.6943.126

- new feature added support for skipping updates for certain day(s) in a week: link

- upgraded to tcl-8.6.15, tk-8.6.15, ppp-2.5.2, wpa_supplicant-2.10-r6

- upgraded to openssh-9.9_p2

Porteus Kiosk version 20250119

- security fix libxml2-2.12.9: Regression in consumer protection from CVE-2012-0037 (CVE-2024-40896) #943198

- security fix rsync-3.3.0-r2: Multiple vulnerabilities (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747) #948106

- security fix openssl-3.3.2-r1: Low-level invalid GF(2^m) parameters lead to OOB memory access (CVE-2024-9143) #941643

- security fix expat-2.6.4: NULL pointer dereference through function XML_ResumeParser (CVE-2024-50602) #942969

- upgraded to glibc-2.40-r5, gcc-14.2.1_p20241116, glib-2.80.5-r1, alsa-plugins-1.2.12, hwdata-0.390, pacparser-1.4.5, ethtool-6.10, libgpg-error-1.51, libcap-2.7, libXau-1.0.12, libxshmfence-1.3.3, libICE-1.1.2, libSM-1.2.5, procps-4.0.4-r2, libgcrypt-1.11.0-r1, nspr-4.36, sshpass-1.10, libX11-1.8.10-r1, libXrender-0.9.12, libXt-1.3.1, libXcursor-1.2.3, libXxf86vm-1.1.6, libXv-1.0.13, xrandr-1.5.3, xcompmgr-1.1.10, lsof-4.99.4, rsyslog-8.2404.0-r3, xfsprogs-6.11.0, iptables-1.8.11-r1, pixman-0.44.2, libxcvt-0.1.3, usbutils-018, curl-8.10.1-r2, libltdl-2.5.4, libwacom-2.13.0, libinput-1.27.0, at-spi2-core-2.52.0, lm-sensors-3.6.2, freetype-2.13.3, harfbuzz-10.1.0, xorg-server-21.1.15-r99, tigervnc-1.14.1-r3, gdk-pixbuf-2.42.12, xf86-input-wacom-1.2.3, xf86-video-fbdev-0.5.1, xf86-video-nouveau-1.0.18, librsvg-2.58.5, gtk+-3.24.42-r1, adwaita-icon-theme-46.2

- upgraded to libssh-0.11.1-r1, xdg-utils-1.2.1-r8, json-glib-1.10.6

Porteus Kiosk version 20241222

- upgraded to linux-6.6.67, intel-microcode-20241112_p20241103, sof-firmware-2024.09.2

- security fix mozilla-firefox-128.5.2 Changelog: link

Porteus Kiosk version 20241124

- security fix wget-1.25.0: Vulnerability with shorthand FTP URLs (CVE-2024-10524) #943275

- upgraded to baselayout-2.17, libpng-1.6.44, elfutils-0.191-r2, libXi-1.8.2, util-linux-2.40.2, xfsprogs-6.10.1, libxml2-2.12.8, dhcpcd-10.1.0, libxslt-1.1.39-r1, libevdev-1.13.3, xkeyboard-config-2.43, tigervnc-1.14.0-r2, curl-8.10.1-r1, abseil-cpp-20240722.0, libinput-1.26.2, wayland-1.23.1, cairo-1.18.2-r1, xorg-server-21.1.14-r99, librsvg-2.57.3-r2, xf86-input-evdev-2.11.0, xf86-input-libinput-1.5.0, xf86-video-mga-2.1.0, xf86-video-r128-6.13.0

- upgraded to net-snmp-5.9.4-r1, cups-2.4.11, hplip-3.24.4

Porteus Kiosk version 20241020

- upgraded to linux-6.6.57, intel-microcode-20240910_p20240915, sof-firmware-2024.06

- security fix curl-8.9.1: ASN.1 date parser overread (CVE-2024-7264) #937125

- upgraded to alsa-ucm-conf-1.2.12, libgpg-error-1.50, openssl-3.3.2, kmod-33, alsa-lib-1.2.12, libgcrypt-1.11.0, gnutls-3.8.7.1-r1, userspace-rcu-0.14.1, sqlite-3.46.1, alsa-utils-1.2.12, nss-3.101.2, systemd-utils-254.17, dhcpcd-10.0.10, libjpeg-turbo-3.0.3-r1, fontconfig-2.15.0-r1, harfbuzz-9.0.0, imlib2-1.12.3, pango-1.52.2, feh-3.10.3

