Stay Informed
This week, read about:
- CISA Adds Recently Disclosed Zimbra Bug to its Exploited Vulnerabilities Catalog.
- The Open Source Security Foundation Gains Support From Huawei, Spotify, and 23 New Organizations.
- VMware : A Beginner's Guide for Contributing to an Open Source Project…Code and Non-Code Contributors Alike!
Key Security, Maintenance, and Features Releases
Security Updates
OpenSSH 8.9
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.
Non-Security Updates
Firefox 97.0.1
Fixed an issue where TikTok videos would fail to load when selected from a user's profile page (bug 1750973)
Fixed an issue which led to Picture-in-Picture mode being unable to be toggled on Hulu (bug 1753401)
Works around problems with WebRoot SecureAnywhere antivirus rendering Firefox unusable in some situations (bug 1752466)
Fixed an issue causing users to see the Restore Session screen unexpectedly when starting Firefox (bug 1749996)
Jenkins 2.337
Remove the 'cloud configuration has moved to a separate configuration page' notice. (pull 6298)
Update the appearance of the button bar at the bottom of forms. (pull 6295)
Persist changes made to boolean radio controls (regression in 2.336). (pull 6311)
Update bundled Display URL API plugin to prevent issues starting the mailer plugin for offline installations. (issue 67885)