On Thu, 2023-10-05 at 19:01 +0200, Tomasz Torcz wrote:
> On Thu, Oct 05, 2023 at 11:23:35AM -0400, Stephen Smoogen wrote:
> > On Sat, 30 Sept 2023 at 05:13, Marius Schwarz <fedoradev@xxxxxxxxxxxx>
> > wrote:
> >
> > >
> > > Hi,
> > >
> > > this is emerg ping for the security team, to take a look at this bz:
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2241470
> > >
> > > The deadline for having a fix shipped is the afternoon of SUN, 1. of Oct
> > > 2023. On this date, the patches in upstream go public and exploits
> > > will be developed for them. This impacts ALL of redhat based
> > > installations which run as servers and are publically reachable. The
> > > component in question is the default package for rh based installations.
> > >
> > So does anyone know which of this week's major security problems this was
> > about? Since it is supposedly past the release date, I figure it is ok to
> > ask. If it isn't due to some other delay.. my apologies.
>
> My guess is on glibc's suid local root: https://lwn.net/Articles/946381/

That doesn't seem to really fit, though. You need to be able to at
least set environment variables and execute processes to exploit that,
right? That hardly covers "all publically reachable servers". I guess
it's the closest candidate, but meh.

In any case, the updates for that all went stable yesterday.
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx
https://www.happyassassin.net