Real time changelog for Porteus Kiosk clients
Each new system version (e.g. 20140605) triggers an action on the client side to pull updated components from our update servers. After a short downtime the system is ready to use with all security fixes, updates and new features merged into the ISO. Everything is done automatically without any user action.
vmlinuz and 000-kernel.xzm:
- upgraded to sof-firmware-2025.01
001-core:
- upgraded to expat-2.7.1, ncurses-6.5_p20250125, libpng-1.6.46, libpcre2-10.45, sqlite-3.49.1, libSM-1.2.6, nss-3.101.3, alsa-lib-1.2.13-r3, userspace-rcu-0.15.1, libX11-1.8.12, xinit-1.4.4, e2fsprogs-1.47.2-r3, xfsprogs-6.12.0, libxml2-2.13.7, dhcpcd-10.2.2, libxslt-1.1.43, nghttp2-1.65.0-r1, curl-8.12.1, libjpeg-turbo-3.1.0, xkeyboard-config-2.44, libtasn1-4.20.0, libxkbcommon-1.8.0, gnutls-3.8.9-r1, cairo-1.18.4, harfbuzz-10.4.0-r1, imlib2-1.12.3-r1, tigervnc-1.15.0, gtk+-3.24.48
002-firefox:
- upgraded to mozilla-firefox-128.9.0
003-settings.xzm:
- kiosk fix set the primary/secondary keyboard layout again when the USB keyboard is plugged in
- new feature added support for most popular languages and webpage localizations to the Firefox and Chrome browsers: Czech (cs), Danish (da), German (de), Spanish (es), Finnish (fi), French (fr), Italian (it), Norwegian Bokmal (nb), Dutch (nl), Polish (pl), Portuguese (pt-pt), Swedish (sv), preference link.
004-wifi.xzm:
- upgraded to usb_modeswitch-2.6.1-r1
08-ssh.xzm:
- upgraded to openssh-9.9_p2-r3
10-printing.xzm:
- upgraded to qpdf-12.0.0, sane-backends-1.3.1-r1, ghostscript-gpl-10.04.0, poppler-25.03.0, cups-filters-2.0.1
- added hplip-plugin-3.24.4
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-6.12.20
- upgraded kernel firmware to latest version from git
001-core:
- upgraded to glib-2.82.5, libdrm-2.4.124, libva-2.22.0, libva-utils-2.22.0, libva-intel-driver-2.4.1-r6, gmmlib-22.5.5, libva-intel-media-driver-24.4.4-r1, llvm-15.0.7-r7, llvm-19.1.7, mesa-24.3.4-r1
- added spirv-tools-1.4.304.0
002-firefox:
- upgraded to mozilla-firefox-128.8.1
003-settings.xzm:
- new feature added support for accepting media devices (webcam, microphone) without displaying a prompt in the browser: link
- new feature added 'onscreen_buttons=' support for the Chrome browser
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.80, intel-microcode-20250211_p20250211
001-core:
- upgraded to libffi-3.4.6-r3, alsa-ucm-conf-1.2.13, hwdata-0.391, timezone-data-2025a-r1, nettle-3.10.1, tiff-4.7.0-r1, openssl-3.3.3, libgcrypt-1.11.0-r2, alsa-lib-1.2.13-r2, gnutls-3.8.8, sqlite-3.47.2-r1, alsa-utils-1.2.13-r2, libXt-1.3.1-r1, xinit-1.4.3, util-linux-2.40.4, systemd-utils-255.15-r1, e2fsprogs-1.47.2, rsyslog-8.2412.0, dhcpcd-10.1.0-r1, freetds-1.4.24, libwacom-2.14.0, libinput-1.27.1, nghttp2-1.64.0, curl-8.11.1-r2, xf86-input-synaptics-1.10.0, xf86-video-ast-1.2.0
002-chrome:
- major Chrome upgrade upgraded to google-chrome-133.0.6943.126
003-settings.xzm:
- new feature added support for skipping updates for certain day(s) in a week: link
004-wifi.xzm:
- upgraded to tcl-8.6.15, tk-8.6.15, ppp-2.5.2, wpa_supplicant-2.10-r6
08-ssh.xzm:
- upgraded to openssh-9.9_p2
001-core:
- security fix libxml2-2.12.9: Regression in consumer protection from CVE-2012-0037 (CVE-2024-40896) #943198
- security fix rsync-3.3.0-r2: Multiple vulnerabilities (CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747) #948106
- security fix openssl-3.3.2-r1: Low-level invalid GF(2^m) parameters lead to OOB memory access (CVE-2024-9143) #941643
- security fix expat-2.6.4: NULL pointer dereference through function XML_ResumeParser (CVE-2024-50602) #942969
