On 29/03/2024 22.10, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 08:16:55 PM +00:00:00, Richard W.M. Jones rjones@redhat.com wrote:
>> These are the exact builds which were vulnerable. Note the tags are all empty because Kevin untagged them last night, so you'll probably need to cross-reference these with bodhi updates.
> OK, I am going to ask Product Security to edit their blog post to remove the incorrect information. I will CC you on that request.
> Thanks,
> Michael
Confusion is increasing a little among different channels, and it would be nice if the RH blog post and the Red Hat CVE page were updated, and maybe clarified: according to Adam Williamson, F40 is likely to have installed the packages because testing is enabled by default in pre-release. If I got Rich right, the malicious code is likely to be broken on F40, but F40 users still should update to be sure.
At the moment several "versions" and "assumptions" are arising that try to somehow make sense of the different publications (e.g., header of RH article "F41 and rawhide" -> headline in content "F40 and rawhide"). I don't know how the assumption came up that F40 is only affected if users opted in for testing, but that interpretation already ended up in the Fedora Magazine and in the official LinkedIn post of Fedora (I already asked to correct it).
Creating some clarification and unifying our information provision can help to get rid of the current interpretations between "F40 - just don't care" and "F40 - the end of the world is coming" (sorry for the dramatization ;). I think one or two sentences in the RH blog post + RH CVE page should be fine to clarify, to avoid further confusion and to re-unify knowledge towards the facts. Of course the same goes for the Fedora Magazine article, but that's already underway.