On 29/03/2024 21.01, Richard W.M. Jones wrote:
On Fri, Mar 29, 2024 at 06:46:59PM +0000, Christopher Klooz wrote:
Yes, F40 beta is affected, along with rawhide, but not F38/F39.
https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
https://access.redhat.com/security/cve/CVE-2024-3094
https://www.linkedin.com/posts/fedora-project_urgent-security-alert-for-fedora-41-and-fedora-activity-7179540438494629888-EH4d?utm_source=share&utm_medium=member_desktop
It might be noted that the header of the RH article is wrong and refers to "F41 and rawhide", whereas the RH article content is correct and refers to "F40 and rawhide". Other sources, including the publication of Fedora Project (e.g., on linkedin), also refer to F40 and rawhide. However, the RH CVE article also refers to "F41 and rawhide".
Can someone from RH check and change the RH article header and the RH CVE page content to avoid confusion? I tend to assume that "F41 and rawhide" makes no sense at all since the two are currently equal.
There was an F40 change that was vulnerable but it was in testing only
briefly. After disabling ifuncs we (accidentally) were not vulnerable
in F40. So the RH article is kind of correct.
I still recommend everyone updating to the Epoch: 1 package if they're
on F40 or F41.
Also if you're on F41 and/or think you might have installed the
vulnerable xz anywhere, note that the exploit has not been fully
analyzed and no one really knows what it could do. I'm currently
reinstalling a couple of machines from scratch and have regenerated
my SSH keys.
Rich.
Thanks for the clarifications and your quick responses to the issue!
However, the article could be still adjusted in some direction to avoid confusion, e.g.:
page header: "Urgent security alert for Fedora Linux 41 and Fedora Rawhide users " (-> 41)
page headline: "Urgent security alert for Fedora Linux 40 and Fedora Rawhide users " (-> 40)
Not the most urgent problem at the moment of course, but maybe someone could adjust it at some time. As Michael already mentioned, the term "F41" can be on itself a little confusing at the moment.
Chris
On 29/03/2024 19.37, Barry wrote:
Has this shipped on f40 beta?
Barry
On 29 Mar 2024, at 18:08, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
Hi,
wow: https://www.openwall.com/lists/oss-security/2024/
I think at this point we clearly cannot trust xz upstream anymore and should
probably fork the project.
I kind of agree here, though it saddens me to say it. Any commit or
release by "Jia Tan" or "Hans Jansen" [1] is suspect until proven
otherwise, and those go back 2 or more years.
Rich.
[1] Putting quotes here because those are almost certainly not real
peoples' names.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