- security fix mozilla-firefox-128.3.1 Changelog: link

- major Chrome upgrade upgraded to google-chrome-130.0.6723.58

- upgraded to wireless-regdb-20240508, tcl-8.6.14, libnl-3.10.0, wpa_supplicant-2.10-r5, iw-6.7

- upgraded to libsodium-1.0.20, libssh-0.10.6-r1

- upgraded to openssh-9.8_p1-r2

- security fix openjpeg-2.5.2: Heap-buffer-overflow in color.c:379:42 in sycc420_to_rgb (CVE-2021-3575) #832007

- security fix cups-2.4.10-r1: Missing PPD attribute validation #940316

- upgraded to libpaper-2.1.3, jbig2dec-0.20, libjpeg-turbo-3.0.3-r1, qpdf-11.9.1, lcms-2.16-r1, poppler-24.08.0

Porteus Kiosk version 20240915

- upgraded to linux-6.6.51, intel-microcode-20240813_p20240815, sof-firmware-2024.03

- upgraded AMD CPU microcode to latest version from git

- security fix openssl-3.0.14: Checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) #932317

- security fix expat-2.6.3: multiple vulnerabilities (CVE-2024-45490, CVE-2024-45491, CVE-2024-45492) #938894

- upgraded to libffi-3.4.6, nettle-3.10, libpcre2-10.44-r1, compose-tables-1.8.10, libX11-1.8.10, libXtst-1.2.5, logrotate-3.22.0, shadow-4.14.8, abseil-cpp-20240116.2-r4, libgudev-238-r2, libwacom-2.12.2, wayland-1.23.0-r1, libXfont2-2.0.7, speech-dispatcher-0.11.5, tigervnc-1.14.0-r1

- security fix ghostscript-gpl-10.03.1: Multiple vulnerabilities (CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, CVE-2024-33871) #932125

- security fix net-snmp-5.9.4: multiple vulnerabilities (CVE-2022-44792, CVE-2022-44793) #880231

- upgraded to perl-5.40.0, libieee1284-0.2.11-r9, poppler-24.06.1

Porteus Kiosk version 20240818

- upgraded to hwdata-0.383, ethtool-6.9, sqlite-3.46.0, rsync-3.3.0-r1, elfutils-0.191-r1, util-linux-2.39.4-r1, e2fsprogs-1.47.1, rsyslog-8.2404.0-r1, pciutils-3.13.0, xfsprogs-6.8.0, libevdev-1.13.2, xkeyboard-config-2.42, libwacom-2.11.0, libinput-1.26.1, libxkbcommon-1.7.0-r1, nghttp2-1.62.1, curl-8.8.0-r1, gtk+-3.24.41-r1

- security fix mozilla-firefox-128.1.0 Changelog: link

- upgraded to icaclient-24.5.0.76

Porteus Kiosk version 20240720

- upgraded to llvm-17.0.6, mesa-24.0.9, mesa-progs-9.0.0, gmmlib-22.3.19, libdrm-2.4.121, libva-2.21, libva-utils-2.21.0, libva-intel-media-driver-24.1.5

- added speech-dispatcher-0.11.4-r2

- major Firefox ESR release mozilla-firefox-128.0 changelog: 116.0 117.0 118.0 119.0 120.0 121.0 122.0 123.0 124.0 125.0 126.0 127.0 128.0

- kiosk fix disabled webpage translation popup by default for the Firefox browser

- new feature sync the time automatically when making a connection to porteus-kiosk.org server during system installation. Display a message that time must be set manually in the wizard if it's not correct (case where the NTP protocol/server is blocked in the network).

Porteus Kiosk version 20240707

- upgraded to linux-6.6.37, intel-microcode-20240514_p20240514

- kernel config: added support for PCI based UFS host controllers which are used in some laptops and miniPCs

- security fix libxml2-2.12.7: Buffer overread with xmllint --htmlout #931977

- security fix procps-4.0.4: ps buffer overflow (CVE-2023-4016) #931408

- security fix coreutils-9.5: chmod -R TOCTOU vulnerability #928062

- upgraded to hwdata-0.38, nettle-3.9.1-r1, libcap-2.70, kmod-32-r2, dhcpcd-10.0.8, harfbuzz-8.5.0

- major Chrome upgrade upgraded to google-chrome-126.0.6478.126

- kiosk fix fixed screensaver slideshow/webpage/video incompatibility with 'onscreen buttons'

