Re: xz backdoor

On Fri, 2024-03-29 at 15:01 -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones 
> <rjones@xxxxxxxxxx> wrote:
> > secalert are already well aware and have approved the update.  Kevin
> > Fenzi, myself and others were working on it late last night :-(
> 
> Sorry, I linked to the wrong article. I meant to link to [1] which says 
> that "At this time the Fedora Linux 40 builds have not been shown to be 
> compromised. We believe the malicious code injection did not take 
> effect in these builds." But this statement contradicts my findings 
> above, and you just replied "yes" to those, implying that my 
> understanding is correct. So I guess either this blog post is wrong and 
> needs to be updated, or you're wrong about me being right. Er, correct? 
> :)

FWIW, I wrote that text, modified from a slightly different version in
the earlier draft that was briefly published, and based on my best
understanding at the time (which was that *no* build that reached F40
actually had a working version of the exploit).

If Richard says the exploit potentially worked in 5.6.0-2, then F40
potentially *was* vulnerable for some time, because 5.6.0-2 reached
updates-testing. You can use `dnf history info xz` to check if you ever
had the vulnerable version installed. I'll see if we can get the post
tweaked again; it will be hard to word it with the appropriate level of
accuracy and urgency and still be readable, but I'll try...

Oh, and we can't easily fix the URL of the blog post, apparently,
because CMSes suck. It seems we're more or less stuck with the "41" in
that.
-- 
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx
https://www.happyassassin.net