Our weekly status meeting seems to conflict for many of our participants;
let's try to work out a better time for all.
If you would like to attend, please add your preference to -
https://whenisgood.net/y9585xf
Thanks,
Paul
---------- Forwarded message ---------
From: Timothée Ravier <siosm(a)fedoraproject.org>
Date: Wed, 10 Apr 2024 at 14:52
Subject: CVE-2024-2905: World-readable /etc/shadow & /etc/gshadow on Fedora CoreOS, IoT, Atomic Desktops
To: <devel(a)lists.fedoraproject.org>
Due to a bug in rpm-ostree, the /etc/shadow, /etc/shadow-,
/etc/gshadow and /etc/gshadow- files in Fedora CoreOS, IoT, Atomic
Desktops have the world-readable bit set.
== Affected versions ==
All Fedora CoreOS nodes installed starting from the following versions
are impacted:
- stable: 38.20230902.3.0
- testing: 38.20230902.2.1
- next: 38.20230902.1.1
Fedora IoT and Fedora Atomic Desktops (Silverblue, Kinoite, Sway
Atomic, Budgie Atomic) systems that were installed from Fedora 39 and
later release media and ISOs are affected.
This only impacts new installations and not updated systems; thus,
systems installed from artifacts before those releases are not
impacted (Fedora 38 or earlier).
This only impacts systems where a password is set. Systems where only
SSH keys were used are not impacted by this vulnerability even though
it is present on the node.
On systems with SELinux enabled and in enforcing mode, access to those
files is limited to unconfined (usually interactive) users, unconfined
systemd services and privileged containers. Confined daemons, users
and containers are not able to access them.
== Fixed versions ==
The following Fedora CoreOS versions fix the issue and include a
systemd unit to fix existing systems on update:
- stable: 39.20240322.3.1
- testing: 39.20240407.2.0
- next: 40.20240408.1.0
Fedora CoreOS systems with automatic updates enabled will
automatically get the update starting on 2024-04-10 14:00 UTC.
Fedora Atomic Desktops version 39.20240410.1 includes the fix. The fix
is still pending for Fedora Atomic Desktops 40 (not officially
released yet).
An update with the fix for Fedora IoT is still pending.
== Workaround / immediate fix ==
To immediately fix existing systems, you can run the following command as root:
chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
As a precaution, we recommend rotating all user credentials stored in
those files.
== References ==
GitHub Security Advisory:
https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Red Hat Security Advisory: https://access.redhat.com/security/cve/CVE-2024-2905
Fedora CoreOS issue: https://github.com/coreos/fedora-coreos-tracker/issues/1705
--
_______________________________________________
devel mailing list -- devel(a)lists.fedoraproject.org
To unsubscribe send an email to devel-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
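The advisory's check and workaround, as an added example that is not part of the forwarded message or of rpm-ostree: an audit function that reports any of the four files whose mode grants "other" any access (the exact condition CVE-2024-2905 describes), and a fix function that applies the advisory's chmod 0000. It assumes GNU coreutils stat (as shipped on Fedora); the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the advisory. Audit the shadow/gshadow files for
# world-accessible permission bits and optionally apply the advisory's fix.

# Default set of files named in CVE-2024-2905.
SHADOW_FILES="/etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-"

# Print every given file whose "other" permission digit is non-zero.
# Returns 1 if at least one such file was found, 0 otherwise.
# Missing files (e.g. no /etc/shadow- backup yet) are skipped.
audit_shadow_perms() {
    rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")        # octal mode without leading zero, e.g. 644 (GNU stat)
        other=${mode#"${mode%?}"}         # last octal digit = permissions for "other"
        if [ "$other" != "0" ]; then
            echo "WORLD-ACCESSIBLE: $f (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Apply the advisory's workaround: strip all permission bits. Run as root.
fix_shadow_perms() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        chmod --verbose 0000 "$f"
    done
}

# Usage: sh audit_shadow.sh            -> audit the default four files
#        sh audit_shadow.sh --fix      -> audit, then chmod 0000 any offender
if [ "$#" -gt 0 ]; then
    case "$1" in
        --fix)
            # shellcheck disable=SC2086
            audit_shadow_perms $SHADOW_FILES || fix_shadow_perms $SHADOW_FILES ;;
        *)
            audit_shadow_perms "$@" ;;
    esac
fi
```

A non-zero exit from the audit is what a configuration-compliance check or a fleet-wide SSH loop should key on; the fix leaves the files unreadable to everyone, which is safe because the setuid tools that need them run as root.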