On Fri, Mar 29 2024 at 04:10:53 PM -05:00:00, Michael Catanzaro
<mcatanzaro@xxxxxxxxxx> wrote:
OK, I am going to ask Product Security to edit their blog post to
remove the incorrect information. I will CC you on that request.
Or maybe I should rephrase this as a "request for clarification,"
because maybe they know something that we don't. E.g. the Ars article
[1] says
"The build environment on Fedora 40, for example, contains
incompatibilities that prevent the injection from correctly occurring.
Fedora 40 has now reverted to the 5.4.x versions of xz Utils."
[1]
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
Now, that's a secondary source, and I'm not confident if it is true,
but perhaps Product Security had time to analyze the build logs before
publishing and found something that we don't know about. Richard, what
do you think?
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