- upgraded to glibc-2.40-r5, gcc-14.2.1_p20241116, glib-2.80.5-r1, alsa-plugins-1.2.12, hwdata-0.390, pacparser-1.4.5, ethtool-6.10, libgpg-error-1.51, libcap-2.7, libXau-1.0.12, libxshmfence-1.3.3, libICE-1.1.2, libSM-1.2.5, procps-4.0.4-r2, libgcrypt-1.11.0-r1, nspr-4.36, sshpass-1.10, libX11-1.8.10-r1, libXrender-0.9.12, libXt-1.3.1, libXcursor-1.2.3, libXxf86vm-1.1.6, libXv-1.0.13, xrandr-1.5.3, xcompmgr-1.1.10, lsof-4.99.4, rsyslog-8.2404.0-r3, xfsprogs-6.11.0, iptables-1.8.11-r1, pixman-0.44.2, libxcvt-0.1.3, usbutils-018, curl-8.10.1-r2, libltdl-2.5.4, libwacom-2.13.0, libinput-1.27.0, at-spi2-core-2.52.0, lm-sensors-3.6.2, freetype-2.13.3, harfbuzz-10.1.0, xorg-server-21.1.15-r99, tigervnc-1.14.1-r3, gdk-pixbuf-2.42.12, xf86-input-wacom-1.2.3, xf86-video-fbdev-0.5.1, xf86-video-nouveau-1.0.18, librsvg-2.58.5, gtk+-3.24.42-r1, adwaita-icon-theme-46.2
005-thinclient.xzm:
- upgraded to libssh-0.11.1-r1, xdg-utils-1.2.1-r8, json-glib-1.10.6
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.67, intel-microcode-20241112_p20241103, sof-firmware-2024.09.2
002-firefox:
- security fix mozilla-firefox-128.5.2 Changelog: link
001-core:
- security fix wget-1.25.0: Vulnerability with shorthand FTP URLs (CVE-2024-10524) #943275
- upgraded to baselayout-2.17, libpng-1.6.44, elfutils-0.191-r2, libXi-1.8.2, util-linux-2.40.2, xfsprogs-6.10.1, libxml2-2.12.8, dhcpcd-10.1.0, libxslt-1.1.39-r1, libevdev-1.13.3, xkeyboard-config-2.43, tigervnc-1.14.0-r2, curl-8.10.1-r1, abseil-cpp-20240722.0, libinput-1.26.2, wayland-1.23.1, cairo-1.18.2-r1, xorg-server-21.1.14-r99, librsvg-2.57.3-r2, xf86-input-evdev-2.11.0, xf86-input-libinput-1.5.0, xf86-video-mga-2.1.0, xf86-video-r128-6.13.0
10-printing.xzm:
- upgraded to net-snmp-5.9.4-r1, cups-2.4.11, hplip-3.24.4
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.57, intel-microcode-20240910_p20240915, sof-firmware-2024.06
001-core:
- security fix curl-8.9.1: ASN.1 date parser overread (CVE-2024-7264) #937125
- upgraded to alsa-ucm-conf-1.2.12, libgpg-error-1.50, openssl-3.3.2, kmod-33, alsa-lib-1.2.12, libgcrypt-1.11.0, gnutls-3.8.7.1-r1, userspace-rcu-0.14.1, sqlite-3.46.1, alsa-utils-1.2.12, nss-3.101.2, systemd-utils-254.17, dhcpcd-10.0.10, libjpeg-turbo-3.0.3-r1, fontconfig-2.15.0-r1, harfbuzz-9.0.0, imlib2-1.12.3, pango-1.52.2, feh-3.10.3
002-firefox:
- security fix mozilla-firefox-128.3.1 Changelog: link
002-chrome:
- major Chrome upgrade upgraded to google-chrome-130.0.6723.58
004-wifi.xzm:
- upgraded to wireless-regdb-20240508, tcl-8.6.14, libnl-3.10.0, wpa_supplicant-2.10-r5, iw-6.7
005-thinclient.xzm:
- upgraded to libsodium-1.0.20, libssh-0.10.6-r1
08-ssh.xzm:
- upgraded to openssh-9.8_p1-r2
10-printing.xzm:
- security fix openjpeg-2.5.2: Heap-buffer-overflow in color.c:379:42 in sycc420_to_rgb (CVE-2021-3575) #832007
- security fix cups-2.4.10-r1: Missing PPD attribute validation #940316
- upgraded to libpaper-2.1.3, jbig2dec-0.20, libjpeg-turbo-3.0.3-r1, qpdf-11.9.1, lcms-2.16-r1, poppler-24.08.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.51, intel-microcode-20240813_p20240815, sof-firmware-2024.03
- upgraded AMD CPU microcode to latest version from git
001-core:
- security fix openssl-3.0.14: Checking excessively long DSA keys or parameters may be very slow (CVE-2024-4603) #932317
- security fix expat-2.6.3: multiple vulnerabilities (CVE-2024-45490, CVE-2024-45491, CVE-2024-45492) #938894
- upgraded to libffi-3.4.6, nettle-3.10, libpcre2-10.44-r1, compose-tables-1.8.10, libX11-1.8.10, libXtst-1.2.5, logrotate-3.22.0, shadow-4.14.8, abseil-cpp-20240116.2-r4, libgudev-238-r2, libwacom-2.12.2, wayland-1.23.0-r1, libXfont2-2.0.7, speech-dispatcher-0.11.5, tigervnc-1.14.0-r1
10-printing.xzm:
- security fix ghostscript-gpl-10.03.1: Multiple vulnerabilities (CVE-2023-52722, CVE-2024-29510, CVE-2024-33869, CVE-2024-33870, CVE-2024-33871) #932125
- security fix net-snmp-5.9.4: multiple vulnerabilities (CVE-2022-44792, CVE-2022-44793) #880231
- upgraded to perl-5.40.0, libieee1284-0.2.11-r9, poppler-24.06.1
001-core:
- upgraded to hwdata-0.383, ethtool-6.9, sqlite-3.46.0, rsync-3.3.0-r1, elfutils-0.191-r1, util-linux-2.39.4-r1, e2fsprogs-1.47.1, rsyslog-8.2404.0-r1, pciutils-3.13.0, xfsprogs-6.8.0, libevdev-1.13.2, xkeyboard-config-2.42, libwacom-2.11.0, libinput-1.26.1, libxkbcommon-1.7.0-r1, nghttp2-1.62.1, curl-8.8.0-r1, gtk+-3.24.41-r1
