pnutzh4x0r

joined 1 year ago
 

Welcome to the Ubuntu Weekly Newsletter, Issue 859 for the week of September 22 - 28, 2024.

  • Ubuntu Stats
  • Hot in Support
  • Ubuntu Meeting Activity Reports
  • Rocks Public Journal
  • LXD: Weekly news #364
  • LoCo Events
  • Oracular Oriole (24.10) Release Status Tracking
  • CUPS Remote Code Execution Vulnerability Fix Available
  • ...
  • And much more!
 

Here’s what Hoosiers need to know ahead of the voter registration deadline, which is the end of the day on Oct. 7.

The easiest way to register or ensure your registration is still active is online at IndianaVoters.com. There, you can also request an absentee ballot, find your polling place and see who’s on your ballot.

You can also register by mail or in person at your local election administrator’s office.

If you need to register or update your registration, you have to provide some proof of residence. The quickest way to do that is by submitting your driver’s license or state ID number, or the last four digits of your Social Security number.

You can also provide proof of residence via a current utility bill, bank statement, government check, paycheck or government document that shows your name and address.

[–] [email protected] 2 points 3 days ago (3 children)

I still haven't done much of Varlamore Part 1 (just some thieving of rich citizens and hunter rumours). With Part 2, I did do the Colossal Wyrm agility course and got the graceful recolor. I have yet to do Moons or the new prayer training.

That said, I did try out Hueycoatl with some friends and... it was kinda lacking. The fight is long and the drops are not good. I know they recently buffed the drop table a bit, but I'm not in a rush to go back... Which is fine, I still have lots of things to do (i.e. I just finished Sins of the Father and am now working on the Elite Varrock diary).

 

The Linux Mint 22.1 distribution was slated for release in December 2024 with a revamped Cinnamon theme and better package management.

Slated for release in December 2024, near the Christmas holidays, Linux Mint 22.1 will ship with the soon-to-be-released Cinnamon 6.4 desktop environment featuring a revamped theme that’s much darker and contrasted than before, rounded elements, redesigned dialogs, and a gap between the applets and the panel.

More from the Mint Monthly News: September 2024

The transition towards Aptkit and Captain is now finished. Starting with Linux Mint 22.1, set to be released this December, none of our projects will depend on aptdaemon, synaptic, gdebi or apturl anymore.

[–] [email protected] 158 points 3 days ago (3 children)

I think the "Ubuntu Core 22" means it is the snap based version of Steam rather than the deb version.

If you look at the snapcraft.yaml for the Steam snap, it uses core22 as its base.

 

Exploit of a combination of several bugs - Overhyped but not that severe - Fixes already available

...

Canonical’s security team has acted immediately to quickly apply the patches which Michael Sweet (author and maintainer of CUPS) had already prepared for CUPS, cups-browsed, libcups-filters, libppd, and cups-filters (in the time from the first report until then I was some days off and I was also on the Open Source Summit Europe, thanks, Michael Sweet, for stepping in, also thanks to Zdenek Dohnal from Red Hat) to the appropriate in all supported Ubuntu versions, so that at the time of disclosure most fixes were already in place. They also reported in an Ubuntu blog. They tell users what to do, from turning off cups-browsed or at least its legacy CUPS browsing support to updating their systems as the fixes were already available. Thanks a lot to Seth Arnold, Marc Deslauriers, Diogo Sousa, Mark Esler, Luci Stanescu, and more.

...

The X post really overhyped the vulnerability. Attacks from the internet are not very probable due to the fact that servers on the internet do not have cups-browsed and CUPS installed and CUPS/cups-browsed setups are there usually only in NAT-protected local networks with desktop machines and print servers. And the remote code execution is also rather restricted, as CUPS filters are not running as root, but as the system user “lp” which cannot even read user’s home directories. In addition, the remote code execution only happens when a user actually prints a job on the fake printer. Actually assigned scores ended up between 8.4 and 9.1.