- kiosk fix disabled 'Reading mode' feature for the Chrome browser

- kiosk fix disabled 'In Product help' Chrome popup related to the settings menu

- upgraded to libsodium-1.0.19_p20240117, remmina-1.4.35-r2

- security fix openssh-9.7_p1-r6: Remote code execution (CVE-2024-6387) #935271

Porteus Kiosk version 20240616

- security fix wget-1.24.5: cookie leakage with HSTS and subdomains #930041

- upgraded to libgpg-error-1.49, pacparser-1.4.3, dmidecode-3.6, rsync-3.3.0, systemd-utils-254.13, pciutils-3.12.0, xfsprogs-6.6.0-r1, iptables-1.8.10-r1, html-xml-utils-8.6, libcec-6.0.2-r2, fontconfig-2.15.0, harfbuzz-8.4.0, openbox-3.6.1-r9

- added abseil-cpp-20230125.3-r3

- security fix mozilla-firefox-115.12.0 Changelog: link

- upgraded to wvdial-1.61-r1, libnl-3.9.0

Porteus Kiosk version 20240519

- upgraded to linux-6.6.30, intel-microcode-20240312_p20240312, sof-firmware-2023.12.1

- security fix glibc-2.38-r13: Multiple vulnerabilities in nscd (CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602, GLIBC-SA-2024-0005, GLIBC-SA-2024-0006, GLIBC-SA-2024-0007, GLIBC-SA-2024-0008) #930667

- security fix glib-2.78.6: Signal subscription vulnerabilities (CVE-2024-3439) #931507

- upgraded to gcc-13.2.1_p20240210, alsa-ucm-conf, alsa-lib-1.2.11, alsa-utils-1.2.11, ncurses-6.4_p20240414, sysvinit-3.09, zlib-1.3.1-r1, sqlite-3.45.3, libpcre2-10.43, zstd-1.5.6, kmod-32-r1, libxml2-2.12.6, libpciaccess-0.18.1, libgpg-error-1.48, libusb-1.0.27-r1, ca-certificates-20240203.3.98, libevdev-1.13.1-r1, libwacom-2.10.0, curl-8.7.1-r4, libxkbcommon-1.7.0, mtdev-1.1.7, libX11-1.8.9, libepoxy-1.5.10-r3, rsyslog-8.2404.0, librsvg-2.57.3, libxcb-1.17.0, libXmu-1.2.1, xf86-input-wacom-1.2.2

- added alsa-plugins-1.2.7.1-r1, libpulse-17.0, pulseaudio-daemon-17.0-r1, libltdl-2.4.7-r1, libsndfile-1.2.2-r2, speexdsp-1.2.1, webrtc-audio-processing-1.3-r3

- kiosk fix removed the 1 pixel white line at the top of the kiosk screen which was visible when Firefox displayed the screensaver webpage

- new feature switched the sound subsystem from ALSA to PulseAudio. 'default_sound_card=' and 'default_microphone=' parameters are now obsolete. If they are present in the kiosk config then system falls back to using ALSA.

Porteus Kiosk version 20240421

- upgraded to timezone-data-2024a-r1, ethtool-6.7, libunistring-1.2, attr-2.5.2-r1, libpng-1.6.43, openssl-3.0.13-r2, sqlite-3.45.1-r1, coreutils-9.4-r1, libxcrypt-4.4.36-r3, libXdmcp-1.1.5, util-linux-2.39.3-r7, systemd-utils-254.10-r1, libxcb-1.16.1, libXext-1.3.6, at-spi2-core-2.50.2, ca-certificates-20230311.3.97, libpciaccess-0.18, libxkbfile-1.1.3, pixman-0.43.4, xkeyboard-config-2.41, libfontenc-1.1.8, nss-3.99, rsyslog-8.2402.0, inih-58, libXcursor-1.2.2, dhcpcd-10.0.6-r2, startup-notification-0.12-r2, libXaw-1.0.16, xev-1.2.6, iptables-1.8.10, xkbcomp-1.4.7, libXaw3d-1.6.6, nghttp2-1.61.0, curl-8.7.1-r2, pango-1.52.1, gtk+-3.24.41, imlib2-1.11.0, xorg-server-21.1.13-r99, conky-1.19.8, xf86-input-elographics-1.4.4, xf86-input-wacom-1.2.1