002-firefox:
- security fix mozilla-firefox-128.1.0 Changelog: link
11-citrix.xzm:
- upgraded to icaclient-24.5.0.76
001-core:
- upgraded to llvm-17.0.6, mesa-24.0.9, mesa-progs-9.0.0, gmmlib-22.3.19, libdrm-2.4.121, libva-2.21, libva-utils-2.21.0, libva-intel-media-driver-24.1.5
- added speech-dispatcher-0.11.4-r2
002-firefox:
- major Firefox ESR release mozilla-firefox-128.0 changelog: 116.0 117.0 118.0 119.0 120.0 121.0 122.0 123.0 124.0 125.0 126.0 127.0 128.0
003-settings.xzm:
- kiosk fix disabled webpage translation popup by default for the Firefox browser
- new feature sync the time automatically when making a connection to porteus-kiosk.org server during system installation. Display a message that time must be set manually in the wizard if it's not correct (case where the NTP protocol/server is blocked in the network).
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.37, intel-microcode-20240514_p20240514
- kernel config: added support for PCI based UFS host controllers which are used in some laptops and miniPCs
001-core:
- security fix libxml2-2.12.7: Buffer overread with xmllint --htmlout #931977
- security fix procps-4.0.4: ps buffer overflow (CVE-2023-4016) #931408
- security fix coreutils-9.5: chmod -R TOCTOU vulnerability #928062
- upgraded to hwdata-0.38, nettle-3.9.1-r1, libcap-2.70, kmod-32-r2, dhcpcd-10.0.8, harfbuzz-8.5.0
002-chrome:
- major Chrome upgrade upgraded to google-chrome-126.0.6478.126
003-settings.xzm:
- kiosk fix fixed screensaver slideshow/webpage/video incompatibility with 'onscreen buttons'
- kiosk fix disabled 'Reading mode' feature for the Chrome browser
- kiosk fix disabled 'In Product help' Chrome popup related to the settings menu
005-thinclient.xzm:
- upgraded to libsodium-1.0.19_p20240117, remmina-1.4.35-r2
08-ssh.xzm:
- security fix openssh-9.7_p1-r6: Remote code execution (CVE-2024-6387) #935271
001-core:
- security fix wget-1.24.5: cookie leakage with HSTS and subdomains #930041
- upgraded to libgpg-error-1.49, pacparser-1.4.3, dmidecode-3.6, rsync-3.3.0, systemd-utils-254.13, pciutils-3.12.0, xfsprogs-6.6.0-r1, iptables-1.8.10-r1, html-xml-utils-8.6, libcec-6.0.2-r2, fontconfig-2.15.0, harfbuzz-8.4.0, openbox-3.6.1-r9
- added abseil-cpp-20230125.3-r3
002-firefox:
- security fix mozilla-firefox-115.12.0 Changelog: link
004-wifi.xzm:
- upgraded to wvdial-1.61-r1, libnl-3.9.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.6.30, intel-microcode-20240312_p20240312, sof-firmware-2023.12.1
001-core:
- security fix glibc-2.38-r13: Multiple vulnerabilities in nscd (CVE-2024-33599, CVE-2024-33600, CVE-2024-33601, CVE-2024-33602, GLIBC-SA-2024-0005, GLIBC-SA-2024-0006, GLIBC-SA-2024-0007, GLIBC-SA-2024-0008) #930667
- security fix glib-2.78.6: Signal subscription vulnerabilities (CVE-2024-3439) #931507
- upgraded to gcc-13.2.1_p20240210, alsa-ucm-conf, alsa-lib-1.2.11, alsa-utils-1.2.11, ncurses-6.4_p20240414, sysvinit-3.09, zlib-1.3.1-r1, sqlite-3.45.3, libpcre2-10.43, zstd-1.5.6, kmod-32-r1, libxml2-2.12.6, libpciaccess-0.18.1, libgpg-error-1.48, libusb-1.0.27-r1, ca-certificates-20240203.3.98, libevdev-1.13.1-r1, libwacom-2.10.0, curl-8.7.1-r4, libxkbcommon-1.7.0, mtdev-1.1.7, libX11-1.8.9, libepoxy-1.5.10-r3, rsyslog-8.2404.0, librsvg-2.57.3, libxcb-1.17.0, libXmu-1.2.1, xf86-input-wacom-1.2.2
- added alsa-plugins-1.2.7.1-r1, libpulse-17.0, pulseaudio-daemon-17.0-r1, libltdl-2.4.7-r1, libsndfile-1.2.2-r2, speexdsp-1.2.1, webrtc-audio-processing-1.3-r3
003-settings.xzm:
- kiosk fix removed the 1 pixel white line at the top of the kiosk screen which was visible when Firefox displayed the screensaver webpage
- new feature switched the sound subsystem from ALSA to PulseAudio. 'default_sound_card=' and 'default_microphone=' parameters are now obsolete. If they are present in the kiosk config then the system falls back to using ALSA.
