Each new system version (like e.g. 20151128) triggers an action to pull updated component from our update servers. After short downtime the system is ready to use with all security fixes, updates and new features merged into the ISO. Everthing is done automatically without any user action.
- synced with master: #260111
- upgraded to readline-8.3_p3, bash-5.3_p9, lxterminal-0.4.0_p20230917-r1
- upgraded to libtirpc-1.3.7-r2, libsigc++-2.12.1, glibmm-2.66.8, cairomm-1.14.5, atkmm-2.28.4, pangomm-2.46.4, gtkmm-3.24.10
- synced with master: #251123
- synced with master: #251019
- upgraded to readline-8.3_p1, bash-5.3_p3-r2
- synced with master: #250921
- synced with master: #250810
- synced with master: #250706
- synced with master: #250622
- synced with master: #250525
- upgraded to lxterminal-0.4.0_p20230917, tigervnc-1.15.0-r1
- upgraded to open-vm-tools-12.5.0-r1
- synced with master: #250420
- upgraded to sshfs-3.7.3-r2, tigervnc-1.15.0
- synced with master: #250330
- synced with master: #250302
- synced with master: #250119
- upgraded to fltk-1.3.8, readline-8.2_p13-r1
- upgraded to libtirpc-1.3.6, virtualbox-guest-additions-7.0.20
- synced with master: #241222
- synced with master: #241124
- synced with master: #241020
- upgraded to readline-8.2_p13, bash-5.2_p37, cifs-utils-7.0-r1
- upgraded to libtirpc-1.3.5
- synced with master: #240915
- synced with master: #240818
- synced with master: #240720
This release fixes the SSH vulnerability which allows the attacker to execute the code remotely: (CVE-2024-6387). You are required to upgrade, please do it immediately. Please reboot your servers in order to receive the latest patches.
- synced with master: #240707
- server fix fixed a bug where 'Wake on LAN' function did not work after a PK Server reboot
- upgraded to readline-8.2_p10, bash-5.2_p26-r6
- synced with master: #240616
- server fix updated description of 'Administration Panel -> Actions -> Update homepage' action to better explain that it should be used only for a temporary homepage change (emergency cases) and that remote config should be used for persistent kiosk configuration changes
- synced with master: #240519
- synced with master: #240421
- server fix do not send a notification email if recipient address is set to default 'someone@domain.com'
- upgraded to glibmm-2.66.7, gtkmm-3.24.9
- synced with master: #240328
- synced with master: #240317
This release hardens the security on the SSH jail container where clients upload their data. You are required to upgrade, please do it immediately. Please reboot your servers in order to receive the latest patches.
- synced with master: #240310
- server security fix persistent partition on the server is mounted with the 'noexec' flag by default, this way the files/binaries which are uploaded by the clients can not be executed in the jail. If you need to keep executables on the persistent partition then please contact with support@porteus-kiosk.org and we will guide you how to workaround this limitation (in short: executables must be copied from persistent partition to tmpfs during every server boot before they can be used).
- server security fix 'proc' filesystem is no longer mounted in jail. The lack of it breaks a proper 'client ID' calculation when registering new kiosk clients in version 4.3.0 - 5.1.0. If for some reason you still need to install such an old client version then please use the static 'client_id=' parameter for each kiosk instead of 'client_id=automatic'.
- server security fix removed 'ls' and 'netstat' utilities which are no longer needed for registration of new clients in version 5.2.0 and newer
- server security fix files uploaded by the clients must meet specific criteria before they are accepted on the server. The check is performed in regards to: file type, file size, file name, file content.
- server security fix for doubled security the client host files (information about system/browser/kernel version, IP/MAC address, etc) are stored outside of the jail container
- server security fix clients are not allowed to upload VNC passwords on the server, server will retrieve passwords directly from the client when initializing the VNC connection to it
- server security fix restricted port forwarding capabilities for the SSH service so PK Server can no longer be used as a SSH proxy
The work is not completed yet. In order to fully secure the connection between the clients and the server we need to generate a SSL certificate and a connection password individually for each customer. We plan to implement this in the coming weeks.
- synced with master: #240303
- synced with master: #240211
- upgraded to libcap-ng-0.8.4
- upgraded to libtirpc-1.3.4-r1
- synced with master: #240121
- synced with master: #240107
- upgraded to fuse-3.16.2
- security fix libtirpc-1.3.4: Multiple vulnerabilities #915404
- synced with master: #231217
- synced with master: #231125
- synced with master: #231104
- synced with master: #231015
- security fix open-vm-tools-12.2.5: Possible denial of service vulnerability (CVE-2023-20867) #908555
- synced with master: #230930
- upgraded to sshfs-3.7.3-r1, fuse-3.16.1
- upgraded to gtkmm-3.24.8
- synced with master: #230909
- upgraded to cifs-utils-7.0, tar-1.35, fuse-3.15.1
- synced with master: #230820
- synced with master: #230805
- synced with master: #230715
- synced with master: #230625
- synced with master: #230604
- synced with master: #230514
- upgraded to tar-1.34-r3
- server fix shorten the long Firefox version numbers (e.g. 102.11.1) so they are displayed properly in the Administration Panel
- upgraded to glibmm-2.66.6
- synced with master: #230423
- upgraded to tigervnc-1.13.1, fuse-3.14.1
- synced with master: #230408
- server fix delete VMware logs during every server boot to prevent filling persistent partition