Re: xz backdoor

On Fri, Mar 29, 2024 at 06:46:59PM +0000, Christopher Klooz wrote:
> Yes, F40 beta is affected, along with rawhide, but not F38/F39.
> 
> https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
> 
> https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
> 
> https://access.redhat.com/security/cve/CVE-2024-3094
> 
> https://www.linkedin.com/posts/fedora-project_urgent-security-alert-for-fedora-41-and-fedora-activity-7179540438494629888-EH4d?utm_source=share&utm_medium=member_desktop
> 
> It might be noted that the header of the RH article is wrong and refers to "F41 and rawhide", whereas the RH article content is correct and refers to "F40 and rawhide". Other sources, including the publication of Fedora Project (e.g., on linkedin), also refer to F40 and rawhide. However, the RH CVE article also refers to "F41 and rawhide".
> 
> Can someone from RH check and change the RH article header and the RH CVE page content to avoid confusion? I tend to assume that "F41 and rawhide" makes no sense at all since the two are currently equal.

There was an F40 change that was vulnerable but it was in testing only
briefly.  After disabling ifuncs we (accidentally) were not vulnerable
in F40.  So the RH article is kind of correct.

I still recommend that everyone update to the Epoch: 1 package if they're
on F40 or F41.

Also if you're on F41 and/or think you might have installed the
vulnerable xz anywhere, note that the exploit has not been fully
analyzed and no one really knows what it could do.  I'm currently
reinstalling a couple of machines from scratch and have regenerated
my SSH keys.

Rich.

> Chris
> 
> On 29/03/2024 19.37, Barry wrote:
> >Has this shipped on f40 beta?
> >
> >Barry
> >
> >>On 29 Mar 2024, at 18:08, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> >>
> >>
> >>On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> >>>Hi,
> >>>
> >>>wow: https://www.openwall.com/lists/oss-security/2024/
> >>>
> >>>I think at this point we clearly cannot trust xz upstream anymore and should
> >>>probably fork the project.
> >>I kind of agree here, though it saddens me to say it.  Any commit or
> >>release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
> >>otherwise, and those go back 2 or more years.
> >>
> >>Rich.
> >>
> >>[1] Putting quotes here because those are almost certainly not real
> >>peoples' names.
> >>
> >>--
> >>Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
> >>Read my programming and virtualization blog: http://rwmj.wordpress.com
> >>virt-top is 'top' for virtual machines.  Tiny program with many
> >>powerful monitoring features, net stats, disk stats, logging, etc.
> >>http://people.redhat.com/~rjones/virt-top
> >>--
> >>_______________________________________________
> >>devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> >>To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> >>Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> >>Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v