Episode 475 Show Notes
Welcome to mintCast
the Podcast by the Linux Mint Community for All Users of Linux
This is Episode 475!
Recorded on Sunday, December 21, 2025
Taking it easy, I’m Joe; Had it with this machine, I’m Bill; It’s almost Christmas, I’m Charles; my intro has been redacted, I’m Jim; Driven crazy, I’m Dale

— Play Standard Intro —
- First up in the news: Linux Mint 22.3 “Zena” – BETA Release, Mint Monthly News – December, and a variety of other items
- In security and privacy:
- In our Innards section: SyncThing
- And finally, the feedback and a couple of suggestions
- Please remember if you want to follow along with our discussions, the full show notes for this episode are linked in the show’s description at mintcast.org/show-notes

— Play News Transition Bumper —
The News
20 minutes
- Linux Mint 22.3 “Zena” – BETA Release
- From the Mint blog by Clem (via londoner)
- This new version of Linux Mint contains many improvements. For an overview of the new features please visit: “What’s new in Linux Mint 22.3”.
To read the release notes, please visit: “Release Notes for Linux Mint 22.3”
Upgrade instructions will be published after the stable release of Linux Mint 22.3.
It will be possible to upgrade from this BETA to the stable release.
It will also be possible to upgrade from Linux Mint 22.1 and 22.2.
- https://blog.linuxmint.com/?p=4973
— Play Security Transition Bumper —
Security and Privacy
10 minutes
(Charles)
React2Shell Vulnerability Actively Exploited to Deploy Linux Backdoors
Summary:
React2Shell Vulnerability Exploits
The React2Shell vulnerability, tracked as CVE-2025-55182, is being actively exploited by various threat actors, including at least five China-nexus groups. These groups have weaponized the flaw to distribute numerous malware payloads, demonstrating its severe impact on cybersecurity.
Malware Analysis: KSwapDoor and ZnDoor
Two notable malware families associated with the React2Shell vulnerability are KSwapDoor and ZnDoor. KSwapDoor, a sophisticated remote access tool, uses stealth techniques such as military-grade encryption and a sleeper mode, while ZnDoor functions as a remote access trojan to execute commands on compromised systems.
Credential Theft and Large-Scale Attacks
In addition to deploying malware, threat actors are engaging in extensive credential harvesting, targeting cloud service provider endpoints to obtain identity tokens. This operation, codenamed Operation PCPcat, has reportedly compromised over 59,128 servers and highlights the scale and sophistication of current cyberattack strategies.
Mitigation
Update affected packages such as react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
(Charles)
TARmageddon Flaw in Async-Tar Rust Library Could Enable Remote Code Execution
Summary
It was learned that a critical vulnerability known as TARmageddon exists in the async-tar Rust library, which could lead to remote code execution under certain conditions. The flaw, recognized as CVE-2025-62518 with a CVSS score of 8.1, was discovered by Edera and affects several significant projects, including testcontainers and wasmCloud. Users of the abandoned tokio-tar library are urged to migrate to the updated astral-tokio-tar version 0.5.6 to avoid the risk, as earlier versions pose a boundary parsing vulnerability. This vulnerability arises from inconsistent handling of PAX extended headers and ustar headers, allowing attackers to smuggle
Mitigation
- If using astral-tokio-tar: Upgrade to v0.5.6 or later.
- If using uv (Astral’s Python manager): Upgrade to v0.4.26 or later.
- If using krata-tokio-tar: This project is archived; you should migrate to astral-tokio-tar v0.5.6+.
- If using tokio-tar or async-tar: These original libraries are largely unmaintained (“abandonware”). You should switch your dependency to the patched fork: astral-tokio-tar (v0.5.6+).
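To apply the mitigation list above to a Rust project, the following added example (not part of the show notes or of any of the named projects) scans a Cargo.lock for the crates named there. The function names and the sample lockfile are constructed for illustration; the crate names and the 0.5.6 threshold are the ones given above.

```python
import re

# Crate names and fixed version as listed in the mitigation notes above.
UNMAINTAINED = {"tokio-tar", "async-tar", "krata-tokio-tar"}
PATCHED_FORK = "astral-tokio-tar"
PATCHED_MIN = (0, 5, 6, 1)  # 0.5.6 release; trailing 1 sorts releases after pre-releases

FIELD = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')

def lock_packages(lock_text):
    """Yield (name, version) for every [[package]] table in Cargo.lock text."""
    current = None
    for line in lock_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new table starts, so flush the previous one
            if current and "name" in current:
                yield current["name"], current.get("version", "0.0.0")
            current = {} if line == "[[package]]" else None
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1)] = m.group(2)
    if current and "name" in current:
        yield current["name"], current.get("version", "0.0.0")

def sort_key(version):
    """'0.5.6-rc.1+build' -> (0, 5, 6, 0); a plain release ends in 1."""
    core, _, _build = version.partition("+")
    core, dash, _pre = core.partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    nums += [0] * (3 - len(nums))
    return (*nums, 0 if dash else 1)

def audit(lock_text):
    """Return sorted (crate, version, advice) findings for a lockfile."""
    findings = []
    for name, version in lock_packages(lock_text):
        if name in UNMAINTAINED:
            findings.append((name, version, "unmaintained: switch to astral-tokio-tar 0.5.6+"))
        elif name == PATCHED_FORK and sort_key(version) < PATCHED_MIN:
            findings.append((name, version, "upgrade to 0.5.6 or later"))
    return sorted(findings)

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = '''version = 4

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "astral-tokio-tar",
 "tokio-tar",
]

[[package]]
name = "astral-tokio-tar"
version = "0.5.2"

[[package]]
name = "tokio-tar"
version = "0.3.1"
'''

if __name__ == "__main__":
    for crate, version, advice in audit(SAMPLE_LOCK):
        print(f"{crate} {version}: {advice}")
```

Because Cargo.lock records transitive dependencies too, this also catches the affected crates when they are pulled in indirectly.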

— Play Wanderings Transition Bumper —
Bi-Weekly Wanderings
30 minutes (~5-8 mins each)
- Bill
- Joe
- Moss
- Charles
- Jim
- Problem: The ephemeral nature of online content.
Case study: Entire web sites, forums, subreddits, social media sites as well as the individual posts, Tweets and replies that comprise such forums are all subject to deletion individually or en masse.
Solution: Make local copies in near real time of selected content by various methods, especially screencaps.
Method: My near real time method is to make individual screencaps or otherwise save pages for content on an ongoing basis that one wants to archive that may be deleted immediately or sometime later on. This, as opposed to capturing or downloading a whole web site or forum at one moment in time, which requires different tools and would be a whole different topic of discussion.
Project: Make my large collection of saved screencaps text searchable and thereby turn Dead Data into Live Data via OCR.
- Install latest Tesseract-ocr via PPA to extract text from images, and more specifically make a pdf as my preferred format
- Test PNG to PDF conversion in command line following examples online was successful
- Single PNG to PDF: tesseract filename.png filename pdf
- Downloaded ~2800 screencaps from Google Photos
- Batch Process all 2800 PNG to PDF in command line successfully following examples online
- Batch PNG to PDF (from directory): for i in *png; do b=`basename "$i" .png`; tesseract "$i" "$b" pdf; done
- Next problem: How to quickly browse PDFs like a collection of images. No obvious solution. So must find & install a PDF browsing app for Linux Mint on laptop
- mupdf command line app, but PDFs not in order, so not desirable:
- find "/path" -iname '*\.pdf' | xargs -n1 mupdf -r 25
- Impressive command line app, correct order and also needs no path defined. Works nicely.
- impressive -T0 -w *.pdf
- Find/install document search app for Linux Mint that can search text inside the PDF documents, not in the filenames
- grep doesn’t work with PDF, fwiw
- Installed Searchmonkey, which requires no index but it crashes, maybe too many items
- Installed Recoll, but it was over-complicated in my opinion
- Installed DocFetch portable as a binary to /opt folder (simple)
- Installed pdfgrep for command line search. Works nicely in the terminal to search all pdf files in the directory.
- pdfgrep 'pattern' *.pdf
- Find & install PDF browsing app Android unsuccessful so far.
- mupdf doesn’t work in Termux according to reports online
- So I end up simply browsing the PNGs on the phone instead of the PDFs.
- Find & install search app for Android to search text inside the PDFs.
- DocSearch+ Search File Content at the Play store
- Limit of 5 search previews in free tier. Shows all results, but only 5 previews. Can still double click to open all results even with no preview.
- Termux + pdfgrep, Couldn’t figure out how to get that to work.
- Use directories in /opt for Linux binary downloads (java), Windows software for WINE, and Appimages
- Website favicon downloader: https://onlineminitools.com/website-favicon-downloader
- TV Time app for Android to track TV series episodes watched incl. international series (no ads)
- Letterboxd web site on laptop to track movies watched. (Android app has ads.)
- Media I enjoyed in the last month:
- Killers of the Flower Moon non-fiction book NYT Bestseller from 2017 (Martin Scorsese movie)
- Ballerina is the second or third best John Wick movie. Ana de Armas is great as a female assassin. The grenade fight and the flamethrower fight were both novel. The deleted and extended scenes on disc were a nice bonus.
- Bring Her Back, Australian horror movie is a decent watch
- Family Guy holiday special, “Disney’s Hulu’s Family Guy’s Hallmark Channel’s Lifetime’s Familiar Holiday Movie” exclusive was funny. Also the Halloween special. New season premieres on Fox February 15th, 2026.
- “What Would You Do” holiday special on ABC and Hulu with John Quinones was very entertaining. Subscribe to their YouTube for more.
- Tulsa King season 3 on Paramount+ was okay. Robert Patrick (T2 liquid metal terminator) as Sly’s antagonist was great. Backdoor pilot in the season finale for NOLA King with Samuel A. Jackson as an assassin is a possible jump the shark moment.

— Play Innards Transition Bumper —
Linux Innards
30 minutes (~5-8 minutes each)
Syncthing is a decentralized local file synchronization service. It synchronizes in real time between two or more computers using TLS (Transport Layer Security). It is open source, available on GitHub, and licensed under the MPL 2 (Mozilla Public License Version 2.0).
Syncthing is available on Linux, Windows, macOS, FreeBSD, OpenBSD, Illumos, and you can compile from source. It is available in many distros software centers and Docker. Though to get the most current version, you can download it from their website or use their Apt repository for Ubuntu and Debian based distros. For iOS/iPadOS you can use Möbius Sync. It is a 3rd party app. For Android there is Syncthing-Fork which is available in the Google Play or F-Droid. It is also a 3rd party app.
Each device uses a unique ID and is paired using a code string that looks similar to a Windows license key. By default each device accepts or rejects each pairing request manually. There is an auto accept pairing request option. Though, I wouldn’t suggest using that IMO. If your ID were to become publicly known, anyone could pair with your device.
You don’t need to open any ports on your router/firewall. It uses many different connection methods to reach each device. It doesn’t matter if you are using NAT, CGNAT, traditional firewall, etc. It will find a way to connect. If it doesn’t, the documentation has a good troubleshooting guide. There is no need to remember or concern yourself with IP addresses. All of the connection work is done automatically. There are Global Discovery Servers but they are only there to help broker a connection. Since the pairing and connections are handled by TLS, these servers receive no personal information.
It can be used on memory and/or cpu constrained devices. I am using it on my Netgear ReadyNAS which only has 2 GB of memory with an Intel Atom 1.7 GHz cpu from 2013.
The preferred method of configuration is via a web browser GUI. Though there is a command line syntax. It uses port 8384 on local host by default. So it would be 127.0.0.1:8384, if you were to access it from your device.
There are two methods for headless server access. One is via SSH port forwarding and the other is to edit the config file to allow a remote connection. The SSH option is beyond the scope of this discussion. To edit the config, you change the GUI Listen Address from 127.0.0.1:8384 to 0.0.0.0:8384. You can also change the port number.
It is strongly advised to create a username and password if you have enabled remote access. I personally would only allow this on a local network or VPN.
The typical use is to run it as a service on your computer. Their documentation has instructions for the most common init services. Be aware that Syncthing will run as the user defined in the init service. For example, Systemd can run as root or an unprivileged user. Keep this in mind in regards to file permissions.
On my Netgear ReadyNAS, I have Syncthing running as a Systemd user service as dale using the linger option. The linger option allows the service to run even if dale is not logged in. Otherwise, Systemd would wait until dale logs in to start the service. I would only use the linger option for headless operation. For regular desktop use, I would let Systemd start Syncthing when you login.
For your first pairing you would first need to create some folder pairs on the first device. You would select a folder like your Documents folder in your Home folder. Syncthing will scan through the files. Next you would take note of the ID this device is using. On your next device, you will select Add Remote Device. It will prompt you for the device ID. You type or paste that in. Now back on your initial device. Here you need to accept the device connection request. After it has paired with the new device, you return to the new device. Now you select which folders you want to sync from the remote device. Then select where on the local file system you want these files to be stored. After that is completed, you will see the sync process begin with a percentage of completion.
If you are syncing a lot of files and/or large files, you can pre-seed the sync by having identical copies on each device. Syncthing will initiate a scan on each side. Once it has compared its hashes, it will report “Up to Date” in the sync status.
I will use my configuration as an example. I have two desktops, laptop, phone, storage server, and my nas.
My two desktops and laptop are paired with my nas. They include the following folders. Documents, Pictures, Music, and videos.
My nas is paired with my storage server with the same folders.
When I create/delete/modify a file on my laptop, that file is synced with the nas. My two desktops are automatically synced from the nas. At the same time, my nas is syncing the changes to the storage server.
My phone shares one folder with my computers, which is my music folder. So any changes to the music folder are replicated between the phone, the two desktops, the laptop, storage server, and nas. I also have a documents folder and a few pictures folders on my phone that are only synced to my nas. The nas then syncs those to my storage server.
You could have each device pair with each device. I’m just used to a hub and spoke configuration. It makes sense to me because the nas is always on.
Here is a caveat. Do not nest sync folders. There is a way to do it, but I didn’t try it. An example would be syncing the Documents folder and then syncing a folder inside the Documents folder that goes to a different device. I created quite a messy sync loop that took quite a bit to clean up.
This just touches the tip of what Syncthing is capable of doing. There are options for file and folder exclusions, one way sync, file versioning, and so much more.
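For the remote GUI access setting described above (changing the GUI Listen Address from 127.0.0.1:8384 to 0.0.0.0:8384, with a username and password strongly advised), here is an added example that is not part of the show notes or of Syncthing itself. It classifies the `<gui>` block of a Syncthing config.xml, assuming that block holds `address`, `user` and `password` child elements; the function names and sample configs are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

def gui_host(address):
    """Host part of a listen address such as 0.0.0.0:8384, [::1]:8384 or :8384."""
    host = address.rsplit(":", 1)[0] if ":" in address else address
    return host.strip("[]")

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Empty host (":8384") binds every interface; other names are treated as remote.
        return False

def gui_exposure(config_xml):
    """Classify the GUI listener: disabled, local, remote+auth or remote-no-auth."""
    gui = ET.fromstring(config_xml).find("gui")
    if gui is None:
        return "local"  # no <gui> block: the default is 127.0.0.1:8384
    if gui.get("enabled", "true") != "true":
        return "disabled"
    address = (gui.findtext("address") or "127.0.0.1:8384").strip()
    if address.startswith("/") or is_loopback(gui_host(address)):
        return "local"  # UNIX socket path or loopback listener
    user = (gui.findtext("user") or "").strip()
    password = (gui.findtext("password") or "").strip()
    return "remote+auth" if user and password else "remote-no-auth"

# Constructed sample configs (not taken from a real installation).
TEMPLATE = """<configuration version="37">
  <gui enabled="true" tls="false">
    <address>{address}</address>{creds}
    <apikey>CONSTRUCTED-PLACEHOLDER</apikey>
  </gui>
</configuration>"""
CREDS = "\n    <user>dale</user>\n    <password>$2a$10$constructedhashplaceholder</password>"

SAMPLES = {
    "default": TEMPLATE.format(address="127.0.0.1:8384", creds=""),
    "headless, no login": TEMPLATE.format(address="0.0.0.0:8384", creds=""),
    "headless, login set": TEMPLATE.format(address="0.0.0.0:8384", creds=CREDS),
}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(f"{label:20} -> {gui_exposure(xml_text)}")
```

A result of `remote-no-auth` is the case the notes warn about: the GUI is reachable from other machines and no login has been set.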

— Play Bodhi Corner Transition Bumper —
Bodhi Corner
3-5 minutes
— Play Vibrations Transition Bumper —
Vibrations from the Ether
20 minutes (~5 minutes each)

— Play Check This Transition Bumper —
Check This Out
10 minutes
- (Charles) AI headphones automatically learn who you’re talking to and let you hear them better (AI Headphones - Univ Of Wash)
Summary
Holding a conversation in crowded places is challenging due to the cocktail party problem, which can be even more frustrating for those with hearing impairments. Researchers at the University of Washington have created smart headphones that automatically isolate conversation partners by using AI to track speech patterns, allowing for clearer audio amidst background noise. The headphones activate when the wearer speaks and utilize two AI models to analyze and filter out unwanted sounds, resulting in significantly improved audio quality according to user tests. This proactive technology is designed to enhance the listening experience without requiring users to manually adjust settings, making it a significant advancement over previous methods. Future developments aim to miniaturize the technology for use in more compact devices like earbuds and hearing aids, while further refinements are needed to handle dynamic conversations and diverse languages.
HPR New Years show
on mumble at lugmcast.minnix.dev
https://hackerpublicradio.org/new_year.html

Housekeeping & Announcements
- Thank you for listening to this episode of mintCast!
- If you see something that you think we should be talking about, tell us!
Send us email at [email protected]
Join us live on Youtube
Post at the mintCast subreddit
Chat with us on Discord and Telegram
Or post directly at https://mintcast.org
- Next Episode – 2 pm US Central time on Sunday, January 4, 2026.
- Get mintCast converted to your time zone
- Next Saturday we will host a Roundtable Live Stream. Please come and join us using the Discord voice channel at 2 pm US Central time on Saturday, December 27, 2025.
- Get mintCast converted to your time zone
- Livestream information is at mintcast.org/livestream

Wrap-up
- Joe – Tllts.org, linuxlugcast.com, [email protected], Buy Joe a coffee
- Moss – Full Circle Weekly News, [email protected], Mastodon @[email protected], occasionally on HPR
- Bill – [email protected], Bill_H on Discord, @[email protected] on Mastodon, also checkout the other podcast I am on, Linux OTC (with Eric & Majid).
- Majid – [email protected] @[email protected], Atypical.doctor on Instagram and Threads and The Atypical Doctor Podcast and also Linux OTC.
- Eric – I can be reached by email at [email protected].
- Charles – [email protected], Mr PDX on Discord
- Jim– [email protected], GNU2Linux on Discord, The Linux Shortcut on YouTube
- Dale – Dale_CDL on Telegram and Discord. My email is [email protected] distrohoppersdigest.org
Before we leave, we want to make sure to acknowledge some of the people who make mintCast possible:
- Bill for our audio editing and for hosting the server which runs our website, website maintenance, and the NextCloud server on which we host our show notes and raw audio
- Archive.org for hosting our audio files
- Hobstar for our logo, initrd for the animated Discord logo
- Londoner for our time syncs and various other contributions
- The Linux Mint development team for the fine distro we love to talk about <Thanks, Clem … and co!>
— Play Closing Music and Standard Outro —



