On Mon, Apr 1 2024 at 10:25:16 AM -07:00:00, Adam Williamson adamwill@fedoraproject.org wrote:
Oh, ISWYM. Well, I suppose yes, that does happen to be true. We could communicate that if it's done very carefully and made really clear that it's about the *time frame*, nothing to do with the repositories.
It's been brought to my attention that the Fedora Magazine article [1] has been updated yet again, and now it warns that the 5.6.0-3.fc40 build was "tainted." This build is not affected by the backdoor because ifuncs were disabled.
I'm quite frustrated now. The message from Richard and other engineers has been very consistent. The bad builds are 5.6.0-1.fc40 and 5.6.0-2.fc40. We have been saying as much since Friday. Please fix the article once again.
(There is no strong reason to believe 5.6.0 is otherwise worse than 5.4.6, since both versions were released by the same attacker. It doesn't make sense to refer to the -3 build as "tainted.")
Michael
[1] https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/