On 29/03/2024 22.10, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 08:16:55 PM +00:00:00, Richard W.M. Jones
> <rjones(a)redhat.com> wrote:
> > These are the exact builds which were vulnerable. Note the tags are
> > all empty because Kevin untagged them last night, so you'll probably
> > need to cross-reference these with bodhi updates.
>
> OK, I am going to ask Product Security to edit their blog post to remove the
> incorrect information. I will CC you on that request.
>
> Thanks,
> Michael

Confusion is increasing a little across the different channels, and it would be nice if
the RH blog post and the Red Hat CVE page were updated, and maybe clarified: according
to Adam Williamson, F40 is likely to have had the packages installed because testing is
enabled by default in pre-release. If I understood Rich correctly, the malicious code is
likely to be broken on F40, but F40 users should still update to be sure.

At the moment several "versions" and "assumptions" are arising that try to somehow make
sense of the different publications (e.g., the header of the RH article says "F41 and
rawhide" while the headline in the content says "F40 and rawhide"). I don't know how the
assumption came up that F40 is only affected if users opted in to testing, but that
interpretation has already ended up in the Fedora Magazine and in the official LinkedIn
post of Fedora (I have already asked for it to be corrected).

Creating some clarification and unifying the information we provide could help to get rid
of the current interpretations, which range from "F40 - just don't care" to "F40 - the end
of the world is coming" (sorry for the dramatization ;). I think one or two sentences in
the RH blog post and the RH CVE page should be enough to clarify this, to avoid further
confusion and to bring everyone's understanding back in line with the facts; of course the
same goes for the Fedora Magazine article, but that is already underway.