- major Chrome upgrade upgraded to google-chrome-124.0.6367.60

- security fix mozilla-firefox-115.10.0 Changelog: link

- kiosk fix disabled "In Product Help" popup which appears when password is saved in Chrome for the first time in the password manager

- kiosk fix disabled "In Product Help" popup which appears when you select "Search this page with Google" option in the Chrome's 3 dot settings menu

- upgraded to ppp-2.5.0-r7, wpa_supplicant-2.10-r4

- upgraded to libsodium-1.0.19-r2, freerdp-2.11.5-r10, remmina-1.4.35-r1

Porteus Kiosk version 20240328

- updated init script to use overlayfs instead of aufs

- kernel config: enabled overlayfs support and removed aufs as it causes 'kernel panic' during boot on certain PC models and kernel 6.6.x

- kiosk fix temporary disable transparency when starting default (ripples) screensaver otherwise it cannot load a screenshot image

- kiosk fix removed 'print test page' function from the wizard as we cannot inject printing module on the fly to the virtual filesystem after switching to overlayfs

Porteus Kiosk version 20240317

- mount aufs with 'udba=none' flag by default as writable branch is not accessible anyway after switching to /union, that should also give some small boost in aufs performance

- major kernel upgrade upgraded to linux-6.6.21

- upgraded to sof-firmware-2023.12, upgraded kernel firmware to latest version from git

- upgraded to gmmlib-22.3.17, libva-intel-media-driver-24.1.3, xorg-server-21.1.11-r99

- new security feature added support for individual SSL certificates and passwords when connecting to PK Server

- new feature added a 3rd party patch to xorg-server to use the 'modesetting' driver by default on Intel GPUs gen 4 and newer

- new feature added a 3rd party patch to xorg-server to enable the 'TearFree' feature for the 'modesetting' GPU driver

- new feature added a wrapper which should automatically fix the video output names in the 'screen_settings=' parameter after switching to the modesetting driver (no need to manually update the kiosk configs)

- kiosk fix import certificates before 'run_command=' parameter so is possible to download files from webpages configured with self-signed certs if you add a private key to the imported CA cert. Remote config still must be protected by a valid SSL cert, hosted on a PK Server "Premium" or plain http/ftp server (without SSL).

Porteus Kiosk version 20240310

- upgraded to linux-6.1.78

- major Chrome upgrade upgraded to google-chrome-122.0.6261.111

- kiosk security fix always verify SSL certificate on all connections. If you host remote config or kiosk files (e.g. wallpaper) on a web server then please ensure that SSL certificate is valid otherwise the 'remote management' function will not work. This rule applies also to the intranet deployments. Please ensure that the NTP protocol is not blocked in your network as the system time must be correct when validating the SSL certificate.

- kiosk security fix skip proxy when making connections to updates server, Porteus Kiosk Server and remote config server (relevant IPs are added to proxy exceptions by default) as we dont want the sensitive traffic to be intercepted or manipulated by anybody

- kiosk security fix never upload VNC passwords on PK server by default, server will download them from the client when initializing the VNC connection

- new security feature if 'root_password=' is not set in the kiosk config then generate a random one during each kiosk boot. Clients can still be accessed over SSH protocol using PK Server "Premium" which uses SSH keys and not passwords when communicating with the clients. Do not remove 'root_password=' parameter from your kiosk config if you plan to connect to your kiosk directly using e.g. Putty app. If you use PK Server "Premium" then its recommended to remove the root password from the kiosk configs in order to enchance the security on the clients.

- new security feature if 'vnc_password=' is not set in the kiosk config then generate a random one during each kiosk boot. Clients can still be accessed over VNC protocol using PK Server "Premium" which copies VNC password over SSH when initializing the VNC connection to the client. Do not remove 'vnc_password=' parameter from your kiosk config if you plan to connect to your kiosk directly using any VNC client e.g. TigerVNC. If you use PK Server "Premium" then its recommended to remove the VNC password from the kiosk configs in order to enchance the security on the clients.

