On Sun, Mar 31, 2024 at 08:55:37PM +0000, Christopher Klooz wrote:
> The repo files should be the same on Fedora containers, so if the container is F40 and the testing repo is enabled, it might have installed the malicious build.
Right, if it was dnf updated during the time that the bad update was in updates-testing.
Folks should pull the latest and restart.
> Preemptively, I added yesterday to the Fedora Discussion topic that people shall also update their toolbox containers. I am not sure if a container can end up in a condition that is vulnerable (especially since it has no dedicated systemd), but I assume we do not know for sure at this time, and the package was available to toolbox if the testing was enabled on an F40 container (I assume there are already F40 containers available? Didn't verify).
Yeah, best to be safe and pull the latest that doesn't have the affected build and rerun.
Yes, there are f40 containers available.
kevin