coreos-status April 2024

coreos-status@lists.fedoraproject.org

2 participants
2 discussions

Fedora CoreOS rebasing to Fedora Linux 40

by Jonathan Lebon

Fedora Linux 40 was released today[1]. The Fedora CoreOS `testing` stream has been rebased and is currently rolling out. In two weeks, it will be promoted to the `stable` stream. For more information about Fedora 40, see the Fedora Project’s list of official Changes[2] and the Fedora CoreOS analysis of each Change[3]. The following changes require special attention: - Podman v5.0[4]: This release contains breaking changes. See the Podman website[5] and the tracker issue[6] for details. - Assign individual, stable MAC addresses for Wi-Fi connections[7]: If you are using Wi-Fi, then your system's MAC address will likely change after the update. Please test out the `testing` stream and report any issues in our issue tracker[8]. Thank you to everyone helping find issues by running the `next` and `testing` streams! The Fedora CoreOS Team [1]: https://fedoramagazine.org/announcing-fedora-linux-40/ [2]: https://fedoraproject.org/wiki/Releases/40/ChangeSet [3]: https://github.com/coreos/fedora-coreos-tracker/issues/1626 [4]: https://fedoraproject.org/wiki/Changes/Podman5 [5]: https://blog.podman.io/2024/03/podman-5-0-breaking-changes-in-detail/ [6]: https://github.com/coreos/fedora-coreos-tracker/issues/1629 [7]: https://fedoraproject.org/wiki/Changes/StableSSIDMACAddress [8]: https://github.com/coreos/fedora-coreos-tracker

1 week

1
0
0 / 0

CVE-2024-2905: World-readable /etc/shadow & /etc/gshadow on Fedora CoreOS

by Timothée Ravier

Due to a bug in rpm-ostree, the /etc/shadow, /etc/shadow-, /etc/gshadow and /etc/gshadow- files in Fedora CoreOS have the world-readable bit set. == Affected versions == All Fedora CoreOS nodes installed starting from the following versions are impacted: - stable: 38.20230902.3.0 - testing: 38.20230902.2.1 - next: 38.20230902.1.1 This only impacts new installations and not updated systems thus systems installed from versions before those releases are not impacted. This only impacts systems where a password is set (notably for the 'core' and 'root' users). Systems where only SSH keys were used are not impacted by this vulnerability even though it is present on the node. On systems with SELinux enabled and in enforcing mode, access to those files is limited to unconfined (usually interactive) users, unconfined systemd services and privileged containers. Confined daemons, users and containers are not able to access them. == Fix == The following Fedora CoreOS versions fix the issue and include a systemd unit to fix existing systems on update: - stable: 39.20240322.3.1 - testing: 39.20240407.2.0 - next: 40.20240408.1.0 Systems with automatic updates enabled will automatically get the update starting on 2024-04-10 14:00 UTC. To immediately fix existing systems, you can run the following command as root: chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow- As a precaution, we recommend rotating all user credentials stored in those files. == References == GitHub Security Advisory: https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6 Red Hat Security Advisory: https://access.redhat.com/security/cve/CVE-2024-2905 Fedora CoreOS issue: https://github.com/coreos/fedora-coreos-tracker/issues/1705

2 weeks, 6 days

1
0
0 / 0

← Newer
1
Older →

2024

2023

2022

2021

2020

2019

coreos-status April 2024