Tux Machines

OpenSSH 9.1 released (UPDATED)

posted by Roy Schestowitz on Oct 04, 2022, updated Oct 05, 2022

OpenSSH 9.1 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html

Changes since OpenSSH 9.0
=========================

This release is focused on bug fixing.

Security
========

This release contains fixes for three minor memory safety problems. None are believed to be exploitable, but we report most memory safety problems as potential security vulnerabilities out of caution.
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys
* ssh-keygen(1): double free() in error path of file hashing step in signing/verify code; GHPR333
* ssh-keysign(8): double-free in error path introduced in openssh-8.9

Potentially-incompatible changes
--------------------------------

* The portable OpenSSH project now signs commits and release tags using git's recent SSH signature support. The list of developer signing keys is included in the repository as .git_allowed_signers and is cross-signed using the PGP key that is still used to sign release artifacts: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438
* ssh-keygen(1): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.

New features
------------

* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).
ssh(1) will terminate a connection if the server offers an RSA key that falls below this limit, as the SSH protocol does not include the ability to retry a failed key exchange.
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings.
* sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private key is hosted in an agent; bz3429
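
Before setting RequiredRSASize, it helps to know which existing keys would start being ignored. The following is an added example, not part of the OpenSSH release notes or code: it parses ssh-rsa entries in authorized_keys format and lists those below a chosen limit. The function names, the sample entries and the 2048-bit limit are assumptions made for illustration.

```python
import base64
import struct

def read_string(buf, off):
    """Read one SSH wire 'string' (uint32 length + data); return (data, next offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated data")
    return buf[off + 4:end], end

def rsa_bits(b64_blob):
    """Modulus size in bits of an ssh-rsa public key blob (type, e, n)."""
    blob = base64.b64decode(b64_blob, validate=True)
    ktype, off = read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = read_string(blob, off)
    n, _ = read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def audit(lines, required_rsa_size):
    """Return (line number, bits, comment) for each RSA key below the limit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        # Simplification: options are assumed not to contain a bare "ssh-rsa" token.
        if "ssh-rsa" not in fields[:-1]:
            continue  # comment, blank line, or a non-RSA key type
        i = fields.index("ssh-rsa")
        bits = rsa_bits(fields[i + 1])
        if bits < required_rsa_size:
            findings.append((lineno, bits, " ".join(fields[i + 2:])))
    return findings

def sample_line(bits, comment, options=""):
    """Constructed test entry: n has the right size but is not a real modulus."""
    def mpint(x):
        return x.to_bytes(x.bit_length() // 8 + 1, "big")
    parts = (b"ssh-rsa", mpint(65537), mpint((1 << (bits - 1)) | 1))
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{options} ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()

SAMPLE = [  # constructed authorized_keys content, not real keys
    "# constructed authorized_keys content",
    sample_line(1024, "legacy@build-host"),
    sample_line(3072, "alice@laptop"),
    sample_line(1536, "backup job", options="no-pty,no-port-forwarding"),
]

if __name__ == "__main__":
    for lineno, bits, comment in audit(SAMPLE, required_rsa_size=2048):
        print(f"line {lineno}: {bits}-bit RSA key ({comment}) is below the limit")
```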

Bugfixes
--------

* ssh-keygen(1): implement the "verify-required" certificate option. This was already documented when support for user-verified FIDO keys was added, but the ssh-keygen(1) code was missing.
* ssh-agent(1): hook up the restrict_websafe command-line flag; previously the flag was accepted but never actually used.
* sftp(1): improve filename tab completions: never try to complete names to non-existent commands, and better match the completion type (local or remote filename) against the argument position being completed.
* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key handling, especially relating to keys that request user-verification. These should reduce the number of unnecessary PIN prompts for keys that support intrinsic user verification. GHPR302, GHPR329
* ssh-keygen(1): when enrolling a FIDO resident key, check if a credential with matching application and user ID strings already exists and, if so, prompt the user for confirmation before overwriting the credential. GHPR329
* sshd(8): improve logging of errors when opening authorized_keys files. bz2042
* ssh(1): avoid multiplexing operations that could cause SIGPIPE from causing the client to exit early. bz3454
* ssh_config(5), sshd_config(5): clarify that the RekeyLimit directive applies to both transmitted and received data. GHPR328
* ssh-keygen(1): avoid double fclose() in error path.
* sshd(8): log an error if pipe() fails while accepting a connection. bz3447
* ssh(1), ssh-keygen(1): fix possible NULL deref when built without FIDO support. bz3443
* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage. GHPR294.
* sshd(8): ensure that authentication passwords are cleared from memory in error paths. GHPR286
* ssh(1), ssh-agent(1): avoid possibility of notifier code executing kill(-1). GHPR286
* ssh_config(5): note that the ProxyJump directive also accepts the same tokens as ProxyCommand. GHPR305.
* scp(1): do not ftruncate(3) files early when in sftp mode. The previous behaviour of unconditionally truncating the destination file would cause "scp ~/foo localhost:foo" and the reverse "scp localhost:foo ~/foo" to delete all the contents of their destination. bz3431
* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is unable to load a private key; bz3429
* sftp(1), scp(1): when performing operations that glob(3) a remote path, ensure that the implicit working directory used to construct that path escapes glob(3) characters. This prevents glob characters from being processed in places they shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation treat the path "/tmp/a*" literally and not attempt to expand it.
* ssh(1), sshd(8): be stricter in which characters will be accepted in specifying a mask length; allow only 0-9. GHPR278
* ssh-keygen(1): avoid printing hash algorithm twice when dumping a KRL
* ssh(1), sshd(8): continue running local I/O for open channels during SSH transport rekeying. This should make ~-escapes work in the client (e.g. to exit) if the connection happened to have stalled during a rekey event.
* ssh(1), sshd(8): avoid potential poll() spin during rekeying
* Further hardening for sshbuf internals: disallow "reparenting" a hierarchical sshbuf and zero the entire buffer if reallocation fails. GHPR287

Portability
-----------

* ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in FIDO security key support if libfido2 is found and usable, unless --without-security-key-builtin was requested.
* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello FIDO device usable on Cygwin. The windows://hello FIDO device will be automatically used by default on this platform unless requested otherwise, or when probing resident FIDO credentials (an operation not currently supported by WinHello).
* Portable OpenSSH: remove workarounds for obsolete and unsupported versions of OpenSSL libcrypto. In particular, this release removes fallback support for OpenSSL that lacks AES-CTR or AES-GCM.
Those AES cipher modes were added to OpenSSL prior to the minimum version currently supported by OpenSSH, so this is not expected to impact any currently supported configurations.
* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc
* All: resync and clean up internal CSPRNG code.
* scp(1), sftp(1), sftp-server(8): avoid linking these programs with unnecessary libraries. They are no longer linked against libz and libcrypto. This may be of benefit to space constrained systems using any of those components in isolation.
* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox architectures.
* configure: remove special casing of crypt(). configure will no longer search for crypt() in libcrypto, as it was removed from there years ago. configure will now only search libc and libcrypt.
* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its RSA implementation (CVE-2022-2274) on x86_64.
* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322
* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes required by the XMSS code on some platforms.
* sshd(8): cache timezone data in capsicum sandbox.

Checksums:
==========

- SHA1 (openssh-9.1.tar.gz) = 3ae2d6a3a695d92778c4c4567dcd6ad481092f6c
- SHA256 (openssh-9.1.tar.gz) = QKfVArlcItV+e8V1Th85TL5//5d/AvOUhYOeHMDEGuE=

- SHA1 (openssh-9.1p1.tar.gz) = 15545440268967511d3194ebf20bcd0c7ff3fcc9
- SHA256 (openssh-9.1p1.tar.gz) = GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=

Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
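
Because the published SHA256 values are base64, they cannot be compared directly with the hex output of common checksum tools. The following is an added example, not part of the release notes: it converts the published values to hex and checks a downloaded file against them. The function names are assumptions; the digests are the ones listed above.

```python
import base64
import hashlib
import hmac

# SHA256 values copied from the Checksums section of the release notes.
PUBLISHED = {
    "openssh-9.1.tar.gz": "QKfVArlcItV+e8V1Th85TL5//5d/AvOUhYOeHMDEGuE=",
    "openssh-9.1p1.tar.gz": "GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=",
}

def decode_digest(b64_digest):
    """Decode a base64 SHA-256 digest and insist on exactly 32 bytes."""
    raw = base64.b64decode(b64_digest, validate=True)
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("not a SHA-256 digest")
    return raw

def b64_to_hex(b64_digest):
    """Hex form of a published digest, comparable with hex checksum tool output."""
    return decode_digest(b64_digest).hex()

def file_matches(path, b64_digest):
    """Hash the file in chunks and compare with the published base64 digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.digest(), decode_digest(b64_digest))

if __name__ == "__main__":
    import os
    for name, b64 in PUBLISHED.items():
        print(f"{b64_to_hex(b64)}  {name}")
        if os.path.exists(name):  # only checked when the tarball is present locally
            print("  match" if file_matches(name, b64) else "  MISMATCH")
```

A matching checksum only shows the download is intact; authenticity still rests on verifying the release signature with the key referenced above.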

Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

UPDATE

A couple of reference pages:
