On Fri, 2024-03-29 at 15:01 -0500, Michael Catanzaro wrote:
On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones
<rjones(a)redhat.com> wrote:
> secalert are already well aware and have approved the update. Kevin
> Fenzi, myself and others were working on it late last night :-(
Sorry, I linked to the wrong article. I meant to link to [1] which says
that "At this time the Fedora Linux 40 builds have not been shown to be
compromised. We believe the malicious code injection did not take
effect in these builds." But this statement contradicts my findings
above, and you just replied "yes" to those, implying that my
understanding is correct. So I guess either this blog post is wrong and
needs to be updated, or you're wrong about me being right. Er, correct?
:)
FWIW, I wrote that text, modified from a slightly different version in
the earlier draft that was briefly published, and based on my best
understanding at the time (which was that *no* build that reached F40
actually had a working version of the exploit).
If Richard says the exploit potentially worked in 5.6.0-2, then F40
potentially *was* vulnerable for some time, because 5.6.0-2 reached
updates-testing. You can use `dnf history info xz` to check if you ever
had the vulnerable version installed. I'll see if we can get the post
tweaked again; it will be hard to word it with the appropriate level of
accuracy and urgency and still be readable, but I'll try...
Oh, and we can't easily fix the URL of the blog post, apparently,
because CMSes suck. It seems we're more less stuck with the "41" in
that.
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw(a)fosstodon.org
https://www.happyassassin.net