001-core:
- upgraded to timezone-data-2024a-r1, ethtool-6.7, libunistring-1.2, attr-2.5.2-r1, libpng-1.6.43, openssl-3.0.13-r2, sqlite-3.45.1-r1, coreutils-9.4-r1, libxcrypt-4.4.36-r3, libXdmcp-1.1.5, util-linux-2.39.3-r7, systemd-utils-254.10-r1, libxcb-1.16.1, libXext-1.3.6, at-spi2-core-2.50.2, ca-certificates-20230311.3.97, libpciaccess-0.18, libxkbfile-1.1.3, pixman-0.43.4, xkeyboard-config-2.41, libfontenc-1.1.8, nss-3.99, rsyslog-8.2402.0, inih-58, libXcursor-1.2.2, dhcpcd-10.0.6-r2, startup-notification-0.12-r2, libXaw-1.0.16, xev-1.2.6, iptables-1.8.10, xkbcomp-1.4.7, libXaw3d-1.6.6, nghttp2-1.61.0, curl-8.7.1-r2, pango-1.52.1, gtk+-3.24.41, imlib2-1.11.0, xorg-server-21.1.13-r99, conky-1.19.8, xf86-input-elographics-1.4.4, xf86-input-wacom-1.2.1
002-chrome:
- major Chrome upgrade upgraded to google-chrome-124.0.6367.60
002-firefox:
- security fix mozilla-firefox-115.10.0 Changelog: link
003-settings.xzm:
- kiosk fix disabled "In Product Help" popup which appears when password is saved in Chrome for the first time in the password manager
- kiosk fix disabled "In Product Help" popup which appears when you select "Search this page with Google" option in Chrome's 3-dot settings menu
004-wifi.xzm:
- upgraded to ppp-2.5.0-r7, wpa_supplicant-2.10-r4
005-thinclient.xzm:
- upgraded to libsodium-1.0.19-r2, freerdp-2.11.5-r10, remmina-1.4.35-r1
initrd:
- updated init script to use overlayfs instead of aufs
vmlinuz and 000-kernel.xzm:
- kernel config: enabled overlayfs support and removed aufs as it causes 'kernel panic' during boot on certain PC models and kernel 6.6.x
003-settings.xzm:
- kiosk fix temporarily disable transparency when starting default (ripples) screensaver, otherwise it cannot load a screenshot image
- kiosk fix removed 'print test page' function from the wizard as we cannot inject printing module on the fly to the virtual filesystem after switching to overlayfs
initrd:
- mount aufs with 'udba=none' flag by default as writable branch is not accessible anyway after switching to /union, that should also give some small boost in aufs performance
vmlinuz and 000-kernel.xzm:
- major kernel upgrade upgraded to linux-6.6.21
- upgraded to sof-firmware-2023.12, upgraded kernel firmware to latest version from git
001-core:
- upgraded to gmmlib-22.3.17, libva-intel-media-driver-24.1.3, xorg-server-21.1.11-r99
003-settings.xzm:
- new security feature added support for individual SSL certificates and passwords when connecting to PK Server
- new feature added a 3rd party patch to xorg-server to use the 'modesetting' driver by default on Intel GPUs gen 4 and newer
- new feature added a 3rd party patch to xorg-server to enable the 'TearFree' feature for the 'modesetting' GPU driver
- new feature added a wrapper which should automatically fix the video output names in the 'screen_settings=' parameter after switching to the modesetting driver (no need to manually update the kiosk configs)
- kiosk fix import certificates before 'run_command=' parameter so it is possible to download files from webpages configured with self-signed certs if you add a private key to the imported CA cert. Remote config still must be protected by a valid SSL cert, hosted on a PK Server "Premium" or plain http/ftp server (without SSL).
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.78
002-chrome:
- major Chrome upgrade upgraded to google-chrome-122.0.6261.111
003-settings.xzm:
- kiosk security fix always verify SSL certificate on all connections. If you host remote config or kiosk files (e.g. wallpaper) on a web server then please ensure that the SSL certificate is valid, otherwise the 'remote management' function will not work. This rule also applies to intranet deployments. Please ensure that the NTP protocol is not blocked in your network as the system time must be correct when validating the SSL certificate.