- kiosk fix ignore "default_sound_card=0.0" parameter as it breaks the sound output in Chrome

- kiosk fix show up to 20 messages on the screen so its possible to see them all during system update

Porteus Kiosk version 20240303

- security fix glibc-2.38-r10: Multiple vulnerabilities (CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, GLIBC-SA-2024-0001, GLIBC-SA-2024-0002, GLIBC-SA-2024-0003) #923352

- security fix openssl-3.0.13: multiple vulnerabilities (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) #921684

- upgraded to libffi-3.4.4-r4, libcap-2.69-r1, libbsd-0.11.8, bzip2-1.0.8-r5, libpcre2-10.42-r2, sqlite-3.44.2-r2, libxcb-1.16-r1, rsync-3.2.7-r4, e2fsprogs-1.47.0-r3, pixman-0.43.2, zstd-1.5.5-r1, libinput-1.25.0, curl-8.5.0-r3, libdrm-2.4.120, libva-utils-2.20.1, libXaw3d-1.6.5-r1

- security fix mozilla-firefox-115.8 Changelog: link

- upgraded to libidn2-2.3.7, json-glib-1.8.0

- upgraded to libpaper-2.1.2, libidn-1.42, openjpeg-2.5.0-r6, qpdf-11.7.0, ghostscript-gpl-10.02.1, poppler-24.02.0, cups-2.4.7-r2

Porteus Kiosk version 20240211

- security fix curl-8.5.0: Multiple vulnerabilities (CVE-2023-42619, CVE-2023-46218) #919325

- upgraded to libffi-3.4.4-r3, baselayout-2.14-r2, timezone-data-2023d, traceroute-2.1.5, popt-1.19-r1, rsync-3.2.7-r3, zlib-1.3-r4, libxml2-2.12.5, systemd-utils-254.8, rsyslog-8.2312.0, ca-certificates-20230311.3.96.1, dhcpcd-10.0.6-r1, lsof-4.99.3, conky-1.19.6-r2, feh-3.10.2, libgcrypt-1.10.3-r1

- security fix mozilla-firefox-115.7 Changelog: link

- upgraded to libidn2-2.3.4-r2, shared-mime-info-2.4-r1, libvncserver-0.9.14-r2

- upgraded to libvncserver-0.9.14-r2

Porteus Kiosk version 20240121

- upgraded to linux-6.1.74, sof-firmware-2023.09.2

- upgraded to llvm-16.0.6, ethtool-6.6, sysvinit-3.08, coreutils-9.4, libXaw-1.0.15-r1, libxml2-2.11.5-r1, at-spi2-core-2.50.1, shadow-4.14.2, libglvnd-1.7.0, inih-57-r1, ca-certificates-20230311.3.95, ntp-4.2.8_p17-r1, usbutils-017, gmmlib-22.3.14, libdrm-2.4.118, libva-2.20.0, libva-intel-media-driver-23.4.3, libva-utils-2.20.0, mesa-23.2.1, libnotify-0.8.3, pango-1.51.0, gtk+-3.24.39, librsvg-2.57.0, libXfont2-2.0.6-r1, xorg-server-21.1.11

- added lsof-4.99

Porteus Kiosk version 20240107

- security fix cairo-1.18.0: Multiple vulnerabilities (CVE-2019-6461, CVE-2019-6462) #717778

- security fix traceroute-2.1.3: improper command line parsing (CVE-2023-46316) #917769

- upgraded to glib-2.78.3, libffi-3.4.4-r2, timezone-data-2023c-r1, alsa-ucm-conf-1.2.10-r1, hwdata-0.376, gmp-6.3.0-r1, zlib-1.3-r2, openssl-3.0.12, util-linux-2.38.1-r3, sqlite-3.44.2-r1, kmod-31, libxslt-1.1.39, systemd-utils-254.7, elfutils-0.190, tiff-4.6.0, alsa-lib-1.2.10-r2, libgpg-error-1.47-r1, xkeyboard-config-2.40-r1, ca-certificates-20230311.3.93, dhcpcd-10.0.5-r1, alsa-utils-1.2.10-r1, stunnel-5.71, libwacom-2.8.0, harfbuzz-8.3.0, openbox-3.6.1-r8, feh-3.10.1

- upgraded to google-chrome-120.0.6099.199

- security fix libssh-0.10.6 : terrapin vulnerability #920291

- upgraded to freerdp-2.11.1, remmina-1.4.31-r1

- security fix openssh-9.6_p1: ProxyCommand Unexpected Code Execution Vulnerability (CVE-2023-51385) #920722

Porteus Kiosk version 20231217

- major Chrome upgrade upgraded to google-chrome-120.0.6099.109

- kiosk fix disabled 'Featured experiments' button in the Chrome's UI (navigation bar)

- kiosk fix disabled 'In Product Help' popups in Chrome which appears when you perform certain actions for the first time with private mode disabled: open new tab, play video file, download file

- kiosk fix disabled 'NEW' flag on Google Password Manager in the 3-dot Chrome settings menu

- new feature updated Chrome flags for the 'hardware_video_decode=' parameter. Google switched to a new "Vaapi Video Decoder" which supports additional codecs: h265 and AV1. Right now it works only for Intel Broadwell GPUs and newer. If you use another GPU (e.g. AMD or older Intel) and need hardware video decode feature then you should switch to a Firefox browser as it supports all GPUs which are capable of accelerated video playback.

