On Fri, Mar 29, 2024 at 03:01:34PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones
> <rjones@xxxxxxxxxx> wrote:
> >secalert are already well aware and have approved the update. Kevin
> >Fenzi, myself and others were working on it late last night :-(
>
> Sorry, I linked to the wrong article. I meant to link to [1] which
> says that "At this time the Fedora Linux 40 builds have not been
> shown to be compromised. We believe the malicious code injection did
> not take effect in these builds." But this statement contradicts my
> findings above, and you just replied "yes" to those, implying that
> my understanding is correct. So I guess either this blog post is
> wrong and needs to be updated, or you're wrong about me being right.
> Er, correct? :)
>
> [1] https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

These are the exact builds which were vulnerable. Note the tags are
all empty because Kevin untagged them last night, so you'll probably
need to cross-reference these with bodhi updates.

xz-5.6.0-1.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2411083

xz-5.6.0-1.fc40
https://koji.fedoraproject.org/koji/buildinfo?buildID=2411092

xz-5.6.0-2.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412686

xz-5.6.0-2.fc40
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412698

xz-5.6.0-2.eln136
https://koji.fedoraproject.org/koji/buildinfo?buildID=2412908

xz-5.6.1-1.fc41
https://koji.fedoraproject.org/koji/buildinfo?buildID=2417414

xz-5.6.1-1.eln136
https://koji.fedoraproject.org/koji/buildinfo?buildID=2417425

NOT known to be vulnerable:

 * xz-5.6.0-3.fc41 (because --disable-ifunc)
 * xz-5.6.0-3.fc40 (because --disable-ifunc)
 * anything < 5.6.0

You can also use the detection script "detect.sh" written by Vegard
Nossum (https://www.openwall.com/lists/oss-security/2024/03/29/4)

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org
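
The build lists in the message above can be turned into a host check. This is an added example, not part of the original mail or of any Fedora tooling: it classifies an xz version-release string as listed vulnerable, listed not known vulnerable, or not covered by the mail. The function names and the sample inputs are constructed for illustration, and GNU `sort -V` is assumed to be available.

```shell
#!/bin/sh
# Added example: classify an xz version-release against the lists in the mail.
# Build identifiers are copied from the message; nothing else is asserted.

VULNERABLE="5.6.0-1.fc41 5.6.0-1.fc40 5.6.0-2.fc41 5.6.0-2.fc40
5.6.0-2.eln136 5.6.1-1.fc41 5.6.1-1.eln136"
NOT_KNOWN_VULNERABLE="5.6.0-3.fc41 5.6.0-3.fc40"

# version_lt A B: succeeds if version A sorts strictly before B.
# Assumption: sort supports -V (GNU coreutils or busybox).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# classify_xz_build VR: VR is "version-release", optionally prefixed with
# "xz-" or "xz-libs-". Prints one of:
#   vulnerable            build is in the mail's vulnerable list
#   not-known-vulnerable  build is in the mail's second list, or < 5.6.0
#   unlisted              the mail says nothing about this build
classify_xz_build() {
    vr=${1#xz-libs-}
    vr=${vr#xz-}
    version=${vr%%-*}
    for b in $VULNERABLE; do
        if [ "$vr" = "$b" ]; then echo vulnerable; return 0; fi
    done
    for b in $NOT_KNOWN_VULNERABLE; do
        if [ "$vr" = "$b" ]; then echo not-known-vulnerable; return 0; fi
    done
    if version_lt "$version" 5.6.0; then
        echo not-known-vulnerable
    else
        echo unlisted
    fi
}

# On an RPM host the input would come from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' xz-libs
# Constructed sample inputs so the script runs anywhere:
for sample in 5.4.6-1.fc39 xz-5.6.0-1.fc40 5.6.0-3.fc41 5.6.1-1.fc41 5.6.1-2.fc41; do
    printf '%s\t%s\n' "$sample" "$(classify_xz_build "$sample")"
done
```

An "unlisted" result means only that the mail does not mention the build; it is not a statement about that build either way.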