Manjaro Linux 17.0.2 is released, and it's time to update your passwords
A new release of Manjaro Linux (17.0.2) has been announced. Of course, because Manjaro is a "rolling release" distribution model, this is actually just a roll-up of the updates since the last Manjaro release.
So if you are already running Manjaro you don't need to reinstall, you just have to make sure that you have all the latest updates installed.
There is an important difference this time, though. A weakness has been discovered in the way passwords were set during the installation of Manjaro Linux, for all releases prior to this one.
The details are explained in this Manjaro Forum post, but in a nutshell what happened was that passwords set during system installation, both for the user account and for root, were done in a way that could make them easier for an attacker to break. The solution for this problem is simply to set a new password, using the CLI passwd command. Don't forget to do both root and whatever ordinary user account(s) were created during installation. Any accounts that you may have created after installation, using ordinary Linux GUI or CLI tools, are not subject to this weakness, and do not need to be changed (but changing your password occasionally really is a good idea anyway...).
Now, back to this new release. In addition to the usual KDE and Xfce desktops, Manjaro added an official Gnome 3 version starting with their 17.0 release - thus the (G, K, X) notation in the release announcement. As I am partial to KDE and Xfce, and don't really care much for Gnome any more, I had not tried it before this release. But I have now installed it (on my Acer Aspire V), and I didn't have any problems.
As with the other Manjaro distributions, the Gnome 3 version is not just a "plain vanilla" Gnome version, it includes various additional packages, customization and configuration which make it easier to use.
Manjaro 17.0.2 Gnome 3
It also includes a Tweak Tool, so you can adjust the desktop to suit your needs and preferences, and the Manjaro Settings Manager so you can select the kernel and other parts of the installation.
The fact that the password-setting weakness is actually in the installers that the Manjaro distribution uses (Thus and Calamares) means that the Community Editions will almost certainly be making new releases quite soon as well. In fact, when I went to check on this I was pleased to see that the first of those to make a release was the i3 edition, which is my personal favorite. That new release went up less than 30 minutes ago as I write this!
So, a quick overview of what is included in this new release (or the latest update):
- Linux kernel 4.9.34 LTS (recommended and installed by default)
- Latest point releases of Linux kernels 3.10.106, 3.12.74, 3.16.44, 3.18.57, 4.1.41, 4.4.73, 4.8.17, 4.10.17 and 4.11.7.
- X.org 1.19
- KDE Plasma 5.10.2 and Framework 5.35.0
- Xfce 4.12
- Gnome 3.24.2
- Updated and Improved Manjaro Tools and Installers
By the way, just in case this affects anyone other than me... on the ASUS X540S, Linux kernel 4.9.34 still does not recognize the ASUS touchpad properly, so I still have to run 4.10.x (currently 4.10.17) to get that to work properly. I find this to be particularly strange considering that on the ASUS R414S what appears to be a very similar touchpad is recognized by the 4.9.x kernel and works just fine.
The bottom line here is, if you are already running Manjaro, please install the latest updates and reset the password on the root and original user accounts; if you keep a copy of the Manjaro installation medium, either DVD or USB stick, be sure to update it with the latest 17.0.2 images, so that you don't continue to stumble over this password weakness.