- new feature added udev rule to allow user 'guest' using the Yubikey products

Porteus Kiosk version 20231125

- upgraded to linux-6.1.63, intel-microcode-20231114_p20231114, sof-firmware-2023.09.1

- upgraded to c-ares-1.21.0, hwdata-0.375, dmidecode-3.5-r3, zlib-1.3-r1, libXrandr-1.5.4, systemd-utils-254.5-r2, xkeyboard-config-2.40, rsyslog-8.2310.0, libxkbcommon-1.6.0, xf86-video-siliconmotion-1.7.10

- security fix mozilla-firefox-115.5 Changelog: link

Porteus Kiosk version 20231104

- upgraded to linux-6.1.61

- upgraded AMD microcode to the latest version

- security fix xorg-server-21.1.9 Multiple vulnerabilities (CVE-2023-5367, CVE-2023-5380) #916254

- security fix zlib-1.2.13-r2: Buffer overflow (CVE-2023-45853) #916484

- upgraded to hwdata-0.374, ethtool-6.5, acpid-2.0.34-r1, sqlite-3.43.2, harfbuzz-8.2.0

- security fix mozilla-firefox-115.4 Changelog: link

- kiosk fix when the address bar is disabled in the Firefox browser then do not allow opening a new tab by double clicking on the empty space in the tab bar area

- kiosk fix removed the 1 pixel white line at the top of the kiosk screen when Firefox works with the navigation bar disabled

- kiosk fix re-enabled 'hinting-slight' feature (previously it broke our gtkdialog apps and had to be disabled) so fonts in kiosk should look much better now

- upgraded to libidn2-2.3.4-r1, libsodium-1.0.19-r1, libvncserver-0.9.14-r1

Porteus Kiosk version 20231015

- security fix glibc-2.37-r7 Local Privilege Escalation in ld.so (CVE-2023-4911) #915127

- security fix libxml2-2.11.5-r1: Use-after-free if memory allocation fails (CVE-2023-45322) #915351

- security fix libX11-1.8.7: Multiple vulnerabilities (CVE-2023-43785, CVE-2023-43786, CVE-2023-43787) #915129

- security fix libXpm-3.5.17: Multiple vulnerabilities (CVE-2023-43788, CVE-2023-43789) #915130

- security fix lua-5.4.6: heap buffer overflow in recursive errors (CVE-2022-33099) #856463

- security fix nghttp2-1.57.0: HTTP/2 Rapid Reset vulnerability #915554

- security fix curl-8.4.0: security stabilisation #915569

- upgraded to gcc-13.2.1_p20230826, openssl-3.0.11, nss-3.91, elfutils-0.189-r4, systemd-utils-253.11-r1, libxcb-1.16, libgcrypt-1.10.2, dhcpcd-10.0.3, sshpass-1.09-r1, libinput-1.24.0, freetype-2.13.2, fontconfig-2.14.2-r3, xf86-input-libinput-1.4.0

- upgraded to libnl-3.8.0

- upgraded to openssh-9.4_p1-r1

- security fix cups-2.4.7: Buffer overflow when reading Postscript in PPD files (CVE-2023-4504) #914781

- security fix cups-filters-1.28.17-r2: RCE via beh filter (CVE-2023-24805, GHSA-gpxc-v2m8-fr3x) #906944

- upgraded to python-3.10.13, qpdf-11.5.0, ghostscript-gpl-10.02.0

Porteus Kiosk version 20230930

- security fix mozilla-firefox-115.3.1 Changelog: link

- upgraded to wpa_supplicant-2.10-r3, tcl-8.6.13-r1, ppp-2.5.0-r4, crda-4.15-r2

- security fix openssh-9.3_p2: Remote code execution in ssh-agent PKCS#11 support (CVE-2023-38408) #910553

Porteus Kiosk version 20230909

- security fix tiff-4.5.1: multiple vulnerabilities (CVE-2023-1916, CVE-2023-25434, CVE-2023-26965, CVE-2023-2731) #904424

