On 31/03/2024 22.30, Leon Fauster via devel wrote:
On 31.03.24 at 21:33, Sandro wrote:
On 31-03-2024 20:54, Christopher Klooz wrote:
On 31/03/2024 20.52, Christopher Klooz wrote:
On 31/03/2024 20.21, Michael Catanzaro wrote:
On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro <mcatanzaro@redhat.com> wrote:
I'm really frustrated with our communication regarding this issue. Does anybody know who can fix this?
The Fedora Magazine article has been fixed (thanks!).
"*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially vulnerable /5.6.0-2.fc40/ build https://bodhi.fedoraproject.org/updates/FEDORA-2024-4417db3376 if the system updated between March 2nd and March 6th*. Fedora Linux 40 Beta users only using stable repositories are NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."
-> only pre-beta, not beta, affected -> F40 beta using stable NOT impacted (without challenging the previously distributed assumption that testing is disabled by default)
That's still the same false information, isn't it?
Justin has just shown up in Discourse. I suggested that he get in touch with you, Adam or Kevin, since he seemed to be convinced the article is fine as it is. When I refresh the article, it still seems to be unchanged. Is the update you mean already online, Michael?
I clarified what's wrong with Justin in a DM on Matrix. He was on the same garden path as I was regarding "Beta release" vs. "Final release".
There will be another update to the article.
Not sure if it was already mentioned -> containers. I had a toolbox environment with F40 here. I did not have that on the screen in my first actions. The last state had 5.6.0-3 installed, but I am not sure if the previous release was also installed ...
The repo files should be the same on Fedora containers, so if the container is F40 and the testing repo is enabled, it might have installed the malicious build.
Preemptively, I added yesterday to the Fedora Discussion topic that people shall also update their toolbox containers. I am not sure if a container can end up in a condition that is vulnerable (especially since it has no dedicated systemd), but I assume we do not know for sure at this time, and the package was available to toolbox if testing was enabled on an F40 container (I assume there are already F40 containers available? Didn't verify).
So I suggest preemptively acting with F40 toolboxes in the same way as with F40 if testing was enabled. -> https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-b...