On Fri, Mar 29, 2024 at 03:01:34PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones rjones@redhat.com wrote:
> > secalert are already well aware and have approved the update. Kevin Fenzi, myself and others were working on it late last night :-(
> Sorry, I linked to the wrong article. I meant to link to [1] which says that "At this time the Fedora Linux 40 builds have not been shown to be compromised. We believe the malicious code injection did not take effect in these builds." But this statement contradicts my findings above, and you just replied "yes" to those, implying that my understanding is correct. So I guess either this blog post is wrong and needs to be updated, or you're wrong about me being right. Er, correct? :)
> [1] https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-u...
These are the exact builds which were vulnerable. Note the tags are all empty because Kevin untagged them last night, so you'll probably need to cross-reference these with bodhi updates.
xz-5.6.0-1.fc41 https://koji.fedoraproject.org/koji/buildinfo?buildID=2411083
xz-5.6.0-1.fc40 https://koji.fedoraproject.org/koji/buildinfo?buildID=2411092
xz-5.6.0-2.fc41 https://koji.fedoraproject.org/koji/buildinfo?buildID=2412686
xz-5.6.0-2.fc40 https://koji.fedoraproject.org/koji/buildinfo?buildID=2412698
xz-5.6.0-2.eln136 https://koji.fedoraproject.org/koji/buildinfo?buildID=2412908
xz-5.6.1-1.fc41 https://koji.fedoraproject.org/koji/buildinfo?buildID=2417414
xz-5.6.1-1.eln136 https://koji.fedoraproject.org/koji/buildinfo?buildID=2417425
NOT known to be vulnerable:
* xz-5.6.0-3.fc41 (because --disable-ifunc)
* xz-5.6.0-3.fc40 (because --disable-ifunc)
* anything < 5.6.0
You can also use the detection script "detect.sh" written by Vegard Nossum (https://www.openwall.com/lists/oss-security/2024/03/29/4)
Rich.
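As an added example (not code from this thread, from Fedora, or from Vegard Nossum), here is a small POSIX shell classifier that takes an installed package NVR, as printed by rpm -q, and matches it against the build list Rich posted above. The vulnerable NVRs and the two --disable-ifunc rebuilds are copied from the message; the subpackage-name stripping, the arch list, the output tokens and the "< 5.6.0" comparison are my assumptions. It checks the package label only; to inspect the installed liblzma binary itself, use detect.sh linked above.

```shell
#!/bin/sh
# Added example, not part of the original thread: classify Fedora xz package
# NVRs against the koji build list posted in the message above.
# Usage: sh xz-nvr-check.sh $(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' xz xz-libs)

# Builds listed in the message as vulnerable (copied verbatim).
VULN_NVRS="xz-5.6.0-1.fc41 xz-5.6.0-1.fc40 xz-5.6.0-2.fc41 xz-5.6.0-2.fc40
xz-5.6.0-2.eln136 xz-5.6.1-1.fc41 xz-5.6.1-1.eln136"

# Rebuilds listed as NOT known to be vulnerable because of --disable-ifunc.
IFUNC_DISABLED_NVRS="xz-5.6.0-3.fc41 xz-5.6.0-3.fc40"

# Normalise "xz-libs-5.6.0-1.fc40.x86_64" (rpm -q output) to the source NVR
# "xz-5.6.0-1.fc40". The arch list and subpackage handling are assumptions.
to_source_nvr() {
    printf '%s\n' "$1" | sed -E \
        -e 's/\.(x86_64|aarch64|i686|ppc64le|s390x|noarch|src)$//' \
        -e 's/^xz(-[a-z]+)+-/xz-/'
}

# Return 0 when dotted version $1 sorts before 5.6.0 (only major.minor matter).
version_lt_560() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    major=${1:-0}
    minor=${2:-0}
    if [ "$major" -lt 5 ]; then
        return 0
    elif [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; then
        return 0
    fi
    return 1
}

# Print one of: vulnerable, not-known-vulnerable:disable-ifunc,
# not-known-vulnerable:pre-5.6.0, unknown (the token names are my own).
xz_build_status() {
    nvr=$(to_source_nvr "$1")
    for v in $VULN_NVRS; do
        if [ "$nvr" = "$v" ]; then
            echo vulnerable
            return 0
        fi
    done
    for v in $IFUNC_DISABLED_NVRS; do
        if [ "$nvr" = "$v" ]; then
            echo not-known-vulnerable:disable-ifunc
            return 0
        fi
    done
    ver=${nvr#xz-}        # 5.6.0-1.fc40
    ver=${ver%%-*}        # 5.6.0
    if version_lt_560 "$ver"; then
        echo not-known-vulnerable:pre-5.6.0
    else
        # A 5.6.x build the message does not list: cross-reference koji/bodhi.
        echo unknown
    fi
}

# Classify every NVR given on the command line (nothing runs with no arguments).
for arg in "$@"; do
    printf '%s: %s\n' "$arg" "$(xz_build_status "$arg")"
done
```

Because the affected builds were untagged in koji, the NVR string on the installed system (or in a bodhi update) is the practical thing to compare; a 5.6.x NVR that is in neither list comes back as "unknown" rather than being guessed either way.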