- upgraded to alsa-ucm-conf-1.2.9, hwdata-0.373, libmd-1.1.0, cronbase-0.3.7-r10, ethtool-6.4, gmp-6.3.0, libpcre-8.45-r2, libpng-1.6.40-r1, gnutls-3.8.0, iw-5.19, libxcrypt-4.4.36, coreutils-9.3-r3, alsa-lib-1.2.9, elfutils-0.189-r1, mtr-0.95-r1, alsa-utils-1.2.9, systemd-utils-253.6, xkeyboard-config-2.39, inih-57, curl-8.1.2, dhcpcd-10.0.2, xfsprogs-6.4.0, libjpeg-turbo-3.0.0, glib-2.76.4, libgudev-238-r1, libwacom-2.7.0, libepoxy-1.5.10-r2, harfbuzz-8.0.1, xorg-server-21.1.8-r2, conky-1.19.2-r1, librsvg-2.56.3, lua-5.4.4-r103

- upgraded to perl-5.38.0-r1, poppler-data-0.4.12, lcms-2.15, poppler-23.08.0, libpaper-2.1.0

Porteus Kiosk version 20230820

- upgraded to linux-6.1.46, intel-microcode-20230808_p20230804

- new kernel and microcode versions fixes important vulnerabilities: Intel Downfall, AMD Inception and AMD Zen 1 "Divide By Zero" bug

- upgraded VAAPI stack which is required by new Chrome: libva-2.19.0, libva-utils-2.19.0, gmmlib-22.3.7, libva-intel-media-driver-23.2.4

- major Chrome upgrade upgraded to google-chrome-115.0.5790.170

- kiosk fix disabled 'High Efficiency' mode for the Chrome browser to prevent discarding of tabs after a certain period of time

- kiosk fix disabled DRI3 support for VAAPI library when hardware video decode is enabled for the Chrome browser (otherwise hardware acceleration wont work)

Porteus Kiosk version 20230805

- kiosk fix fixed a bug where the watchdog daemon prevented kiosk reconfiguration on a fast booting systems

- upgraded to linux-6.1.42, intel-microcode-20230613_p20230520, sof-firmware-2.2.6

- upgraded AMD CPU firmware to latest version from git to fix 'Zenbleed' vulnerabilities

- major Firefox ESR release mozilla-firefox-115.1.0 changelog: 103.0 104.0 105.0 106.0 107.0 108.0 109.0 110.0 111.0 112.0 113.0 114.0 115.0

- kiosk fix removed extensions button from the Firefox UI as it allows to list installed extensions and report them to Mozilla

- kiosk fix removed 'Firefox view' button from the Firefox UI as its not needed for kiosk purposes

- kiosk fix removed 'minimize, restore down, close' buttons when Firefox works with 'autohide_navigation_bar=yes' parameter

- kiosk fix start Firefox in kiosk mode (instead of fullscreen) when displaying the screensaver video or screensaver URL

- new feature upgraded Firefox plugins to latest available versions

Porteus Kiosk version 20230715

- security fix libX11-1.8.6: Buffer overflows in InitExt.c (CVE-2023-3138) #908549

- security fix shadow-4.13-r4: possible password leak during passwd(1) change #908613

- upgraded to procps-3.3.17-r2, libunistring-1.1-r1, nettle-3.9.1, e2fsprogs-1.47.0-r2, ca-certificates-20230311.3.90, libxml2-2.11.4:2, ntp-4.2.8_p17, libxslt-1.1.38, fribidi-1.0.13, glib-2.76.3, at-spi2-core-2.48.3, librsvg-2.56.1, gtk+-3.24.38

- upgraded to remmina-1.4.31

- security fix cups-2.4.6: Use-after-free when logging warnings during cupsdAcceptClient failure (CVE-2023-34241) #909018

- security fix ghostscript-gpl-10.01.2: Code execution vulnerability (CVE-2023-36664) #910294

- upgraded to libpaper-2.0.12, perl-5.36.1-r3, net-snmp-5.9.3-r3, libusb-compat-0.1.8, openjpeg-2.5.0-r5, poppler-23.05.0, python-3.10.12, sane-backends-1.2.1

Porteus Kiosk version 20230625

- security fix c-ares-1.19.1: Multiple vulnerabilities (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067) #906964

