On 30-03-2024 13:26, Christopher Klooz wrote:
> I don't know how the assumption came up that F40 is only affected if users opted in for testing, but that interpretation already ended up in the Fedora Magazine and in the official LinkedIn post of Fedora (I already asked to correct it).
I believe that statement is correct, since none of the xz-5.6.x packages ever made it to F40 stable. The furthest they got was updates-testing, which is not enabled in the official Beta releases. However, if you installed F40 before Beta was released, then updates-testing is enabled and users may have installed the vulnerable package with a simple `sudo dnf upgrade`.
I admit the wording could be clearer in that opting in to updates-testing might have been done on your behalf simply by installing F40 sometime between branching and the Beta release. Some users might not be aware of that.
It may also help to provide some simple instructions in the article itself on how users can check whether they have any of the vulnerable versions installed. I see a comment to that extent.
So, the situation around F40 is somewhat murky since a lot of factors come into play, but the statement that 5.6.x never made it to F40 stable is correct[1] and therefore users not having updates-testing enabled could not have installed 5.6.x without expressly enabling it.
[1] https://bodhi.fedoraproject.org/updates/?search=xz-5.6
-- Sandro
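As an added illustration of the "simple instructions" idea raised above (this is example code written for this edited copy, not something Sandro or the Fedora Magazine article provided), the following POSIX shell snippet queries rpm for the installed xz packages and flags any 5.6.x build. The thread only says "5.6.x"; the two 5.6.x releases that were actually published and pulled were 5.6.0 and 5.6.1, so the check matches exactly those. The package names queried (xz, xz-libs, xz-devel) and the sample rpm output are assumptions made for the example, and the sample lines are constructed so the parser can be exercised on a machine without rpm.

```shell
#!/bin/sh
# Added example: detect installed xz packages from the affected 5.6.x series.
# Not part of the original mailing-list post.

# True (exit 0) when a "version-release" string starts with 5.6.0 or 5.6.1,
# the two 5.6.x releases that were published before the packages were pulled.
is_affected_xz_version() {
  case "$1" in
    5.6.0|5.6.1|5.6.0-*|5.6.1-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads "NAME VERSION-RELEASE" lines on stdin (the format produced by the
# rpm query below), prints every affected package, and returns 0 if at
# least one affected package was seen, 1 otherwise.
scan_rpm_lines() {
  found=1
  while read -r name ver; do
    [ -n "$name" ] || continue
    if is_affected_xz_version "$ver"; then
      echo "AFFECTED: $name $ver"
      found=0
    fi
  done
  return $found
}

# Live check against the local rpm database. Package names are an
# assumption for this example; adjust them for other distributions.
# Returns 2 when rpm is not available so the caller can tell "not checked"
# from "checked and clean".
check_live() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not found; skipping live check"
    return 2
  fi
  rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' xz xz-libs xz-devel 2>/dev/null \
    | grep -v 'is not installed' \
    | scan_rpm_lines
}

# Constructed sample output (not captured from a real system) so the parser
# can be exercised offline; the second line is deliberately an affected build.
SAMPLE='xz 5.4.6-1.fc40
xz-libs 5.6.1-2.fc40'

printf '%s\n' "$SAMPLE" | scan_rpm_lines || echo "no affected xz packages in sample"

# Then check the machine the script is actually running on.
check_live || true
```

Running the script prints `AFFECTED: xz-libs 5.6.1-2.fc40` for the constructed sample and then reports on the local system; a clean Fedora install prints nothing for the live check. The version match is deliberately an exact prefix match on the rpm version field rather than a `5.6*` glob, so a later fixed 5.6.x build would not be flagged by mistake.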