On Wed, May 03, 2023 at 02:48:05PM -0500, Carl George wrote:
> On Thu, Apr 27, 2023 at 9:42 AM Dave Dykstra via epel-devel
> <epel-devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > We believe that it is important to apply this change to all EPEL releases,
> > for these reasons:
> > 1. The general vulnerability described in this CVE applies equally to all
> >    currently supported Linux distributions.  The Singularity/Apptainer
>
> CVE-2023-30549 only applies to apptainer on RHEL 7 because the
> underlying vulnerability (CVE-2022-1184) has been fixed on RHEL 8 and
> 9.

CVE-2023-30549 most urgently applies to RHEL 7 because of the example of
CVE-2022-1184, but as I explain in the rest of the point, it also applies
in general to any similar moderate or low severity memory-corruption ext4
vulnerability that will come in the future on RHEL 8 & RHEL 9 because Red
Hat has no motivation to fix them urgently.

> >    community has long been aware that making setuid-root kernel
> >    filesystem mounts available to all users has been a risk, because
> >    https://lwn.net/Articles/652468/ briefly explained that kernel
> >    developers considered that to be a great risk.  System admins have
> >    been willing to live with the risk because (a) nobody had identified
> >    an attack, (b) the functionality was so useful, especially the
> >    squashfs mounts, and (c) there wasn't an alternative.  With the new
> >    information from the ext4 kernel filesystem owner, we now have more
> >    specifics on how the attack can be done including an example
> >    vulnerability, the ext3 mounts aren't as widely used as squashfs,
> >    and Apptainer has an alternative using unprivileged user namespaces.
> > 2. RHEL8 & RHEL9 have unprivileged user namespaces enabled by default,
> >    so the functionality will still be available to most of the users.
> >    It does not automatically switch to the alternative, but there's a
> >    clear error message saying that it is disabled by configuration and
> >    suggesting that users add the --userns option (and of course if
> >    apptainer-suid is not installed it uses the user namespace mode
> >    automatically).
> > 3. It is important to have consistency across platforms, since users and
> >    administrators often use more than one and it would be confusing to
> >    have different behavior on different platforms.  Admins can also
>
> If consistency across platforms is important, then it seems prudent to
> avoid this incompatible update across all three platforms, especially
> this late in the RHEL 7 lifecycle.

It's not prudent to leave RHEL 7 exposed to high-severity vulnerabilities.
Apptainer also supports more platforms than Red Hat.

> >    install the rpm on RHEL8 & 9 directly from github, and it would not
> >    be good to have different behavior when installed from EPEL.

Dave

_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
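The thread above turns on two facts an administrator can check on a host: whether the setuid-root ext3 image mounts that CVE-2023-30549 concerns are still enabled in the Apptainer configuration, and whether unprivileged user namespaces are available so that the --userns fallback the message describes will work. The script below is an added example, not code from the thread or from the Apptainer project. It assumes the configuration key is spelled `allow setuid-mount extfs` (the thread only says the mounts are "disabled by configuration") and that the kernel exposes the user-namespace limit at /proc/sys/user/max_user_namespaces; verify both against the Apptainer and kernel versions you actually run.

```shell
#!/bin/sh
# Added example, not part of the thread or of Apptainer's own code.
# Two checks an admin might run after reading the discussion above:
#  1. does apptainer.conf still allow setuid-root mounts of ext3 images?
#  2. are unprivileged user namespaces available, so that users can fall
#     back to the --userns mode the thread mentions?
# Assumptions: the config key name 'allow setuid-mount extfs' and the
# sysctl file /proc/sys/user/max_user_namespaces are taken as given here.

# Print yes/no/unset for the 'allow setuid-mount extfs' key in CONFIG_FILE.
# Comments are stripped first; if the key appears more than once the last
# occurrence wins, which is how most line-oriented config parsers behave.
setuid_extfs_allowed() {
    conf="$1"
    val=$(sed -e 's/#.*//' "$conf" \
        | grep -i '^[[:space:]]*allow[[:space:]]*setuid-mount[[:space:]]*extfs[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')
    case "$val" in
        yes) echo yes ;;
        no)  echo no ;;
        "")  echo unset ;;          # key absent: behaviour depends on the Apptainer version
        *)   echo "invalid:$val" ;;
    esac
}

# Print yes/no depending on whether MAX_NS_FILE (default: the live sysctl
# file) holds a positive count, i.e. unprivileged user namespaces are
# enabled. An unreadable file is reported as "no" rather than as an error.
userns_available() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$f" ] || { echo no; return 0; }
    n=$(tr -cd '0-9' < "$f")
    if [ -n "$n" ] && [ "$n" -gt 0 ]; then echo yes; else echo no; fi
}

# Demo on a constructed apptainer.conf fragment (not a real host's file).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed apptainer.conf fragment for the demo
allow setuid-mount squashfs = yes
allow setuid-mount extfs = no
EOF
echo "setuid ext3 image mounts allowed: $(setuid_extfs_allowed "$demo_conf")"
echo "unprivileged user namespaces:     $(userns_available)"
rm -f "$demo_conf"
```

A host where the first check prints `yes` (or `unset` on an Apptainer release that predates the option) still exposes the kernel's ext4 code to user-supplied images through the setuid helper; a host where the second prints `no` is one on which users cannot take the --userns route and will need the setting restored or user namespaces enabled.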