On 31/03/2024 23.11, Kevin Fenzi wrote:
> On Sun, Mar 31, 2024 at 08:55:37PM +0000, Christopher Klooz wrote:
>> The repo files should be the same on Fedora containers, so if the container is F40 and the testing repo is enabled, it might have installed the malicious build.
>
> Right, if it was dnf updated during the time that the bad update was in
> updates-testing.
> Folks should pull the latest and restart.
>
>> Preemptively, I added yesterday to the Fedora Discussion topic that people shall also update their toolbox containers. I am not sure if a container can end up in a condition that is vulnerable (especially since it has no dedicated systemd), but I assume we do not know for sure at this time, and the package was available to toolbox if the testing was enabled on a F40 container (I assume there are already F40 containers available? Didn't verify).
>
> Yeah, best to be safe and pull the latest that doesn't have the affected
> build and rerun.
> Yes, there are f40 containers available.
>
> kevin

Great point. I adjusted the Fedora Discussion topic.