On 31/03/2024 23.11, Kevin Fenzi wrote:
On Sun, Mar 31, 2024 at 08:55:37PM +0000, Christopher Klooz wrote:
> The repo files should be the same on Fedora containers, so if the container is F40
> and the testing repo is enabled, it might have installed the malicious build.
Right, if it was dnf updated during the time that the bad update was in
updates-testing.
Folks should pull the latest and restart.
> Preemptively, I added yesterday to the Fedora Discussion topic that people shall also
> update their toolbox containers. I am not sure if a container can end up in a condition
> that is vulnerable (especially since it has no dedicated systemd), but I assume we do not
> know for sure at this time, and the package was available to toolbox if the testing was
> enabled on a F40 container (I assume there are already F40 containers available?
> Didn't verify).
Yeah, best to be safe and pull the latest that doesn't have the affected
build and rerun.
Yes, there are f40 containers available.
kevin
Great point. I adjusted the Fedora Discussion topic.