Attention: Malicious code in current Beta, pre-release & testing versions/variants: F40 and rawhide affected - users of F40/rawhide need to respond

Some new information / clarification from @rjones → it seems that the vulnerability was only very briefly in testing for F40 and is thus unlikely to have been installed. Some response is nevertheless suggested:

There was an F40 change that was vulnerable but it was in testing only
briefly.  After disabling ifuncs we (accidentally) were not vulnerable
in F40.  So the RH article is kind of correct.

I still recommend everyone updating to the Epoch: 1 package if they're
on F40 or F41.

Also if you're on F41 and/or think you might have installed the
vulnerable xz anywhere, note that the exploit has not been fully
analyzed and no one really knows what it could do.  I'm currently
reinstalling a couple of machines from scratch and have regenerated
my SSH keys.

( xz backdoor - devel - Fedora Mailing-Lists )


A list of all affected packages, along with a deletion script in case it is needed, is also on the devel mailing list. Affected users might review Rich's comments to get an overview of whether they are affected, what they are up against and what to do.


Thanks for the update Rich :wink:
