Posts for: #release

XCP-ng Unveils Version 8.3 Beta 2 of Virtualization Platform

XCP-ng has announced the launch of the 8.3 Beta 2, marking the culmination of seven months of work on XCP-ng 8.3. This pre-release version is not recommended for production environments but is intended for users interested in testing and providing feedback on the new features. The release faced challenges with UEFI firmware emulation, but with community support, issues were resolved.

Changes in XCP-ng 8.3 Beta 2

Changes from XenServer

  • Completion of vTPM support for Windows 11 compatibility.
  • Various improvements in XAPI, Xen, and Linux kernel.

Changes from XCP-ng

  • Rebased packages on XenServer 8 preview.
  • Various installer enhancements.
  • IPv6 support updates.
  • Addition of XOSTOR and Debian 12 template.
  • Security fixes and new tests.
  • Removal of old experimental EXT4 driver.

Updates Since Beta 2

  • Integration of XenServer 8 advancements.
  • Various updates and fixes for enhanced stability.
  • Known issue with Xen Orchestra statistics, being addressed.

Xen 4.17

  • Opportunity to upgrade from Xen 4.13 to Xen 4.17 for testing.
  • Instructions provided for installation and feedback submission.

Embedfire LubanCat 4 Card Computer: Rockchip RK3588S Dev Board with Mini PCIe Socket

EmbedFire LubanCat 4 card computer, also known as LubanCat 4, is a feature-packed Rockchip RK3588S Single Board Computer (SBC) launched by Yehuo Electronic. This compact board measuring 85x56mm offers a wide range of functionalities, including Ethernet, USB, mini PCIe, HDMI 2.1, SIM card slot, microSD card holder, and more.

EmbedFire LubanCat 4 Specifications:

  • SoC: Rockchip RK3588S
    • CPU: Octa-core processor with 4x Cortex-A76 cores up to 2.2-2.4 GHz and 4x Cortex-A55 cores up to 1.8 GHz
    • GPU: Arm Mali-G610 GPU with support for OpenGL ES 3.2, OpenCL 2.2, and Vulkan 1.2
    • VPU: 8Kp60 video decoder and 8Kp30 video encoder
    • AI Accelerator: 6 TOPS NPU
  • System Memory: 4/8/16GB LPDDR4X
  • Storage: No eMMC, or 32/64/128GB eMMC; microSD card socket
  • Video Output: Mini HDMI 2.1, 2x MIPI DSI connectors, USB Type-C interface supporting DP protocol
  • Networking: Gigabit Ethernet RJ45 port, optional WiFi or cellular mini PCIe module
  • USB Ports: 3x USB 2.0 Type-A interfaces, 1x USB 3.0 Type-A interface, 1x USB 3.0 Type-C interface
  • Expansion: Mini PCIe interface, 40-pin Raspberry Pi-compatible GPIO header
  • Misc: RTC battery connection socket, 5V fan header for cooling
  • Power Supply: 5V/4A DC input via USB Type-C
  • Dimensions: 85 x 56 mm

The board supports various operating systems including Android 13, Debian, Ubuntu, and ROS, all available on their GitHub repository. However, there is limited documentation available for the board at the moment.

The EmbedFire LubanCat 4 SBC is available for purchase on AliExpress with prices starting at around $110 for the 4GB RAM version without eMMC. This board offers a Raspberry Pi-sized solution powered by the robust Rockchip RK3588S SoC, making it a compelling choice for developers and enthusiasts looking to explore various projects in the server, Linux, DevOps, and home lab environments.

Source: CNX Software – Embedded Systems News.

Traefik Announces First Release Candidate for Version 3.0.0

Cloud Native Application Proxy Traefik has released the first release candidate for version 3.0.0. This major release includes support for emerging technologies such as WebAssembly (Wasm), OpenTelemetry, and Kubernetes Gateway API. In addition, the routing rules and security of Traefik have been improved with support for HTTP/3, SPIFFE, and Tailscale.

To ensure a smooth user experience during the migration from the previous version, Traefik provides a complete migration guide and offers backward compatibility with v2 syntax while introducing a progressive path for adopting the v3 syntax.

The enhancements in this release candidate include:

  • Addition of weight on ServersLoadBalancer for Docker and service configurations
  • Reloading of provider file configuration on SIGHUP
  • Upgrade of gateway API to v1.0.0 for Kubernetes
  • Support for cross-namespace references and GatewayAPI ReferenceGrants in Kubernetes Gateway API
  • Introduction of static config hints for logs
  • Removal of observability for internal resources in metrics, tracing, and access logs
  • Support for sending DogStatsD metrics over Unix Socket in metrics
  • Addition of forwardAuth.addAuthCookiesToResponse in middleware and authentication
  • Implementation of the includedContentTypes option for the compress middleware
  • Reintroduction of the deprecated IpWhitelist middleware
  • Addition of ResponseCode to CircuitBreaker middleware
  • Addition of the rejectStatusCode option to IPAllowList middleware
  • Support for http-wasm plugin in Traefik
  • Reintroduction of v2 rule matchers in rules
  • Support for SO_REUSEPORT in EntryPoints for servers
  • Support for setting sticky cookie max age in sticky-session
  • Migration to OpenTelemetry in tracing and otel
  • Reintroduction of dropped v2 dynamic config

The bug fixes in this release candidate include:

  • Removal of warning in Kubernetes CRD provider about the supported version
  • Fixing of OpenTelemetry unit tests in metrics
  • Alignment of OpenTelemetry tracing and metrics configurations in middleware, authentication, metrics, and tracing
  • Fixing of brotli response status code when compression is disabled in middleware
  • Computing priority for HTTPS forwarder TLS routes in TLS and server configurations

Other changes in this release candidate include documentation updates, support for file path as input parameter for Kubernetes token value, disabling of br compression when no Accept-Encoding header is present in middleware, and merging of v2.11 into v3.0.

Pi-hole Mitigates Two Newly Discovered DNSSEC Vulnerabilities

Pi-hole has announced that it is addressing two new DNSSEC vulnerabilities in its upcoming versions. The vulnerabilities are found in dnsmasq, the DNS resolver that Pi-hole FTL is forked from. They can be exploited through specially crafted DNSSEC answers, leading to degraded performance and denial of service. The vulnerabilities are not limited to Pi-hole and can affect other DNSSEC-validating DNS resolvers as well.

The author of dnsmasq, Simon Kelley, explains that the vulnerabilities are due to a failure in the DNSSEC specification. The solution for dnsmasq is to impose hard limits on the amount of “work” a DNSSEC validation can take. These limits have been set with significant headroom and can be overridden if necessary. The vulnerabilities have been assigned the CVE numbers CVE-2023-50387 and CVE-2023-50868 and are rated as “high” severity.

Pi-hole has already released fixes for these vulnerabilities in the beta version of Pi-hole v6.0 and is preparing to release them in the stable version as well. Disabling DNSSEC validation entirely removes the vulnerability, but Pi-hole strongly advises upgrading to the fixed version instead. Upgrading to the fixed version will ensure that DNSSEC validation does not impede other server workloads.

For users still using the stable versions of Pi-hole (v5.x), it is recommended to either manually check out the development branch or disable DNSSEC for the time being and rely on the upstream server for DNSSEC validation. However, it is important to ensure that the upstream server is on a sufficiently recent version, such as unbound version 1.19.1, which has been fixed.

Update: Pi-hole has now released the update. Run pihole -up to apply.

GLAuth: Lightweight LDAP Server for Development, Home Use, or CI Releases v2.3.1

GLAuth (Go-lang LDAP Authentication) has released version 2.3.1. GLAuth is a secure and easy-to-use LDAP server with configurable backends. This release includes several new features, bug fixes, and miscellaneous chores.

Features

  • Tracing configuration can now be allowed via the main config.
  • Context for OpenTelemetry Protocol (OTLP) spans has been introduced into the handler package.
  • Context for OTLP spans has been introduced into the plugins package.
  • OTLSql has been introduced.
  • OTLP tracer has been introduced.
  • Basic tracer has been wired up.

Bug Fixes

  • Vendored TOML has been dropped.
  • Formatting has been improved.
  • The go test command now properly checks OTP within the allowed base DN.
  • All TOML parsing has been moved into a new internal package, and the mappings have been dropped in favor of toml.Primitive decoding.
  • Configuration setup has been removed from the main function, and log configuration has been reshored.
  • Tracing code has been updated to work with breaking changes in OTLP 1.20.
  • The server now uses BurntSushi/toml.

For more information, visit the glauth v2.3.1 release page.

Debian 12.5: The Latest Update

The Debian project has announced the release of the fifth update for its stable distribution, Debian 12 (codename bookworm). This point release includes important security corrections and fixes for various issues. Security advisories have already been published separately and are available for reference.

This stable update includes important bug fixes for various packages. Here are some notable corrections:

  • apktool: Prevents arbitrary file writes with malicious resource names [CVE-2024-21633]
  • atril: Fixes crash when opening some epub files, index loading for certain epub documents, and adds fallback for malformed epub files in check_mime_type; uses libarchive for extracting documents instead of an external command [CVE-2023-51698]
  • base-files: Updated for the 12.5 point release
  • caja: Fixes desktop rendering artifacts after resolution changes and use of informal date format
  • calibre: Fixes HTML Input to not add resources that exist outside the folder hierarchy rooted at the parent folder of the input HTML file by default [CVE-2023-46303]
  • compton: Removes recommendation of picom
  • cryptsetup: Adds support for compressed kernel modules, handles missing /lib/systemd/system-sleep directory, and changes suffix drop logic to match initramfs-tools
  • debian-edu-artwork: Provides an Emerald theme based artwork for Debian Edu 12
  • debian-edu-config: New upstream release
  • debian-edu-doc: Updates included documentation and translations
  • debian-edu-fai: New upstream release
  • debian-edu-install: New upstream release; fixes security sources.list
  • debian-installer: Increases Linux kernel ABI to 6.1.0-18; rebuilds against proposed-updates
  • debian-installer-netboot-images: Rebuilds against proposed-updates
  • debian-ports-archive-keyring: Adds Debian Ports Archive Automatic Signing Key (2025)
  • dpdk: New upstream stable release
  • dropbear: Fixes terrapin attack [CVE-2023-48795]
  • engrampa: Fixes several memory leaks and archive save as functionality
  • espeak-ng: Fixes buffer overflow and underflow issues, as well as a floating point exception issue [CVE-2023-49990 CVE-2023-49992 CVE-2023-49993 CVE-2023-49991 CVE-2023-49994]
  • filezilla: Prevents Terrapin exploit [CVE-2023-48795]
  • fish: Safely handles Unicode non-printing characters when given as command substitution [CVE-2023-49284]
  • fssync: Disables flaky tests
  • gnutls28: Fixes assertion failure when verifying a certificate chain with a cycle of cross signatures [CVE-2024-0567] and timing side-channel issue [CVE-2024-0553]
  • indent: Fixes buffer under read issue [CVE-2024-0911]
  • isl: Fixes use on older CPUs
  • jtreg7: New source package to support builds of openjdk-17
  • libdatetime-timezone-perl: Updates included timezone data
  • libde265: Fixes buffer overflow issues [CVE-2023-49465 CVE-2023-49467 CVE-2023-49468]
  • libfirefox-marionette-perl: Fixes compatibility with newer firefox-esr versions
  • libmateweather: Fixes URL for aviationweather.gov
  • libspreadsheet-parsexlsx-perl: Fixes possible memory bomb [CVE-2024-22368] and XML External Entity issue [CVE-2024-23525]
  • linux: New upstream stable release; bumps ABI to 18
  • linux-signed-amd64: New upstream stable release; bumps ABI to 18
  • linux-signed-arm64: New upstream stable release; bumps ABI to 18
  • linux-signed-i386: New upstream stable release; bumps ABI to 18
  • localslackirc: Sends authorization and cookie headers to the websocket
  • mariadb: New upstream stable release; fixes denial of service issue [CVE-2023-22084]
  • mate-screensaver: Fixes memory leaks
  • mate-settings-daemon: Fixes memory leaks, relaxes High DPI limits, and fixes handling of multiple rfkill events
  • mate-utils: Fixes various memory leaks
  • monitoring-plugins: Fixes check_http plugin when --no-body is used and the upstream response is chunked
  • needrestart: Fixes microcode check regression on AMD CPUs
  • netplan.io: Fixes autopkgtests with newer systemd versions
  • nextcloud-desktop: Fixes syncing files with special characters like ‘:’ and two-factor authentication notifications
  • node-yarnpkg: Fixes use with Commander 8
  • onionprobe: Fixes initialization of Tor if using hashed passwords
  • pipewire: Uses malloc_trim() to release memory when available
  • pluma: Fixes memory leak issues and double activation of extensions
  • postfix: New upstream stable release; addresses SMTP smuggling issue [CVE-2023-51764]
  • proftpd-dfsg: Implements fix for the Terrapin attack [CVE-2023-48795] and fixes out-of-bounds read issue [CVE-2023-51713]
  • proftpd-mod-proxy: Implements fix for the Terrapin attack [CVE-2023-48795]
  • pypdf: Fixes infinite loop issue [CVE-2023-36464]
  • pypdf2: Fixes infinite loop issue [CVE-2023-36464]
  • pypy3: Avoids an rpython assertion error in the JIT if integer ranges don’t overlap in a loop
  • qemu: New upstream stable release; fixes virtio-net, null pointer dereference, and suspend/resume functionality issues [CVE-2023-6693 CVE-2023-6683]
  • rpm: Enables the read-only BerkeleyDB backend
  • rss-glx: Installs screensavers into /usr/libexec/xscreensaver and calls GLFinish() prior to glXSwapBuffers()
  • spip: Fixes two cross-site scripting issues
  • swupdate: Prevents acquiring root privileges through inappropriate socket mode
  • systemd: New upstream stable release; fixes missing verification issue in systemd-resolved [CVE-2023-7008]
  • tar: Fixes boundary checking in base-256 decoder [CVE-2022-48303] and handling of extended header prefixes [CVE-2023-39804]
  • tinyxml: Fixes assertion issue [CVE-2023-34194]
  • tzdata: New upstream stable release
  • usb.ids: Updates included data list
  • usbutils: Fixes usb-devices not printing all devices
  • usrmerge: Cleans up biarch directories when not needed, avoids running convert-etc-shells again on converted systems, handles mounted /lib/modules on Xen systems, improves error reporting, and adds versioned conflicts with libc-bin, dhcpcd, libparted1.8-10, and lustre-utils
  • wolfssl: Fixes security issue when client sends neither PSK nor KSE extensions [CVE-2023-3724]
  • xen: New upstream stable release; includes security fixes [CVE-2023-46837 CVE-2023-46839 CVE-2023-46840]

For a complete list of package changes in this revision, you can visit https://deb.debian.org/debian/dists/bookworm/ChangeLog.