- upgraded to hwdata-0.371, dmidecode-3.5-r2, ethtool-6.3, sysvinit-3.07, coreutils-9.3-r2, wget-1.21.4, sqlite-3.42.0, nspr-4.35-r2, pciutils-3.10.0, xfsprogs-6.3.0, dhcpcd-9.5.1, libjpeg-turbo-2.1.5.1

- security fix mozilla-firefox-102.12.0 Changelog: link

- upgraded to libgpg-error-1.47, freerdp-2.10.0-r3

Porteus Kiosk version 20230604

- security fix openssl-1.1.1u: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650) #907413

- security fix libcap-2.69: Multiple vulnerabilities (CAP-CR-23-02, CVE-2023-2602, CVE-2023-2603, LCAP-CR-23-01) #906461

- security fix libXpm-3.5.16: multiple vulnerabilities (CVE-2022-44617, CVE-2022-46285, CVE-2022-4883) #891209

- upgraded to ncurses-6.4_p20230401, hwdata-0.369, tiff-4.5.0-r2, libfastjson-1.2304.0, libXi-1.8.1, setxkbmap-1.3.4, xinput-1.6.4, coreutils-9.3-r1, rsyslog-8.2304.0, ca-certificates-20230311.3.89.1, gmmlib-22.3.5, libpciaccess-0.17-r1, libevdev-1.13.1, libXaw3d-1.6.5, libva-intel-media-driver-23.1.6, mesa-amber-21.3.9-r1, fontconfig-2.14.2-r2, harfbuzz-7.3.0, libXft-2.3.8, conky-1.17.0-r1, feh-3.10, xf86-video-ati-22.0.0, gtk+-2.24.33-r3

- security fix ppp-2.5.0: out-of-bounds read (CVE-2022-4603) #887017

- security fix libssh-0.10.5: Multiple vulnerabilities (CVE-2023-1667, CVE-2023-2283, GHSL-2023-085) #905746

- upgraded to freerdp-2.10.0-r2, remmina-1.4.30

Porteus Kiosk version 20230514

- security fix freetype-2.13.0: integer overflow vulnerability (CVE-2023-2004) #881443

- security fix libxml2-2.10.4: Multiple vulnerabilities (CVE-2023-28484, CVE-2023-29469) #904202

- security fix dmidecode-3.5: root privilege escalation via file overwrite (CVE-2023-30630) #905093

- security fix curl-8.0.1: Multiple vulnerabilities (CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538) #902801

- upgraded to libffi-3.4.4-r1, timezone-data-2023c, ethtool-6.2, rsync-3.2.7-r2, libcap-2.68, libfastjson-0.99.9.1, userspace-rcu-0.14.0, libXfixes-6.0.1, libXt-1.3.0, systemd-utils-252.9, zstd-1.5.5, rsyslog-8.2302.0, libcec-6.0.2-r1, iptables-1.8.9, libinput-1.23.0, at-spi2-core-2.48.0, wayland-1.22.0, pango-1.50.14, conky-1.17.0, feh-3.9.1-r1, librsvg-2.56.0, xf86-input-libinput-1.3.0, xf86-input-wacom-1.2.0, openbox-3.6.1-r5

- security fix mozilla-firefox-102.11.0 Changelog: link

- upgraded to ppp-2.4.9-r9

Porteus Kiosk version 20230423

- security fix xorg-server-21.1.8 Privilege escalation via use-after-free (CVE-2023-1393) #903547

- security fix shadow-4.13-r3 shadow file manipulation via chfn (CVE-2023-29383) #904518

- upgraded to hwdata-0.367, dmidecode-3.4-r1, libxcrypt-4.4.33, sqlite-3.41.2-r1, libX11-1.8.4-r1, nss-3.79.4, openssl-1.1.1t-r3, util-linux-2.38.1-r2, e2fsprogs-1.47.0-r1, ca-certificates-20211016.3.88.1, stunnel-5.68, curl-7.88.1-r2, xkeyboard-config-2.38, zstd-1.5.4-r3, glib-2.74.6, libnotify-0.8.2, cairo-1.17.8, pango-1.50.13, xf86-video-intel-2.99.917_p20230201, tigervnc-1.13.1, gtk+-3.24.37

- upgraded to google-chrome-112.0.5615.121

Porteus Kiosk version 20230408

- upgraded to intel-microcode-20230214_p20230212

- kernel config: compiled DAX driver directly to the vmlinuz image as it's required by PCs which initialize device mapper early during boot

- major Chrome upgrade upgraded to google-chrome-112.0.5615.49