- kiosk security fix skip proxy when making connections to updates server, Porteus Kiosk Server and remote config server (relevant IPs are added to proxy exceptions by default) as we don't want the sensitive traffic to be intercepted or manipulated by anybody
- kiosk security fix never upload VNC passwords on PK server by default, server will download them from the client when initializing the VNC connection
- new security feature if 'root_password=' is not set in the kiosk config then generate a random one during each kiosk boot. Clients can still be accessed over SSH protocol using PK Server "Premium" which uses SSH keys and not passwords when communicating with the clients. Do not remove 'root_password=' parameter from your kiosk config if you plan to connect to your kiosk directly using e.g. Putty app. If you use PK Server "Premium" then it's recommended to remove the root password from the kiosk configs in order to enhance the security on the clients.
- new security feature if 'vnc_password=' is not set in the kiosk config then generate a random one during each kiosk boot. Clients can still be accessed over VNC protocol using PK Server "Premium" which copies VNC password over SSH when initializing the VNC connection to the client. Do not remove 'vnc_password=' parameter from your kiosk config if you plan to connect to your kiosk directly using any VNC client e.g. TigerVNC. If you use PK Server "Premium" then it's recommended to remove the VNC password from the kiosk configs in order to enhance the security on the clients.
- kiosk fix ignore "default_sound_card=0.0" parameter as it breaks the sound output in Chrome
- kiosk fix show up to 20 messages on the screen so it's possible to see them all during system update
001-core:
- security fix glibc-2.38-r10: Multiple vulnerabilities (CVE-2023-6246, CVE-2023-6779, CVE-2023-6780, GLIBC-SA-2024-0001, GLIBC-SA-2024-0002, GLIBC-SA-2024-0003) #923352
- security fix openssl-3.0.13: multiple vulnerabilities (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) #921684
- upgraded to libffi-3.4.4-r4, libcap-2.69-r1, libbsd-0.11.8, bzip2-1.0.8-r5, libpcre2-10.42-r2, sqlite-3.44.2-r2, libxcb-1.16-r1, rsync-3.2.7-r4, e2fsprogs-1.47.0-r3, pixman-0.43.2, zstd-1.5.5-r1, libinput-1.25.0, curl-8.5.0-r3, libdrm-2.4.120, libva-utils-2.20.1, libXaw3d-1.6.5-r1
002-firefox:
- security fix mozilla-firefox-115.8 Changelog: link
005-thinclient.xzm:
- upgraded to libidn2-2.3.7, json-glib-1.8.0
10-printing.xzm:
- upgraded to libpaper-2.1.2, libidn-1.42, openjpeg-2.5.0-r6, qpdf-11.7.0, ghostscript-gpl-10.02.1, poppler-24.02.0, cups-2.4.7-r2
001-core:
- security fix curl-8.5.0: Multiple vulnerabilities (CVE-2023-42619, CVE-2023-46218) #919325
- upgraded to libffi-3.4.4-r3, baselayout-2.14-r2, timezone-data-2023d, traceroute-2.1.5, popt-1.19-r1, rsync-3.2.7-r3, zlib-1.3-r4, libxml2-2.12.5, systemd-utils-254.8, rsyslog-8.2312.0, ca-certificates-20230311.3.96.1, dhcpcd-10.0.6-r1, lsof-4.99.3, conky-1.19.6-r2, feh-3.10.2, libgcrypt-1.10.3-r1
002-firefox:
- security fix mozilla-firefox-115.7 Changelog: link
005-thinclient.xzm:
- upgraded to libidn2-2.3.4-r2, shared-mime-info-2.4-r1, libvncserver-0.9.14-r2
09-x11vnc.xzm:
- upgraded to libvncserver-0.9.14-r2
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.74, sof-firmware-2023.09.2
001-core:
- upgraded to llvm-16.0.6, ethtool-6.6, sysvinit-3.08, coreutils-9.4, libXaw-1.0.15-r1, libxml2-2.11.5-r1, at-spi2-core-2.50.1, shadow-4.14.2, libglvnd-1.7.0, inih-57-r1, ca-certificates-20230311.3.95, ntp-4.2.8_p17-r1, usbutils-017, gmmlib-22.3.14, libdrm-2.4.118, libva-2.20.0, libva-intel-media-driver-23.4.3, libva-utils-2.20.0, mesa-23.2.1, libnotify-0.8.3, pango-1.51.0, gtk+-3.24.39, librsvg-2.57.0, libXfont2-2.0.6-r1, xorg-server-21.1.11
- added lsof-4.99
001-core:
- security fix cairo-1.18.0: Multiple vulnerabilities (CVE-2019-6461, CVE-2019-6462) #717778