 

Canonical’s security team has released updates for the cups-browsed, cups-filters, libcupsfilters and libppd packages for all Ubuntu LTS releases under standard support. The updates remediate CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, while CVE-2024-47177 is addressed by the other 3 vulnerabilities being patched. Information on the affected versions can be found in the CVE pages linked above. If you have any of these installed, our recommendation is to update as soon as possible. Read on to learn more about the details. Security updates for ESM releases will be released shortly.

[–] [email protected] 9 points 1 week ago* (last edited 1 week ago)
 

There's been talk of this unauthenticated RCE vulnerability coming with a CVSS 9.9 rating but none of the technical details were publicly known until it was made public just now at the top of the hour. Simone Margaritelli discovered this vulnerability and has shared a write-up around this potentially very impactful Linux vulnerability.

This vulnerability, fortunately, doesn't affect the Linux kernel but rather CUPS... The print server commonly used on Linux systems and other platforms.

...

From Attacking UNIX Systems via CUPS, Part I:

"A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)."

...

This remote code execution issue can be exploited across the public Internet via a UDP packet to port 631 without needing any authentication, assuming the CUPS port is open through your router/firewall. LAN attacks are also possible via spoofing zeroconf / mDNS / DNS-SD advertisements.

Besides CUPS being used on Linux distributions, it also affects some BSDs, Oracle Solaris, Google Chrome OS, and others.

As of writing there is no Linux fix available for this high profile security issue. In the meantime it's recommended to disable and remove the "cups-browsed" service, update CUPS, or at least block all traffic to UDP port 631.

 

cross-posted from: https://lemmy.ndlug.org/post/1167059

COSMIC’s Alpha 2 release builds upon that work with functionality built out for Files, additional Settings pages, considerable infrastructure work for screen reader support+, and some highly requested window management features. System76 is ecstatic at the level of excitement and collaboration so far with alpha testers and early app & applet developers, and we look forward to seeing what comes from these new additions.

...

The second COSMIC alpha will be released on September 26th. Those participating in Alpha 1 on Pop!_OS can simply update through the COSMIC App Store to transition. This alpha will be followed by monthly alpha releases until all core features have been built out.


 


 

Mozilla has overhauled its branding to pay homage to its Netscape roots and better distinguish the wider organization from its Firefox web browser. The most notable change is to the company’s logo: what was previously a sans-serif wordmark styled as “Moz://a” has been updated to correctly spell out the Mozilla name, featuring a new customized typeface and an M-shaped flag.

According to Mozilla, the flag symbolizes the brand’s “activist spirit.” That fits with the image that the Mozilla Foundation, which is leading the company, is attempting to build: describing itself as “a non-profit organization that promotes openness, innovation, and participation on the Internet” and regularly releasing privacy reports that investigate tech companies’ policy and security practices.

 

Welcome to the Ubuntu Weekly Newsletter, Issue 858 for the week of September 15 - 21, 2024.

  • Ubuntu 24.10 (Oracular Oriole) Beta released
  • Welcome New Members and Developers
  • Ubuntu Stats
  • Hot in Support
  • Ubuntu Meeting Activity Reports
  • Ubuntu Flavor sync meeting notes: 9 September 2024
  • UbuCon Asia 2024 Team meeting 2024-09-15 12:00 UTC
  • Ubuntu Home Server Workshop 2024 @Busan
  • Ubucon Portugal 2024 needs you!
  • LoCo Events
  • Mir release 2.18.0
  • Call for testing: ubuntu-frame, mir-test-tools on the 22 track (Mir 2.17.2 update)
  • Ubuntu Desktop’s 24.10 Dev Cycle - Part 6: September Update
  • ...
  • And much more!
 

cross-posted from: https://lemmy.ndlug.org/post/1153465

In the second finding of the 2024 Tidelift state of the open source maintainer survey, we found that the more maintainers are paid, the more improvements they make to their projects.

...

In the previous finding, we reported that 60% of maintainers describe themselves as unpaid hobbyists, and 36% of maintainers describe themselves as paid (professional or semi-professional) maintainers, earning some or all of their income from their open source work.

...

When you break down the paid maintainers into professional (earning most or all of their income from their maintenance work) and semi-professional (earning some of their income from maintaining projects), it becomes clear that the amount of money a maintainer is making for their work has a large impact on the types of improvements they are able to make. Across nearly all major categories, professional maintainers are on average over 20 percentage points more likely to make key improvements to their projects than semi-professional maintainers.

...

In the previous study, 81% of professional maintainers earning most or all of their income from maintaining projects spend more than 20 hours a week maintaining their projects. This year, the percentage was nearly identical (82%).

Conversely, in last year’s survey, we found that the vast majority of unpaid hobbyists spend ten hours or less per week on their maintenance work (81%). This percentage also stayed consistent in this year’s survey, with 78% of unpaid hobbyist maintainers working ten hours or less per week.

...

We’ve heard from many maintainers that how they are paid for their work also matters. For many maintainers there is a huge difference between getting a one-time “airdrop” of money, perhaps right after a high profile incident where people are paying attention to their projects, compared to ongoing recurring income that they can count on. So this year for the first time we asked maintainers to tell us whether they would prefer to get predictable monthly income or a one-time lump payment.

An overwhelming majority of maintainers prefer to receive predictable monthly income, with 81% choosing that option.

 


[–] [email protected] 66 points 2 weeks ago

This is a great summary. Thanks!

[–] [email protected] 19 points 2 weeks ago (6 children)

It looks like you are running XFCE instead of GNOME (the normal Ubuntu desktop). I'm not sure how that happened... but you can always just install another desktop.

For instance, you can try to make sure you have the ubuntu-desktop or ubuntu-desktop-minimal metapackage installed:

sudo apt install ubuntu-desktop-minimal

After that, the login manager should allow you to select the Ubuntu session rather than the XFCE one.

[–] [email protected] 6 points 3 weeks ago

Still using mutt after two decades (with isync for fetching).

[–] [email protected] 4 points 3 weeks ago

Yes, based on the diagrams on their blog, it looks like this only impacts Snaps.

[–] [email protected] 12 points 3 weeks ago (2 children)

From the Discourse Blog:

The Linux desktop provides XDG Desktop Portals as a standardised way for applications to access resources that are outside of the sandbox. Applications that have been updated to use XDG Desktop Portals will continue to use them. Prompting is not intended to replace XDG Desktop Portals but to complement them by providing the desktop an alternative way to ask the user for permission. Either when an application has not been updated to use XDG Desktop Portals, or when it makes access requests not covered by XDG Desktop Portals.

Since prompting works at the syscall level, it does not require an application’s awareness or cooperation to work and extends the set of applications that can be run inside of a sandbox, allowing for a safer desktop. It is designed to enable desktop applications to take full advantage of snap packaging that might otherwise require classic confinement.

So this looks like it complements and not replaces the XDG Desktop Portals, especially for applications that have not implemented the Portals. It allows you to still run those applications in confinement while providing some more granular access controls.

[–] [email protected] 6 points 3 weeks ago (1 children)

From what I can tell, Pop!_OS does not ship their own version of timeshift. Instead, it comes directly from Ubuntu. So if there is a change in maintainers, it should be reported to Ubuntu:

https://launchpad.net/ubuntu/+source/timeshift

[–] [email protected] 1 points 3 weeks ago (1 children)

As a moderator, you should see a "shield" on a post and from that sub-menu, you can choose to feature or unfeature a post:

Shield menu

[–] [email protected] 4 points 3 weeks ago

I used to use VLC for music, but these days I use Symphony to play local files on my phone. VLC tended to struggle when scanning or indexing large folders (which it did all the time...), while Symphony is a bit better at that. That said, I still use VLC for video and for casting things from my DLNA server (VLC supports Chromecast).

For ebooks, I've used Librera FD and that has been mostly OK. I'll check out the two you mentioned though. Thanks!

[–] [email protected] 3 points 3 weeks ago

On Ubuntu, there is a program called "Firmware Updater" which uses LVFS to retrieve and install firmware updates (including BIOS/UEFI).

According to this page: https://fwupd.org/lvfs/devices/com.lenovo.ThinkPadN23ETXXW.firmware your Carbon X1 Gen 6 should be supported.
