On Fri, 2024-03-29 at 15:01 -0500, Michael Catanzaro wrote:
On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones rjones@redhat.com wrote:
secalert are already well aware and have approved the update. Kevin Fenzi, myself and others were working on it late last night :-(
Sorry, I linked to the wrong article. I meant to link to [1] which says that "At this time the Fedora Linux 40 builds have not been shown to be compromised. We believe the malicious code injection did not take effect in these builds." But this statement contradicts my findings above, and you just replied "yes" to those, implying that my understanding is correct. So I guess either this blog post is wrong and needs to be updated, or you're wrong about me being right. Er, correct? :)
FWIW, I wrote that text, modified from a slightly different version in the earlier draft that was briefly published, and based on my best understanding at the time (which was that *no* build that reached F40 actually had a working version of the exploit).
If Richard says the exploit potentially worked in 5.6.0-2, then F40 potentially *was* vulnerable for some time, because 5.6.0-2 reached updates-testing. You can use `dnf history info xz` to check if you ever had the vulnerable version installed. I'll see if we can get the post tweaked again; it will be hard to word it with the appropriate level of accuracy and urgency and still be readable, but I'll try...
Oh, and we can't easily fix the URL of the blog post, apparently, because CMSes suck. It seems we're more less stuck with the "41" in that.