- security fix traceroute-2.1.3: improper command line parsing (CVE-2023-46316) #917769
- upgraded to glib-2.78.3, libffi-3.4.4-r2, timezone-data-2023c-r1, alsa-ucm-conf-1.2.10-r1, hwdata-0.376, gmp-6.3.0-r1, zlib-1.3-r2, openssl-3.0.12, util-linux-2.38.1-r3, sqlite-3.44.2-r1, kmod-31, libxslt-1.1.39, systemd-utils-254.7, elfutils-0.190, tiff-4.6.0, alsa-lib-1.2.10-r2, libgpg-error-1.47-r1, xkeyboard-config-2.40-r1, ca-certificates-20230311.3.93, dhcpcd-10.0.5-r1, alsa-utils-1.2.10-r1, stunnel-5.71, libwacom-2.8.0, harfbuzz-8.3.0, openbox-3.6.1-r8, feh-3.10.1
002-chrome:
- upgraded to google-chrome-120.0.6099.199
005-thinclient.xzm:
- security fix libssh-0.10.6: Terrapin vulnerability #920291
- upgraded to freerdp-2.11.1, remmina-1.4.31-r1
08-ssh.xzm:
- security fix openssh-9.6_p1: ProxyCommand Unexpected Code Execution Vulnerability (CVE-2023-51385) #920722
002-chrome:
- major Chrome upgrade upgraded to google-chrome-120.0.6099.109
003-settings.xzm:
- kiosk fix disabled 'Featured experiments' button in Chrome's UI (navigation bar)
- kiosk fix disabled 'In Product Help' popups in Chrome which appear when you perform certain actions for the first time with private mode disabled: open new tab, play video file, download file
- kiosk fix disabled 'NEW' flag on Google Password Manager in the 3-dot Chrome settings menu
- new feature updated Chrome flags for the 'hardware_video_decode=' parameter. Google switched to a new "Vaapi Video Decoder" which supports additional codecs: h265 and AV1. Right now it works only for Intel Broadwell GPUs and newer. If you use another GPU (e.g. AMD or older Intel) and need hardware video decode feature then you should switch to a Firefox browser as it supports all GPUs which are capable of accelerated video playback.
- new feature added udev rule to allow user 'guest' using the Yubikey products
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.63, intel-microcode-20231114_p20231114, sof-firmware-2023.09.1
001-core:
- upgraded to c-ares-1.21.0, hwdata-0.375, dmidecode-3.5-r3, zlib-1.3-r1, libXrandr-1.5.4, systemd-utils-254.5-r2, xkeyboard-config-2.40, rsyslog-8.2310.0, libxkbcommon-1.6.0, xf86-video-siliconmotion-1.7.10
002-firefox:
- security fix mozilla-firefox-115.5 Changelog: link
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.61
- upgraded AMD microcode to the latest version
001-core:
- security fix xorg-server-21.1.9 Multiple vulnerabilities (CVE-2023-5367, CVE-2023-5380) #916254
- security fix zlib-1.2.13-r2: Buffer overflow (CVE-2023-45853) #916484
- upgraded to hwdata-0.374, ethtool-6.5, acpid-2.0.34-r1, sqlite-3.43.2, harfbuzz-8.2.0
002-firefox:
- security fix mozilla-firefox-115.4 Changelog: link
003-settings.xzm:
- kiosk fix when the address bar is disabled in the Firefox browser then do not allow opening a new tab by double clicking on the empty space in the tab bar area
- kiosk fix removed the 1 pixel white line at the top of the kiosk screen when Firefox works with the navigation bar disabled
- kiosk fix re-enabled 'hinting-slight' feature (previously it broke our gtkdialog apps and had to be disabled) so fonts in kiosk should look much better now
005-thinclient.xzm:
- upgraded to libidn2-2.3.4-r1, libsodium-1.0.19-r1, libvncserver-0.9.14-r1
001-core:
- security fix glibc-2.37-r7 Local Privilege Escalation in ld.so (CVE-2023-4911) #915127
- security fix libxml2-2.11.5-r1: Use-after-free if memory allocation fails (CVE-2023-45322) #915351
- security fix libX11-1.8.7: Multiple vulnerabilities (CVE-2023-43785, CVE-2023-43786, CVE-2023-43787) #915129
- security fix libXpm-3.5.17: Multiple vulnerabilities (CVE-2023-43788, CVE-2023-43789) #915130
- security fix lua-5.4.6: heap buffer overflow in recursive errors (CVE-2022-33099) #856463
- security fix nghttp2-1.57.0: HTTP/2 Rapid Reset vulnerability #915554
- security fix curl-8.4.0: security stabilisation #915569
