Tux Machines

OpenSSH 9.1 released (UPDATED)

posted by Roy Schestowitz on Oct 04, 2022,
updated Oct 05, 2022

OpenSSH 9.1 has just been released. It will be available from the
mirrors listed at https://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol 2.0 implementation and includes sftp client and server support.
Once again, we would like to thank the OpenSSH community for their continued support of the project, especially those who contributed code or patches, reported bugs, tested snapshots or donated to the project. More information on donations may be found at: https://www.openssh.com/donations.html
Changes since OpenSSH 9.0
=========================

This release is focused on bug fixing.

Security
========
This release contains fixes for three minor memory safety problems. None are believed to be exploitable, but we report most memory safety problems as potential security vulnerabilities out of caution.
* ssh-keyscan(1): fix a one-byte overflow in SSH- banner processing. Reported by Qualys
* ssh-keygen(1): double free() in error path of file hashing step in signing/verify code; GHPR333
* ssh-keysign(8): double-free in error path introduced in openssh-8.9
Potentially-incompatible changes
--------------------------------
* The portable OpenSSH project now signs commits and release tags using git's recent SSH signature support. The list of developer signing keys is included in the repository as .git_allowed_signers and is cross-signed using the PGP key that is still used to sign release artifacts: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used. bz3438
* ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.
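The SetEnv change above only matters where a variable is assigned more than once. The following is an added example, not code from the OpenSSH project: a pre-upgrade check that lists such variables with the value that applies from 9.1 on (first) and the one used before (last). It assumes a flat scan of one file: Host/Match conditions and Include files are not evaluated, and the sample configuration is constructed.

```python
import re
import shlex
from collections import OrderedDict

# The keyword may be separated from its arguments by whitespace or one '='.
SETENV_RE = re.compile(r"^\s*setenv(?:\s*=\s*|\s+)(.+)$", re.IGNORECASE)


def setenv_conflicts(config_text):
    """Return {name: (first_value, last_value)} for every variable that
    SetEnv assigns more than once with differing first and last values.

    Assumption: lines are scanned in file order without evaluating
    Host/Match blocks or Include, so each hit is a candidate for manual
    review rather than a verdict.
    """
    seen = OrderedDict()
    for raw in config_text.splitlines():
        m = SETENV_RE.match(raw)  # commented-out lines never match
        if not m:
            continue
        # shlex handles quoted values and trailing '# comments'.
        for token in shlex.split(m.group(1), comments=True):
            name, sep, value = token.partition("=")
            if sep:
                seen.setdefault(name, []).append(value)
    return {n: (v[0], v[-1]) for n, v in seen.items() if v[0] != v[-1]}


# Constructed sshd_config fragment, for illustration only.
SAMPLE = """\
# SetEnv LANG=ignored
SetEnv LANG=C.UTF-8 TZ=UTC
AcceptEnv LC_*
SetEnv LANG="en_US.UTF-8"   # added later by a config-management role
setenv=TZ=UTC
"""

if __name__ == "__main__":
    for name, (first, last) in setenv_conflicts(SAMPLE).items():
        print(f"{name}: 9.1 and later use {first!r}, earlier releases used {last!r}")
```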
New features
------------
* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8).
ssh(1) will terminate a connection if the server offers an RSA key that falls below this limit, as the SSH protocol does not include the ability to retry a failed key exchange.
* sftp-server(8): add a "users-groups-by-id@openssh.com" extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
* sftp(1): use "users-groups-by-id@openssh.com" sftp-server extension (when available) to fill in user/group names for directory listings.
* sftp-server(8): support the "home-directory" extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it.
* ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character.
Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow. bz3468
* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D "/usr/libexec/sftp-server -el debug3"
* ssh-keygen(1): allow the existing -U (use agent) flag to work with "-Y sign" operations, where it will be interpreted to require that the private key is hosted in an agent; bz3429
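Before setting RequiredRSASize, it helps to know which authorized RSA keys would start being ignored. This added example (not OpenSSH code) decodes ssh-rsa public key blobs from an authorized_keys file and reports those with a modulus below a chosen minimum. The 2048-bit threshold, the function names and the sample keys are assumptions, and the keys are constructed, non-functional blobs.

```python
import base64
import re
import struct

# "ssh-rsa <base64 blob> [comment]", optionally preceded by key options.
RSA_ENTRY = re.compile(r"(?:^|\s)ssh-rsa\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")

def _read_string(blob, off):
    """Read one RFC 4251 string (uint32 length, then bytes) at offset off."""
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def rsa_modulus_bits(b64_blob):
    """Bit length of the modulus n inside an ssh-rsa public key blob."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    _e, off = _read_string(blob, off)   # public exponent, unused here
    n, _ = _read_string(blob, off)      # modulus, big-endian mpint
    return int.from_bytes(n, "big").bit_length()

def undersized_rsa_keys(authorized_keys_text, minimum_bits):
    """Return [(line_no, bits, comment)] for RSA keys below minimum_bits."""
    hits = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else RSA_ENTRY.search(line)
        if m:
            bits = rsa_modulus_bits(m.group(1))
            if bits < minimum_bits:
                hits.append((line_no, bits, (m.group(2) or "").strip()))
    return hits

def demo_blob(bits):
    """Constructed, non-functional blob whose modulus is `bits` bits long."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # mpint pad byte
    return base64.b64encode(s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(n)).decode()

# Constructed sample file; none of these are real keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys",
    "ssh-rsa " + demo_blob(1024) + " legacy@build",
    'from="10.0.0.0/8" ssh-rsa ' + demo_blob(3072) + " ops@bastion",
])

if __name__ == "__main__":
    print(undersized_rsa_keys(SAMPLE, 2048))
```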
Bugfixes
--------
* ssh-keygen(1): implement the "verify-required" certificate option. This was already documented when support for user-verified FIDO keys was added, but the ssh-keygen(1) code was missing.
* ssh-agent(1): hook up the restrict_websafe command-line flag; previously the flag was accepted but never actually used.
* sftp(1): improve filename tab completions: never try to complete names to non-existent commands, and better match the completion type (local or remote filename) against the argument position being completed.
* ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key handling, especially relating to keys that request user-verification. These should reduce the number of unnecessary PIN prompts for keys that support intrinsic user verification. GHPR302, GHPR329
* ssh-keygen(1): when enrolling a FIDO resident key, check if a credential with matching application and user ID strings already exists and, if so, prompt the user for confirmation before overwriting the credential. GHPR329
* sshd(8): improve logging of errors when opening authorized_keys files. bz2042
* ssh(1): avoid multiplexing operations that could cause SIGPIPE from causing the client to exit early. bz3454
* ssh_config(5), sshd_config(5): clarify that the RekeyLimit directive applies to both transmitted and received data. GHPR328
* ssh-keygen(1): avoid double fclose() in error path.
* sshd(8): log an error if pipe() fails while accepting a connection. bz3447
* ssh(1), ssh-keygen(1): fix possible NULL deref when built without FIDO support. bz3443
* ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage. GHPR294.
* sshd(8): ensure that authentication passwords are cleared from memory in error paths. GHPR286
* ssh(1), ssh-agent(1): avoid possibility of notifier code executing kill(-1). GHPR286
* ssh_config(5): note that the ProxyJump directive also accepts the same tokens as ProxyCommand. GHPR305.
* scp(1): do not ftruncate(3) files early when in sftp mode. The previous behaviour of unconditionally truncating the destination file would cause "scp ~/foo localhost:foo" and the reverse "scp localhost:foo ~/foo" to delete all the contents of their destination. bz3431
* ssh-keygen(1): improve error message when 'ssh-keygen -Y sign' is unable to load a private key; bz3429
* sftp(1), scp(1): when performing operations that glob(3) a remote path, ensure that the implicit working directory used to construct that path escapes glob(3) characters. This prevents glob characters from being processed in places they shouldn't, e.g. "cd /tmp/a*/", "get *.txt" should have the get operation treat the path "/tmp/a*" literally and not attempt to expand it.
* ssh(1), sshd(8): be stricter in which characters will be accepted in specifying a mask length; allow only 0-9. GHPR278
* ssh-keygen(1): avoid printing hash algorithm twice when dumping a KRL
* ssh(1), sshd(8): continue running local I/O for open channels during SSH transport rekeying. This should make ~-escapes work in the client (e.g. to exit) if the connection happened to have stalled during a rekey event.
* ssh(1), sshd(8): avoid potential poll() spin during rekeying
* Further hardening for sshbuf internals: disallow "reparenting" a hierarchical sshbuf and zero the entire buffer if reallocation fails. GHPR287
Portability
-----------
* ssh(1), ssh-keygen(1), sshd(8): automatically enable the built-in FIDO security key support if libfido2 is found and usable, unless --without-security-key-builtin was requested.
* ssh(1), ssh-keygen(1), sshd(8): many fixes to make the WinHello FIDO device usable on Cygwin. The windows://hello FIDO device will be automatically used by default on this platform unless requested otherwise, or when probing resident FIDO credentials (an operation not currently supported by WinHello).
* Portable OpenSSH: remove workarounds for obsolete and unsupported versions of OpenSSL libcrypto. In particular, this release removes fallback support for OpenSSL that lacks AES-CTR or AES-GCM.
Those AES cipher modes were added to OpenSSL prior to the minimum version currently supported by OpenSSH, so this is not expected to impact any currently supported configurations.
* sshd(8): fix SANDBOX_SECCOMP_FILTER_DEBUG on current Linux/glibc
* All: resync and clean up internal CSPRNG code.
* scp(1), sftp(1), sftp-server(8): avoid linking these programs with unnecessary libraries. They are no longer linked against libz and libcrypto. This may be of benefit to space constrained systems using any of those components in isolation.
* sshd(8): add AUDIT_ARCH_PPC to supported seccomp sandbox architectures.
* configure: remove special casing of crypt(). configure will no longer search for crypt() in libcrypto, as it was removed from there years ago. configure will now only search libc and libcrypt.
* configure: refuse to use OpenSSL 3.0.4 due to potential RCE in its RSA implementation (CVE-2022-2274) on x86_64.
* All: request 1.1x API compatibility for OpenSSL >=3.x; GHPR#322
* ssh(1), ssh-keygen(1), sshd(8): fix a number of missing includes required by the XMSS code on some platforms.
* sshd(8): cache timezone data in capsicum sandbox.
Checksums:
==========

- SHA1 (openssh-9.1.tar.gz) = 3ae2d6a3a695d92778c4c4567dcd6ad481092f6c
- SHA256 (openssh-9.1.tar.gz) = QKfVArlcItV+e8V1Th85TL5//5d/AvOUhYOeHMDEGuE=

- SHA1 (openssh-9.1p1.tar.gz) = 15545440268967511d3194ebf20bcd0c7ff3fcc9
- SHA256 (openssh-9.1p1.tar.gz) = GfhQCcfj4jeH8CNvuxV4OSq01L+fjsX+a8HNfov90og=

Please note that the SHA256 signatures are base64 encoded and not hexadecimal (which is the default for most checksum tools). The PGP key used to sign the releases is available from the mirror sites: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
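Because the SHA256 values are base64 while the SHA1 values are hex, a naive string comparison against checksum-tool output fails even for an intact download. This added example (not part of the release announcement) parses checksum lines in the format shown above, decodes each digest according to its algorithm, and compares it with a file's hash. The function names are assumptions.

```python
import base64
import hashlib
import hmac
import re

# BSD-style checksum line as used in the release notes: "ALGO (file) = digest"
LINE_RE = re.compile(r"^-?\s*(SHA1|SHA256) \((.+?)\) = (\S+)$")


def expected_digest(line):
    """Parse one checksum line into (algorithm, filename, raw digest bytes).

    SHA1 values are hex; SHA256 values are base64, as the notes point out.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised checksum line")
    algo, name, text = m.groups()
    if algo == "SHA1":
        raw = bytes.fromhex(text)
    else:
        raw = base64.b64decode(text, validate=True)
    # A hex SHA256 pasted here decodes to 48 bytes and is rejected.
    if len(raw) != hashlib.new(algo.lower()).digest_size:
        raise ValueError("digest has wrong length for " + algo)
    return algo.lower(), name, raw


def file_matches(path, line):
    """True if the file at `path` hashes to the digest given in `line`."""
    algo, _name, want = expected_digest(line)
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.digest(), want)


def as_hex(line):
    """Hex form of the digest, for comparison with sha256sum-style output."""
    return expected_digest(line)[2].hex()


if __name__ == "__main__":
    # Checksum line copied from the announcement above.
    print(as_hex("- SHA256 (openssh-9.1.tar.gz) = "
                 "QKfVArlcItV+e8V1Th85TL5//5d/AvOUhYOeHMDEGuE="))
```

A matching checksum only shows the download equals what the announcement lists; the PGP signature made with the release key is what ties the tarball to the project.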
Reporting Bugs:
===============

- Please read https://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

UPDATE

A couple of reference pages:
