NixSanctuary Bulletin: Issue 1

Debian finally fixed a 22-year-old bug related to the Debian Pure Blend released as Debian Med
This interesting news comes straight from Debian Micronews.
On July 29, 2025, Carlos Henrique Lima Melara posted about a Debian bug that was opened in 2003, closed in 2004, and finally fixed in 2025.
According to the original bug report filed on March 24, 2003, a request was made to add Debian-Med to the Tasksel list of tasks.
Tasksel is a tool in Debian and other Debian-based Linux distributions that simplifies installing multiple related packages as a unit, called a "task." It allows users to select and install predefined sets of packages, or meta-packages, that are commonly used together for specific purposes.
One of the released Debian Pure Blends is Debian Med, which supports all tasks in medical care and research.
The bug was related to the lack of support for this specific Debian Pure Blend, i.e., Debian Med, in the Debian installer. Debian users could not easily select and install Debian Med during installation because there was no tree-structured task layout to facilitate it.
Though it was marked as fixed back in 2004, the actual changes were never implemented. The functional fix was recently deployed, finally enabling proper Blend support in the installer/tasksel UI.
Tor Project released a new alpha for Tor Browser version 15.0a1
The new Alpha version, 15.0a1, of the Tor Browser is now available for download. It provides an early look at the upcoming security fixes and software upgrades that will be included in the next stable version, 15.
Below are some of the significant updates:
- Tor Browser and Tor Browser for Android are now based on Firefox ESR 140.1.0, which was released on July 22, 2025.
- NoScript and OpenSSL have been upgraded. The versions are now 13.0.8 for NoScript and 3.5.1 LTS for OpenSSL. These upgrades were made on all platforms.
- The Go language has been updated to version 1.23.11 for Windows, Linux, and Android.
The first alpha release includes numerous bug fixes and optimizations that you can test and preview.
Latest version of the FSF-certified Linux kernel 'GNU Linux-libre 6.16' is available now!
On July 27, 2025, Free Software Foundation Latin America (FSFLA) released the latest version of GNU Linux-libre, version 6.16.
FSFLA is the group that works hard to provide us with a 100% libre Linux kernel for use on GNU/Linux-libre distributions.
Here is the verbatim news update as released:
Cleaned up new drivers for Intel qat 6xxx crypto, ST vd55g1 sensor, ath12k AHB wifi, Aeonsemi AS21xxx and MediaTek 25Gb ethernet PHY, as well as new Qualcomm and MediaTek ARM64 devicetree files. Adjusted cleaning up of Intel microcode loader docs, Nova Core and Nouveau drivers for Nvidia GPUs, Realtek r8169 ethernet, Qualcomm Iris and Venus video decoders, Mediatek mt7996 wifi, Qualcomm ath11k and ath12k wifi, Texas Instruments tas2781 codec and speaker amplifier, Renesas R-Car gen4 PCIe controller doc. Integrated build fix for Rust firmware loader (thanks!), and Intel VPU, AMD GPU, and btusb blob names already backported into stable 6.15.*-gnu releases during the 6.16-gnu development cycle.
Wayback version 0.2 released!
On July 31, 2025, Wayback announced its second preview release, version 0.2.
According to the release page, it is a small bugfix release, so do not expect any major changes.
- Wayback is now on Gentoo GURU (gui-wm/wayback) and Nixpkgs (wayback-x11 in unstable)
- wayback-session now uses &argv[1] instead of &argv[optind]; this fixes it looping when running wayback-session sesscmd
- Wayback commands now show the version in the command output
- Handle child processes without SIGTERM
Active Google URL Shortener (goo.gl) links will no longer be discontinued
In a blog post dated August 1, 2025, Google announced a change in plans regarding its previous decision to discontinue support for all goo.gl URLs after August 25, 2025. This decision was made after receiving a substantial amount of input from publishers and users.
We understand these links are embedded in countless documents, videos, posts and more, and we appreciate the input received.
Basically, all goo.gl links will be preserved and continue to function as usual, except for those that showed no activity by late 2024. These inactive links will still be deactivated in August, so you are advised to switch to a different URL shortener service immediately.
A simple test is to open your shortened goo.gl URL and check whether it displays a message saying the link might not work in the near future; such a link is set to be deactivated after August 25th.
If your URL redirects you to the original link without displaying that warning, it will continue to work for now.
Pi-hole posted about a data leak from a vulnerable WP plugin called GiveWP
Pi-hole, the well-known network-wide ad-blocking open-source software, reported a data breach caused by the use of a popular but vulnerable version of the WordPress plugin GiveWP.
In a July 30, 2025 blog post, Pi-hole shared details about what happened and which specific information was leaked.
The data leak is limited to donor IDs, names, and email addresses. Donors voluntarily provided this data when using the donation form. For clarification, Pi-hole does not require a valid name or email address to make a donation.
Pi-hole first became aware of this issue on July 28, 2025, via emails, Reddit posts, and a post on their forum.
After investigating, they identified a GiveWP plugin used for the donations page as the source of the data breach.
Initially, the GiveWP Support team did not acknowledge the issue. However, the following day, July 29, 2025, they released a plugin update, version 4.6.1. The changelog for this update included a security update that addressed an issue with donor information visibility. This is exactly the issue that various donors had reported to Pi-hole.
A GitHub user named kxkv filed an issue on July 29, 2025, describing the vulnerability. According to kxkv, this is a massive security and privacy issue. The problem lasted almost an entire week, from July 23 (version 4.6.0) until the fix was released on July 29 (version 4.6.1).
GiveWP posted about this as a privacy incident on August 1, 2025. You can read more about it on their website.
Encrypted Client Hello (ECH) has now been approved by the TLS working group
TLS 1.3 is faster and more secure than earlier versions, and it offers server admins simpler configuration options.
Although TLS 1.3 allows for the encryption of parts of the TLS handshake, important parameters such as the destination server's identity still remain in plaintext.
A new TLS extension called Encrypted Client Hello (ECH) addresses this issue by allowing clients to encrypt their ClientHello messages to the TLS server.
This protects the plaintext Server Name Indication (SNI) extension, which contains the target domain for a TLS connection. This information is undoubtedly the most sensitive that is not encrypted in TLS 1.3.
ECH is supported in TLS 1.3, DTLS 1.3, and newer versions of these protocols.
It is in the process of being published as an RFC. It has already been submitted to the Internet Engineering Steering Group (IESG) for publication.
When properly implemented, ECH can prevent your ISP from seeing the websites you are navigating to. Without ECH, the target domain remains visible in plaintext even with TLS 1.3, as mentioned above.
Until ECH is widely adopted, it also creates a further issue, much like with Tor: if you are the only person in your town using it, you are the odd one out, and your ISP would know who is using ECH. On the client side, most browsers already support it out of the box.
This could be a great addition to TLS 1.3, improving the encryption of traffic and privacy for traffic served over TLS worldwide.
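As an added illustration (not from the bulletin or the ECH draft), the Python script below builds a constructed ClientHello record and parses it the way a passive on-path observer would, showing that without ECH the server_name extension exposes the destination, while with ECH (extension type 0xfe0d) the outer ClientHello carries only a public name. The ECH payload here is a zero-filled placeholder, not real ciphertext, and the host names are made up.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name (RFC 6066)
ECH_EXTENSION_TYPE = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni)

def build_client_hello(sni: str, extra_extensions: bytes = b"") -> bytes:
    """Constructed minimal TLS ClientHello record carrying one server_name extension."""
    sni_list = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni.encode()  # ServerNameList, host_name(0)
    extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list + extra_extensions
    body = (b"\x03\x03" + b"\x00" * 32          # legacy_version TLS 1.2 + 32-byte random (zeroed sample)
            + b"\x00"                           # empty legacy_session_id
            + b"\x00\x02\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                       # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLSPlaintext record header

def observe_client_hello(record: bytes) -> dict:
    """Parse only the plaintext fields an on-path observer (ISP, middlebox) can read."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                    # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]      # cipher_suites
    p += 1 + record[p]                                    # compression_methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    seen = {"sni": None, "ech_present": False}
    while p < end:
        ext_type, ext_len = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type == SNI_EXTENSION_TYPE:
            name_len = struct.unpack("!H", data[3:5])[0]  # skip list length (2) and name_type (1)
            seen["sni"] = data[5:5 + name_len].decode()
        elif ext_type == ECH_EXTENSION_TYPE:
            seen["ech_present"] = True                    # payload is opaque to the observer
    return seen

def compare_views() -> tuple:
    """Observer's view of the same destination without and with ECH."""
    without_ech = observe_client_hello(build_client_hello("mail.private.example"))
    # With ECH the outer SNI holds only the ECH config's public_name (e.g. the CDN front);
    # the real name sits in the encrypted inner ClientHello. Placeholder ciphertext here.
    ech_ext = struct.pack("!HH", ECH_EXTENSION_TYPE, 4) + b"\x00" * 4
    with_ech = observe_client_hello(build_client_hello("public.cdn.example", ech_ext))
    return without_ech, with_ech

if __name__ == "__main__":
    print(compare_views())
```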
Opossum attack (Application Layer Desynchronization using Opportunistic TLS)
The Cryptology ePrint Archive published Paper 2025/1260 on July 11, 2025.
The published paper discusses attacks on TLS targets or applications that support both implicit and opportunistic TLS. The proof of concept for the Opossum Attack has also been published on GitHub.
The paper presents the findings of Robert Merget (Technology Innovation Institute), Nurullah Erinola, Marcel Maehren, Lukas Knittel, Marcus Brinkmann and Jörg Schwenk (all five from Ruhr University Bochum), and Sven Hebrok and Juraj Somorovsky (both from Paderborn University).
This affects all versions of TLS, including TLS 1.3. This is because of a weakness in the way TLS is integrated into popular application layer protocols through implicit and opportunistic TLS. Only one of the peers needs to support opportunistic TLS.
HTTP, FTP, POP3, IMAP, SMTP, LMTP, and NNTP are affected.
According to their findings, support for opportunistic TLS remains widespread among application protocols, with over three million servers supporting both implicit and opportunistic TLS simultaneously.
Well-known vendors such as the Apache Foundation and Cyrus IMAPD have already addressed the issue by disabling STARTTLS by default.
Until a patch is released, the easiest mitigation is to disable opportunistic TLS support and use only implicit TLS.
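As an added check (not from the paper or the bulletin), the Python script below helps verify the mitigation on your own servers: it asks a plaintext service port for its capabilities and reports whether STARTTLS (STLS for POP3, AUTH TLS for FTP) is still advertised. The capability replies embedded at the bottom are constructed samples, and the probe commands assume standard RFC behaviour of the listed protocols.

```python
import re
import socket

# Per plaintext protocol: the command that lists server capabilities and the keyword that
# announces an in-band upgrade to TLS. HTTP (RFC 2817 "Upgrade: TLS") is not covered here.
CAPABILITY_PROBE = {
    "smtp": (b"EHLO probe.invalid\r\n", "STARTTLS"),   # RFC 3207
    "lmtp": (b"LHLO probe.invalid\r\n", "STARTTLS"),
    "imap": (b"a1 CAPABILITY\r\n", "STARTTLS"),        # RFC 2595
    "pop3": (b"CAPA\r\n", "STLS"),                     # RFC 2595
    "nntp": (b"CAPABILITIES\r\n", "STARTTLS"),         # RFC 4642
    "ftp":  (b"FEAT\r\n", "AUTH TLS"),                 # RFC 4217
}

def advertises_opportunistic_tls(protocol: str, response: str) -> bool:
    """True if a plaintext capability response still offers the upgrade-to-TLS command."""
    keyword = CAPABILITY_PROBE[protocol][1]
    # Whole-token match, so "250-STARTTLS" and " AUTH TLS" count but unrelated substrings do not.
    return re.search(rf"\b{re.escape(keyword)}\b", response, re.IGNORECASE) is not None

def probe(host: str, port: int, protocol: str, timeout: float = 5.0) -> bool:
    """Ask one of your own plaintext service ports for its capabilities and report whether
    opportunistic TLS is still offered. Implicit-TLS ports (465, 993, 995, 990) will not
    answer in plaintext, which is the end state the mitigation aims for."""
    cmd = CAPABILITY_PROBE[protocol][0]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.recv(4096)                # discard the greeting banner
        sock.sendall(cmd)
        try:
            reply = sock.recv(8192)
        except socket.timeout:
            reply = b""
    return advertises_opportunistic_tls(protocol, reply.decode("ascii", errors="replace"))

# Constructed capability replies (not real captures): before and after disabling STARTTLS/STLS.
SMTP_BEFORE = "250-mail.example\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SMTP_AFTER = "250-mail.example\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
IMAP_BEFORE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK Completed\r\n"
POP3_AFTER = "+OK Capability list follows\r\nUSER\r\nUIDL\r\n.\r\n"
FTP_BEFORE = "211-Features:\r\n AUTH TLS\r\n PBSZ\r\n PROT\r\n211 End\r\n"

def check_samples() -> dict:
    """Run the classifier over the constructed samples; True means opportunistic TLS is still on."""
    return {
        "smtp_before": advertises_opportunistic_tls("smtp", SMTP_BEFORE),
        "smtp_after": advertises_opportunistic_tls("smtp", SMTP_AFTER),
        "imap_before": advertises_opportunistic_tls("imap", IMAP_BEFORE),
        "pop3_after": advertises_opportunistic_tls("pop3", POP3_AFTER),
        "ftp_before": advertises_opportunistic_tls("ftp", FTP_BEFORE),
    }
```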
An open-source, free, secure and offline authenticator for 2FA by Proton is here!
On July 31, 2025, Proton announced the release of Proton Authenticator. It is completely free and open-source software. It is currently available on iOS, Android, macOS, Windows, and Linux.
Besides the reliability of a software publisher like Proton, the Proton Authenticator has many features that might attract you. Although it is branded "Authenticator," you do not need to use it with a Proton account. It works just like the other free, open, standalone Authenticators you have used on your desktop or smartphone.
Some of the features worth mentioning are listed below:
- Access your 2FA codes on mobile and desktop apps, even when you're offline.
- Sync your 2FA codes to all your devices with end-to-end encryption with your Proton account
- Enable automatic backups for peace of mind, with multiple backup options
- Easily import from other 2FA apps or export to Proton Authenticator.
- Protect your account with biometrics or a PIN code.
- Zero data collection
Given Proton's commitment to protecting your privacy with open-source, verifiable software and end-to-end encryption technology, Proton Authenticator is surely a heavyweight alternative from a reputable publisher.