- upgraded to gcc-13.2.1_p20230826, openssl-3.0.11, nss-3.91, elfutils-0.189-r4, systemd-utils-253.11-r1, libxcb-1.16, libgcrypt-1.10.2, dhcpcd-10.0.3, sshpass-1.09-r1, libinput-1.24.0, freetype-2.13.2, fontconfig-2.14.2-r3, xf86-input-libinput-1.4.0
004-wifi.xzm:
- upgraded to libnl-3.8.0
08-ssh.xzm:
- upgraded to openssh-9.4_p1-r1
10-printing.xzm:
- security fix cups-2.4.7: Buffer overflow when reading Postscript in PPD files (CVE-2023-4504) #914781
- security fix cups-filters-1.28.17-r2: RCE via beh filter (CVE-2023-24805, GHSA-gpxc-v2m8-fr3x) #906944
- upgraded to python-3.10.13, qpdf-11.5.0, ghostscript-gpl-10.02.0
002-firefox:
- security fix mozilla-firefox-115.3.1 Changelog: link
004-wifi.xzm:
- upgraded to wpa_supplicant-2.10-r3, tcl-8.6.13-r1, ppp-2.5.0-r4, crda-4.15-r2
08-ssh.xzm:
- security fix openssh-9.3_p2: Remote code execution in ssh-agent PKCS#11 support (CVE-2023-38408) #910553
001-core:
- security fix tiff-4.5.1: multiple vulnerabilities (CVE-2023-1916, CVE-2023-25434, CVE-2023-26965, CVE-2023-2731) #904424
- upgraded to alsa-ucm-conf-1.2.9, hwdata-0.373, libmd-1.1.0, cronbase-0.3.7-r10, ethtool-6.4, gmp-6.3.0, libpcre-8.45-r2, libpng-1.6.40-r1, gnutls-3.8.0, iw-5.19, libxcrypt-4.4.36, coreutils-9.3-r3, alsa-lib-1.2.9, elfutils-0.189-r1, mtr-0.95-r1, alsa-utils-1.2.9, systemd-utils-253.6, xkeyboard-config-2.39, inih-57, curl-8.1.2, dhcpcd-10.0.2, xfsprogs-6.4.0, libjpeg-turbo-3.0.0, glib-2.76.4, libgudev-238-r1, libwacom-2.7.0, libepoxy-1.5.10-r2, harfbuzz-8.0.1, xorg-server-21.1.8-r2, conky-1.19.2-r1, librsvg-2.56.3, lua-5.4.4-r103
10-printing.xzm:
- upgraded to perl-5.38.0-r1, poppler-data-0.4.12, lcms-2.15, poppler-23.08.0, libpaper-2.1.0
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.46, intel-microcode-20230808_p20230804
- new kernel and microcode versions fix important vulnerabilities: Intel Downfall, AMD Inception and AMD Zen 1 "Divide By Zero" bug
001-core:
- upgraded VAAPI stack which is required by new Chrome: libva-2.19.0, libva-utils-2.19.0, gmmlib-22.3.7, libva-intel-media-driver-23.2.4
002-chrome:
- major Chrome upgrade upgraded to google-chrome-115.0.5790.170
003-settings.xzm:
- kiosk fix disabled 'High Efficiency' mode for the Chrome browser to prevent discarding of tabs after a certain period of time
- kiosk fix disabled DRI3 support for VAAPI library when hardware video decode is enabled for the Chrome browser (otherwise hardware acceleration won't work)
initrd:
- kiosk fix fixed a bug where the watchdog daemon prevented kiosk reconfiguration on fast booting systems
vmlinuz and 000-kernel.xzm:
- upgraded to linux-6.1.42, intel-microcode-20230613_p20230520, sof-firmware-2.2.6
- upgraded AMD CPU firmware to latest version from git to fix 'Zenbleed' vulnerabilities
002-firefox:
- major Firefox ESR release mozilla-firefox-115.1.0 changelog: 103.0 104.0 105.0 106.0 107.0 108.0 109.0 110.0 111.0 112.0 113.0 114.0 115.0
003-settings.xzm:
- kiosk fix removed extensions button from the Firefox UI as it allows listing installed extensions and reporting them to Mozilla
- kiosk fix removed 'Firefox view' button from the Firefox UI as it's not needed for kiosk purposes
- kiosk fix removed 'minimize, restore down, close' buttons when Firefox works with 'autohide_navigation_bar=yes' parameter
- kiosk fix start Firefox in kiosk mode (instead of fullscreen) when displaying the screensaver video or screensaver URL
- new feature upgraded Firefox plugins to latest available versions
001-core:
- security fix libX11-1.8.6: Buffer overflows in InitExt.c (CVE-2023-3138) #908549
- security fix shadow-4.13-r4: possible password leak during passwd(1) change #908613
- upgraded to procps-3.3.17-r2, libunistring-1.1-r1, nettle-3.9.1, e2fsprogs-1.47.0-r2, ca-certificates-20230311.3.90, libxml2-2.11.4:2, ntp-4.2.8_p17, libxslt-1.1.38, fribidi-1.0.13, glib-2.76.3, at-spi2-core-2.48.3, librsvg-2.56.1, gtk+-3.24.38
