coreos-status October 2021

coreos-status@lists.fedoraproject.org

2 participants
2 discussions

coreos-installer improper signature verification (CVE-2021-20319)
by Benjamin Gilbert 19 Oct '21

19 Oct '21

Hi all, coreos-installer before 0.10.1 has a flaw allowing bypass of signature verification when decompressing a downloaded OS image. An attacker who can modify the downloaded OS image, by compromising either the hosting site or the HTTP connection, can compromise the installed system. The problem is fixed in coreos-installer 0.10.1, which will be included in this week's Fedora CoreOS releases on all streams. Default Fedora CoreOS installations from ISO or PXE media are *not* affected, as coreos-installer installs from an OS image shipped as part of the install media. These flows are affected: - Installing with `--image-file`, `--image-url`, or `coreos.inst.image_url`. - Installing with default parameters when *not* booted from live ISO or PXE media. - `coreos-installer download --decompress`. For more information, including example output and workarounds for affected versions, see the full advisory [1]. For technical details on the bug and fix, see the coreos-installer PR [2]. If you have any questions or comments, please contact us via the Fedora CoreOS development list [3] or in #fedora-coreos on Libera.Chat. --Benjamin Gilbert [1]: https://github.com/coreos/coreos-installer/security/advisories/GHSA-3r3g-g7… [2]: https://github.com/coreos/coreos-installer/pull/655 [3]: https://lists.fedoraproject.org/archives/list/coreos@lists.fedoraproject.or…

1 0

Fedora CoreOS 64 bit ARM artifacts
by Dusty Mabe 01 Oct '21

01 Oct '21

Hi all, A few weeks ago we started shipping 64 bit ARM (aarch64) artifacts for our Fedora CoreOS streams. The download page [1] has been updated to show the new artifact downloads and you should be able to retrieve aarch64 information from all relevant stream and release metadata. Please report any issues upstream in our issue tracker [2]! The Fedora CoreOS Team [1] https://getfedora.org/en/coreos/download?tab=metal_virtualized&stream=stabl… [2] https://github.com/coreos/fedora-coreos-tracker/issues

1 0

2025

2024

2023

2022

2021

2020

2019

coreos-status October 2021