On 31/03/2024 22.30, Leon Fauster via devel wrote:
On 31.03.24 at 21:33, Sandro wrote:
> On 31-03-2024 20:54, Christopher Klooz wrote:
>> On 31/03/2024 20.52, Christopher Klooz wrote:
>>>
>>> On 31/03/2024 20.21, Michael Catanzaro wrote:
>>>> On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro <mcatanzaro(a)redhat.com> wrote:
>>>>> I'm really frustrated with our communication regarding this issue. Does anybody know who can fix this?
>>>>
>>>> The Fedora Magazine article has been fixed (thanks!).
>>>>
>>> "*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially vulnerable /5.6.0-2.fc40/ build <https://bodhi.fedoraproject.org/updates/FEDORA-2024-4417db3376> if the system updated between March 2nd and March 6th*. Fedora Linux 40 Beta users only using stable repositories are NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."
>>>
>>> -> only pre-beta, not beta, affected
>>> -> F40 beta using stable NOT impacted (without challenging the previously distributed assumption that testing is disabled by default)
>>>
>>> That's still the same false information, isn't it?
>> Justin has just shown up in Discourse. I suggested getting in touch with you, Adam or Kevin, since he seemed to be convinced the article is fine as it is. When I refresh the article, it still seems to be unchanged. Is the update you mean already online, Michael?
>
> I clarified what's wrong with Justin in a DM on Matrix. He was on the same garden path as I was regarding "Beta release" vs. "Final release".
>
> There will be another update to the article.
>
Not sure if it was already mentioned -> containers. I had here a toolbox environment with F40. That I had not in my first actions on the screen. The last state had 5.6.0-3 installed but not sure if the previous release was also installed ...
The repo files should be the same on Fedora containers, so if the container is F40 and the testing repo is enabled, it might have installed the malicious build.
Preemptively, I added yesterday to the Fedora Discussion topic that people shall also update their toolbox containers. I am not sure if a container can end up in a condition that is vulnerable (especially since it has no dedicated systemd), but I assume we do not know for sure at this time, and the package was available to toolbox if testing was enabled on an F40 container (I assume there are already F40 containers available? Didn't verify).
So I suggest acting preemptively with F40 toolboxes in the same way as with F40 if testing was enabled. -> https://discussion.fedoraproject.org/t/attention-malicious-code-in-curren...
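
Added example, not part of the original message: for the open question above of whether an F40 system or toolbox that now shows 5.6.0-3 ever had the earlier build, this Python code scans dnf transaction log text for the 5.6.0-2.fc40 build and the March 2nd to 6th window quoted from the article. The `dnf.rpm.log` line shape, the function names and both sample logs are assumptions constructed for illustration.

```python
import re
from datetime import date, datetime

# From the quoted Fedora Magazine text: the flagged build and its update window.
FLAGGED = "5.6.0-2.fc40"
WINDOW = (date(2024, 3, 2), date(2024, 3, 6))

# Assumed dnf.rpm.log line shape: "<timestamp> SUBDEBUG <Action>: <name-ver-rel.arch>"
LINE = re.compile(r"^(?P<ts>\S+) SUBDEBUG (?P<action>\w+): (?P<pkg>\S+)$")
# The package name may contain hyphens; version and release may not.
NEVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)\.(?P<arch>[^.]+)$")

# Constructed sample logs (not from the thread); both end on 5.6.0-3.
LOG_WITH_HISTORY = """\
2024-03-04T10:12:44+0100 SUBDEBUG Upgrade: xz-libs-5.6.0-2.fc40.x86_64
2024-03-04T10:12:44+0100 SUBDEBUG Upgrade: xz-5.6.0-2.fc40.x86_64
2024-03-30T08:01:09+0100 SUBDEBUG Upgrade: xz-libs-5.6.0-3.fc40.x86_64
2024-03-30T08:01:10+0100 SUBDEBUG Upgraded: xz-libs-5.6.0-2.fc40.x86_64
"""
LOG_CLEAN = """\
2024-03-30T08:01:09+0100 SUBDEBUG Installed: xz-libs-5.6.0-3.fc40.x86_64
2024-03-30T08:01:09+0100 SUBDEBUG Installed: example-pkg-1.0-1.fc40.x86_64
"""


def xz_events(log_text):
    """Return (when, action, name, 'version-release') for every xz* package line."""
    events = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        pkg = NEVRA.match(line["pkg"]) if line else None
        if not pkg or not (pkg["name"] == "xz" or pkg["name"].startswith("xz-")):
            continue
        when = datetime.strptime(line["ts"], "%Y-%m-%dT%H:%M:%S%z")
        events.append((when, line["action"], pkg["name"], f"{pkg['ver']}-{pkg['rel']}"))
    return events


def assess(log_text):
    """A line naming the flagged build, installed or replaced, shows it was present."""
    hits = [e for e in xz_events(log_text) if e[3] == FLAGGED]
    first = min((e[0] for e in hits), default=None)
    return {
        "flagged_build_seen": bool(hits),
        "first_seen": first.date().isoformat() if first else None,
        "first_seen_in_window": bool(first) and WINDOW[0] <= first.date() <= WINDOW[1],
        "packages": sorted({e[2] for e in hits}),
    }
```

A package that arrived with the container image rather than through a later dnf transaction may not appear in this log, so a clean result here does not replace updating the container.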