005-thinclient.xzm:
- upgraded to remmina-1.4.31
10-printing.xzm:
- security fix cups-2.4.6: Use-after-free when logging warnings during cupsdAcceptClient failure (CVE-2023-34241) #909018
- security fix ghostscript-gpl-10.01.2: Code execution vulnerability (CVE-2023-36664) #910294
- upgraded to libpaper-2.0.12, perl-5.36.1-r3, net-snmp-5.9.3-r3, libusb-compat-0.1.8, openjpeg-2.5.0-r5, poppler-23.05.0, python-3.10.12, sane-backends-1.2.1
001-core:
- security fix c-ares-1.19.1: Multiple vulnerabilities (CVE-2023-31124, CVE-2023-31130, CVE-2023-31147, CVE-2023-32067) #906964
- upgraded to hwdata-0.371, dmidecode-3.5-r2, ethtool-6.3, sysvinit-3.07, coreutils-9.3-r2, wget-1.21.4, sqlite-3.42.0, nspr-4.35-r2, pciutils-3.10.0, xfsprogs-6.3.0, dhcpcd-9.5.1, libjpeg-turbo-2.1.5.1
002-firefox:
- security fix mozilla-firefox-102.12.0 Changelog: link
005-thinclient.xzm:
- upgraded to libgpg-error-1.47, freerdp-2.10.0-r3
001-core:
- security fix openssl-1.1.1u: Possible DoS translating ASN.1 object identifiers (CVE-2023-2650) #907413
- security fix libcap-2.69: Multiple vulnerabilities (CAP-CR-23-02, CVE-2023-2602, CVE-2023-2603, LCAP-CR-23-01) #906461
- security fix libXpm-3.5.16: multiple vulnerabilities (CVE-2022-44617, CVE-2022-46285, CVE-2022-4883) #891209
- upgraded to ncurses-6.4_p20230401, hwdata-0.369, tiff-4.5.0-r2, libfastjson-1.2304.0, libXi-1.8.1, setxkbmap-1.3.4, xinput-1.6.4, coreutils-9.3-r1, rsyslog-8.2304.0, ca-certificates-20230311.3.89.1, gmmlib-22.3.5, libpciaccess-0.17-r1, libevdev-1.13.1, libXaw3d-1.6.5, libva-intel-media-driver-23.1.6, mesa-amber-21.3.9-r1, fontconfig-2.14.2-r2, harfbuzz-7.3.0, libXft-2.3.8, conky-1.17.0-r1, feh-3.10, xf86-video-ati-22.0.0, gtk+-2.24.33-r3
004-wifi.xzm:
- security fix ppp-2.5.0: out-of-bounds read (CVE-2022-4603) #887017
005-thinclient.xzm:
- security fix libssh-0.10.5: Multiple vulnerabilities (CVE-2023-1667, CVE-2023-2283, GHSL-2023-085) #905746
- upgraded to freerdp-2.10.0-r2, remmina-1.4.30
001-core:
- security fix freetype-2.13.0: integer overflow vulnerability (CVE-2023-2004) #881443
- security fix libxml2-2.10.4: Multiple vulnerabilities (CVE-2023-28484, CVE-2023-29469) #904202
- security fix dmidecode-3.5: root privilege escalation via file overwrite (CVE-2023-30630) #905093
- security fix curl-8.0.1: Multiple vulnerabilities (CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538) #902801
- upgraded to libffi-3.4.4-r1, timezone-data-2023c, ethtool-6.2, rsync-3.2.7-r2, libcap-2.68, libfastjson-0.99.9.1, userspace-rcu-0.14.0, libXfixes-6.0.1, libXt-1.3.0, systemd-utils-252.9, zstd-1.5.5, rsyslog-8.2302.0, libcec-6.0.2-r1, iptables-1.8.9, libinput-1.23.0, at-spi2-core-2.48.0, wayland-1.22.0, pango-1.50.14, conky-1.17.0, feh-3.9.1-r1, librsvg-2.56.0, xf86-input-libinput-1.3.0, xf86-input-wacom-1.2.0, openbox-3.6.1-r5
002-firefox:
- security fix mozilla-firefox-102.11.0 Changelog: link
004-wifi.xzm:
- upgraded to ppp-2.4.9-r9
001-core:
- security fix xorg-server-21.1.8 Privilege escalation via use-after-free (CVE-2023-1393) #903547
- security fix shadow-4.13-r3 shadow file manipulation via chfn (CVE-2023-29383) #904518
- upgraded to hwdata-0.367, dmidecode-3.4-r1, libxcrypt-4.4.33, sqlite-3.41.2-r1, libX11-1.8.4-r1, nss-3.79.4, openssl-1.1.1t-r3, util-linux-2.38.1-r2, e2fsprogs-1.47.0-r1, ca-certificates-20211016.3.88.1, stunnel-5.68, curl-7.88.1-r2, xkeyboard-config-2.38, zstd-1.5.4-r3, glib-2.74.6, libnotify-0.8.2, cairo-1.17.8, pango-1.50.13, xf86-video-intel-2.99.917_p20230201, tigervnc-1.13.1, gtk+-3.24.37
002-chrome:
- upgraded to google-chrome-112.0.5615.121
vmlinuz and 000-kernel.xzm:
- upgraded to intel-microcode-20230214_p20230212
- kernel config: compiled DAX driver directly to the vmlinuz image as it's required by PCs which initialize device mapper early during boot
002-chrome:
- major Chrome upgrade upgraded to google-chrome-112.0.5615.49