On Sun, Mar 31, 2024 at 08:55:37PM +0000, Christopher Klooz wrote:
> The repo files should be the same on Fedora containers, so if the
> container is F40 and the testing repo is enabled, it might have installed the malicious
> build.

Right, if it was dnf updated during the time that the bad update was in
updates-testing.
Folks should pull the latest and restart.

> Preemptively, I added yesterday to the Fedora Discussion topic that
> people shall also update their toolbox containers. I am not sure if a container can end up
> in a condition that is vulnerable (especially since it has no dedicated systemd), but I
> assume we do not know for sure at this time, and the package was available to toolbox if
> the testing was enabled on an F40 container (I assume there are already F40 containers
> available? Didn't verify).

Yeah, best to be safe and pull the latest that doesn't have the affected
build and rerun.
Yes, there are f40 containers available.
kevin