Friday, January 31, 2014

OpenSSH 6.5 Included

There is only a single package in today's update, and that is OpenSSH, which is bumped to 6.5, another major release. This version brings quite a lot of changes, as listed in the release notes:

New features:

 * ssh(1), sshd(8): Add support for key exchange using elliptic-curve
   Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange
   method is the default when both the client and server support it.

 * ssh(1), sshd(8): Add support for Ed25519 as a public key type.
   Ed25519 is an elliptic curve signature scheme that offers
   better security than ECDSA and DSA and good performance. It may be
   used for both user and host keys.

 * Add a new private key format that uses a bcrypt KDF to better
   protect keys at rest. This format is used unconditionally for
   Ed25519 keys, but may be requested when generating or saving
   existing keys of other types via the -o ssh-keygen(1) option.
   We intend to make the new format the default in the near future.
   Details of the new format are in the PROTOCOL.key file.

 * ssh(1), sshd(8): Add a new transport cipher
   "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's
   ChaCha20 stream cipher and Poly1305 MAC to build an authenticated
   encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.

 * ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and
   servers that use the obsolete RSA+MD5 signature scheme. It will
   still be possible to connect with these clients/servers but only
   DSA keys will be accepted, and OpenSSH will refuse connection
   entirely in a future release.

 * ssh(1), sshd(8): Refuse old proprietary clients and servers that
   use a weaker key exchange hash calculation.

 * ssh(1): Increase the size of the Diffie-Hellman groups requested
   for each symmetric key size. New values from NIST Special
   Publication 800-57 with the upper limit specified by RFC4419.

 * ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide
   X.509 certs instead of raw public keys (requested as bz#1908).

 * ssh(1): Add a ssh_config(5) "Match" keyword that allows
   conditional configuration to be applied by matching on hostname,
   user and result of arbitrary commands.

 * ssh(1): Add support for client-side hostname canonicalisation
   using a set of DNS suffixes and rules in ssh_config(5). This
   allows unqualified names to be canonicalised to fully-qualified
   domain names to eliminate ambiguity when looking up keys in
   known_hosts or checking host certificate names.

 * sftp-server(8): Add the ability to whitelist and/or blacklist sftp
   protocol requests by name.

 * sftp-server(8): Add a sftp "fsync@openssh.com" to support calling
   fsync(2) on an open file handle.

 * sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation,
   mirroring the longstanding no-pty authorized_keys option.

 * ssh(1): Add a ssh_config ProxyUseFDPass option that supports the
   use of ProxyCommands that establish a connection and then pass a
   connected file descriptor back to ssh(1). This allows the
   ProxyCommand to exit rather than staying around to transfer data.

Bugfixes:

 * ssh(1), sshd(8): Fix potential stack exhaustion caused by nested
   certificates.

 * ssh(1): bz#1211: make BindAddress work with UsePrivilegedPort.

 * sftp(1): bz#2137: fix the progress meter for resumed transfer.

 * ssh-add(1): bz#2187: do not request smartcard PIN when removing
   keys from ssh-agent.

 * sshd(8): bz#2139: fix re-exec fallback when original sshd binary
   cannot be executed.

 * ssh-keygen(1): Make relative-specified certificate expiry times
   relative to current time and not the validity start time.

 * sshd(8): bz#2161: fix AuthorizedKeysCommand inside a Match block.

 * sftp(1): bz#2129: symlinking a file would incorrectly canonicalise
   the target path.

 * ssh-agent(1): bz#2175: fix a use-after-free in the PKCS#11 agent
   helper executable.

 * sshd(8): Improve logging of sessions to include the user name,
   remote host and port, the session type (shell, command, etc.) and
   allocated TTY (if any).

 * sshd(8): bz#1297: tell the client (via a debug message) when
   their preferred listen address has been overridden by the
   server's GatewayPorts setting.

 * sshd(8): bz#2162: include report port in bad protocol banner
   message.

 * sftp(1): bz#2163: fix memory leak in error path in do_readdir().

 * sftp(1): bz#2171: don't leak file descriptor on error.

 * sshd(8): Include the local address and port in "Connection from
   ..." message (only shown at loglevel>=verbose).

Portable OpenSSH:

 * Please note that this is the last version of Portable OpenSSH that
   will support versions of OpenSSL prior to 0.9.6. Support (i.e.
   SSH_OLD_EVP) will be removed following the 6.5p1 release.

 * Portable OpenSSH will attempt compile and link as a Position
   Independent Executable on Linux, OS X and OpenBSD on recent gcc-
   like compilers. Other platforms and older/other compilers may
   request this using the --with-pie configure flag.

 * A number of other toolchain-related hardening options are used
   automatically if available, including -ftrapv to abort on signed
   integer overflow and options to write-protect dynamic linking
   information.  The use of these options may be disabled using the
   --without-hardening configure flag.

 * If the toolchain supports it, one of the -fstack-protector-strong,
   -fstack-protector-all or -fstack-protector compilation flags is
   used to add guards to mitigate attacks based on stack overflows.
   The use of these options may be disabled using the
   --without-stackprotect configure option.

 * sshd(8): Add support for pre-authentication sandboxing using the
   Capsicum API introduced in FreeBSD 10.

 * Switch to a ChaCha20-based arc4random() PRNG for platforms that do
   not provide their own.

 * sshd(8): bz#2156: restore Linux oom_adj setting when handling
   SIGHUP to maintain behaviour over restart.

 * sshd(8): bz#2032: use local username in krb5_kuserok check rather
   than full client name which may be of form user@REALM.

 * ssh(1), sshd(8): Test for both the presence of ECC NID numbers in
   OpenSSL and that they actually work. Fedora (at least) has
   NID_secp521r1 that doesn't work.

 * bz#2173: use pkg-config --libs to include correct -L location for
   libedit.
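The new private key format mentioned above (the one ssh-keygen -o and Ed25519 keys use) is what decides whether a key on disk is actually protected by a passphrase-derived bcrypt key or sits there in plaintext. The following is an added example, not OpenSSH's own code: a small Python inspector that parses the openssh-key-v1 header as laid out in PROTOCOL.key (magic, cipher name, KDF name, KDF options, key count, public key blobs, private section) and reports the cipher, the KDF and its bcrypt rounds, and the key types. The key files it reads are constructed by build_sample_key() with filler bytes, so they are structurally valid but not usable keys; the "aes256-cbc" cipher name and 16-byte salt in the sample are assumptions for the demonstration.

```python
"""Inspect an OpenSSH "openssh-key-v1" private key (the format ssh-keygen -o
and Ed25519 keys use) and report how it is protected at rest.
Added example, not OpenSSH's own code. Layout follows PROTOCOL.key:
magic, ciphername, kdfname, kdfoptions, key count, public keys, then the
private section (encrypted when a bcrypt-derived passphrase key is in use)."""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at off."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def _read_uint32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _pack_string(data):
    return struct.pack(">I", len(data)) + data


def dearmor(text):
    """Strip the BEGIN/END lines and base64-decode the body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_HEAD or lines[-1] != PEM_TAIL:
        raise ValueError("not an OpenSSH private key file")
    return base64.b64decode("".join(lines[1:-1]))


def inspect_key(text):
    """Return a dict describing cipher, KDF, key types and at-rest protection."""
    buf = dearmor(text)
    if not buf.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _read_string(buf, off)
    kdf, off = _read_string(buf, off)
    kdfopts, off = _read_string(buf, off)
    nkeys, off = _read_uint32(buf, off)
    key_types = []
    for _ in range(nkeys):
        pub, off = _read_string(buf, off)
        ktype, _ = _read_string(pub, 0)      # first field of a public key blob
        key_types.append(ktype.decode("ascii"))
    private, off = _read_string(buf, off)
    info = {"cipher": cipher.decode("ascii"), "kdf": kdf.decode("ascii"),
            "key_types": key_types, "salt_len": None, "rounds": None,
            "encrypted": kdf != b"none"}
    if kdf == b"bcrypt":
        # kdfoptions for bcrypt: string salt, uint32 rounds
        salt, o = _read_string(kdfopts, 0)
        info["salt_len"] = len(salt)
        info["rounds"], _ = _read_uint32(kdfopts, o)
    elif kdf == b"none":
        # A plaintext private section opens with two identical 32-bit check values.
        c1, o = _read_uint32(private, 0)
        c2, _ = _read_uint32(private, o)
        info["checkints_match"] = c1 == c2
    return info


def build_sample_key(passphrase_protected, rounds=16):
    """Constructed, structurally valid key file for demonstration only: the
    key material is filler bytes, so it is not a usable key."""
    pub_blob = _pack_string(b"ssh-ed25519") + _pack_string(b"\x11" * 32)
    if passphrase_protected:
        cipher, kdf = b"aes256-cbc", b"bcrypt"          # assumed cipher name
        kdfopts = _pack_string(b"\x22" * 16) + struct.pack(">I", rounds)
        private = b"\x33" * 160                          # stands in for ciphertext
    else:
        cipher, kdf, kdfopts = b"none", b"none", b""
        private = b"\x44" * 8 + b"\x00" * 152            # two equal checkints + body
    body = (MAGIC + _pack_string(cipher) + _pack_string(kdf)
            + _pack_string(kdfopts) + struct.pack(">I", 1)
            + _pack_string(pub_blob) + _pack_string(private))
    b64 = base64.b64encode(body).decode("ascii")
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEAD}\n{wrapped}\n{PEM_TAIL}\n"


if __name__ == "__main__":
    for protected in (True, False):
        print(inspect_key(build_sample_key(protected)))
```

Run against a real key generated with ssh-keygen -o, the interesting fields are "kdf" and "rounds": a KDF of "none" means the private section is stored in plaintext regardless of file permissions, while "bcrypt" with the rounds count tells you how much work a brute-force attempt on the passphrase has to do per guess (ssh-keygen's -a option sets the rounds).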

Thursday, January 30, 2014

Progress Toward MATE 1.8

For those using MATE Desktop, you should be pleased with this news: MATE 1.8 is now under active development, led by Stefano Karapetsas and progressing on a daily basis. Some highlights that will be part of the future MATE 1.8 have been posted on their roadmap wiki.

Some of the highlights that I would like to point out are:
  • merged several extensions for caja into a single caja-extensions package
  • added support for GTK+3 and Bluez 5
  • added support for gstreamer-1.x
  • window snapping
  • migration to lcms2
I have been running the MATE 1.7 development version on my main desktop at home and so far it's running smoothly here without any problem. The final release of MATE 1.8 should be more fun, and it will be available for Slackware 14.1 and future releases of Slackware if MATE 2.0 hasn't been released yet :)

Wednesday, January 29, 2014

Two Security Updates

Two security updates were released this morning for various Slackware versions, ranging from 13.0 up to current. They are:
  • mozilla-nss: Upgraded to 3.15.4 and applied to Slackware 14.0 and newer
  • bind: Upgraded to 9.9.9_P2 and applied to Slackware 13.0 and newer
There are no other packages coming to current with this update.

Monday, January 27, 2014

Managing SBo Dependencies Easily

Those who use SlackBuild scripts from the SBo project might be pleased with this news. It's not a new thing for me, since I have known about this tool for a few months, but I never tested it for real (in fact I had forgotten about it) until a few weeks ago, when Ponce (Matteo Bernardini) wrote about it on LQ.

This tool is called sqg and was made by Chess Griffin, one of the co-authors of sbopkg, a great tool to manage package installation from the SBo repository. It was released along with sbopkg 0.37.0, but it was shipped under the contrib directory, so not many people noticed it.

I believe you have heard about sbopkg, which helps users download, build, and install packages from the SBo repository. sbopkg itself still doesn't handle dependencies using SBo's metadata (the REQUIRES line in each .info file), so users must work out the package installation order by themselves. Some people have already started to use queue files to record the installation order, but they must write them manually or use the queue files hosted in the repository made by Mauro Giachero.

All of that is now solved by the new tool, sqg. Basically it's an sbopkg queue generator: it builds a queue file for a single package, or for all packages in the SBo repository, using the metadata in every SBo package (the *.info file).

Here's how to make use of sqg:
  • install sbopkg and configure it to point to the correct SBo repository
  • run the initial checkout: sbopkg -r (you can skip this step if you already have the latest update from SBo)
  • move sqg from /usr/doc/sbopkg-0.37.0/contrib/sqg to /usr/bin (or make a symlink)
  • edit line 48 and change REPO_BRANCH to 14.1 (I assume you are using Slackware 14.1)
  • start creating queue files for all packages: sqg -a (this can take some time)
When it has finished, all the queue files will be placed under /var/lib/sbopkg/queues/. If you have made your own queue files, back them up first, since sqg will overwrite everything in that directory.

Now, every time you install a new package using sbopkg, it will look for a queue first and, if it finds one, it will offer you the choice of using the queue or just the individual package. If you already have all the dependencies installed, you can pick the individual package to save time by building only the package you need. If you are building a new system, you can pick the queue to download all the requirements along with the package you need and build them in order. Very nice :)
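To make concrete what sqg does with the REQUIRES line, here is an added example (not sqg's own code, which is a shell script) that builds a dependency-ordered queue from a set of .info files in Python. The four .info files in SAMPLE_INFOS are constructed for the demonstration and are not taken from the real SBo repository; the walk is a depth-first post-order over REQUIRES, which puts every dependency above the package that needs it, drops SBo's %README% marker (optional dependencies described in the README, not a package), and refuses to emit a queue for a dependency cycle or a missing package rather than producing an order sbopkg would fail on halfway through.

```python
"""Build an sbopkg queue (dependencies listed before the packages that need
them) from the REQUIRES= line of SBo *.info files. Added example illustrating
what sqg automates; it is not sqg's own code, and the .info contents below are
constructed rather than taken from the real SBo repository."""
import re

REQUIRES_RE = re.compile(r'^REQUIRES="([^"]*)"', re.MULTILINE)

# Constructed sample repository: package name -> contents of its .info file.
SAMPLE_INFOS = {
    "libfoo": 'PRGNAM="libfoo"\nVERSION="1.0"\nREQUIRES=""\n',
    "libbar": 'PRGNAM="libbar"\nVERSION="2.1"\nREQUIRES="libfoo"\n',
    "libbaz": 'PRGNAM="libbaz"\nVERSION="0.3"\nREQUIRES="libfoo %README%"\n',
    "app":    'PRGNAM="app"\nVERSION="3.0"\nREQUIRES="libbar libbaz"\n',
}


def parse_requires(info_text):
    """Return the package names on the REQUIRES= line. %README% is SBo's
    marker for optional dependencies described in the README, not a package."""
    match = REQUIRES_RE.search(info_text)
    if not match:
        return []
    return [dep for dep in match.group(1).split() if dep != "%README%"]


def build_queue(pkg, infos):
    """Depth-first post-order walk so every dependency precedes what needs it.
    Raises on a dependency cycle or on a dependency absent from the repository."""
    order, done, stack = [], set(), []

    def visit(name):
        if name in done:
            return
        if name in stack:
            raise ValueError("dependency cycle: " + " -> ".join(stack + [name]))
        if name not in infos:
            raise KeyError(f"{name} is required but has no .info file")
        stack.append(name)
        for dep in parse_requires(infos[name]):
            visit(dep)
        stack.pop()
        done.add(name)
        order.append(name)

    visit(pkg)
    return order


def render_queue(order):
    """Queue file as sbopkg reads it: one package per line, build order top down."""
    return "".join(name + "\n" for name in order)


def build_all_queues(infos):
    """Like 'sqg -a': one queue per package in the repository."""
    return {name: render_queue(build_queue(name, infos)) for name in infos}


if __name__ == "__main__":
    for name, queue in sorted(build_all_queues(SAMPLE_INFOS).items()):
        print(f"--- {name}.sqf ---\n{queue}", end="")
```

For the sample repository, the queue for app comes out as libfoo, libbar, libbaz, app, which is the order you would otherwise have to work out by hand from the three .info files.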

Kudos to Chess Griffin for this wonderful tool.

Wednesday, January 15, 2014

KDE 4.12.1 for Slackware-Current

Last week, KDE 4.11.5 was released, and this week another KDE monthly update has been published, but this time it's KDE 4.12.1. This is the first monthly release of the 4.12.x branch, which will be maintained until 4.12.5 (April 2014), alongside 4.11.x up to 4.11.9.

As you know, KDE has frozen kde-workspace since 4.11, which means no more feature updates to that package, since the developers are focusing on porting to newer technology, aiming for KDE 5. Starting with KDE SC 4.12.2, the KDE Workspaces 4.11.x releases will be synchronized with those of KDE Applications and Development Platform 4.12.x.

Eric Hameleers has published his KDE 4.12.1 packages through his KTown repository, and you can grab them via the mirror sites below:
Don't forget to read the README to make sure you get a smooth upgrade experience.

Tuesday, January 14, 2014

Multiple Security Updates

Patrick has released multiple security advisories today, accumulating fixes from several upstream projects. They cover Slackware 13.0 onward up to Slackware-Current.

Here they are:
  • libXfont: Upgraded to 1.4.7 on Slackware 13.0 and newer
  • php: Upgraded to 5.4.24 on Slackware 14.0 and newer
  • openssl: Upgraded to 1.0.1f on Slackware 14.0 and newer
  • samba: Upgraded to 4.1.4 on Slackware 14.1 and newer
Besides the security updates above, one more package landed in -Current: llvm, which is upgraded to 3.4.

Wednesday, January 8, 2014

KDE 4.11.5 for Slackware 14.1

For those who still prefer the stable KDE 4.11.x releases, Eric has good news: he intends to keep providing KDE 4.11.x releases, at least until 4.11.9, which is due in April 2014. In fact, he has already published his KDE 4.11.5 packages on KTown, which are already mirrored to the mirror sites below:
As usual, KDE 4.11.5 only contains bug fixes and translation updates, so it's safe to upgrade to this version if you have been running a previous version of the KDE 4.11.x series. Here's what has been integrated in this release:
Several recorded bugfixes include improvements to the personal information management suite Kontact, the UML tool Umbrello, the document viewer Okular, the web browser Konqueror, the file manager Dolphin, and others. The Plasma calculator can handle Greek letters now and Okular can print pages with long titles. And Konqueror got better web fonts support through fixing a bug. A complete list of changes can be seen on the KDE Issue Tracker.
For those running KDE 4.12.0, Eric will update the KDE 4.12 packages with the newer kde-workspace-4.11.5 to sync with this release.

Thursday, January 2, 2014

MSB Updates in 2014

MATE developer Stefano Karapetsas has released MATE Desktop 1.6.2 along with many sub-components of the MATE Desktop project, which can be obtained through their release page. This is a minor update in the MATE 1.6.x series, so it's safe to upgrade to this version if you have been using MATE 1.6.

I have built the new packages for Slackware 14.1, pushed them to the MSB Git repository and also uploaded them to the MSB mirror sites. There are two batches of updates, since they were released on two different dates (and probably more will come tomorrow).

Here is the full changelog:

Thu Jan  2 04:28:23 UTC 2014
14.1/1.6/x86:
base/libmatekbd-1.6.2-i486-1_msb.txz: Upgraded.
base/mate-desktop-1.6.2-i486-1_msb.txz: Upgraded.
base/mate-control-center-1.6.2-i486-1_msb.txz: Upgraded.
base/mate-icon-theme-1.6.3-noarch-1_msb.txz: Upgraded.
extra/mate-keyring-1.6.1-i486-1_msb.txz: Upgraded.
extra/mate-media-1.6.1-i486-1_msb.txz: Upgraded.
extra/mate-sensors-applet-1.6.1-i486-1_msb.txz: Upgraded.

14.1/1.6/x86_64:
base/libmatekbd-1.6.2-x86_64-1_msb.txz: Upgraded.
base/mate-desktop-1.6.2-x86_64-1_msb.txz: Upgraded.
base/mate-control-center-1.6.2-x86_64-1_msb.txz: Upgraded.
base/mate-icon-theme-1.6.3-noarch-1_msb.txz: Upgraded.
extra/mate-keyring-1.6.1-x86_64-1_msb.txz: Upgraded.
extra/mate-media-1.6.1-x86_64-1_msb.txz: Upgraded.
extra/mate-sensors-applet-1.6.1-x86_64-1_msb.txz: Upgraded.
+--------------------------+
Wed Jan  1 02:13:01 UTC 2014
Happy New Year 2014!!

Best wishes from Chess Griffin and Willy Sudiarto Raharjo

14.1/1.6/x86:
base/mate-backgrounds-1.6.1-noarch-1_msb.txz: Upgraded.
base/mate-polkit-1.6.1-i486-1_msb.txz: Upgraded.
base/mate-themes-1.6.3-noarch-1_msb.txz: Upgraded.
extra/libmatekeyring-1.6.1-i486-1_msb.txz: Upgraded.
extra/mate-applets-1.6.2-i486-1_msb.txz: Upgraded.
extra/mate-image-viewer-1.6.2-i486-1_msb.txz: Upgraded.
extra/mate-netspeed-1.6.1-i486-1_msb.txz: Upgraded.
extra/mate-text-editor-1.6.1-i486-1_msb.txz: Upgraded.

14.1/1.6/x86_64:
base/mate-backgrounds-1.6.1-noarch-1_msb.txz: Upgraded.
base/mate-polkit-1.6.1-x86_64-1_msb.txz: Upgraded.
base/mate-themes-1.6.3-noarch-1_msb.txz: Upgraded.
extra/libmatekeyring-1.6.1-x86_64-1_msb.txz: Upgraded.
extra/mate-applets-1.6.2-x86_64-1_msb.txz: Upgraded.
extra/mate-image-viewer-1.6.2-x86_64-1_msb.txz: Upgraded.
extra/mate-netspeed-1.6.1-x86_64-1_msb.txz: Upgraded.
extra/mate-text-editor-1.6.1-x86_64-1_msb.txz: Upgraded.