py0xc3 (Chris), March 31, 2024, 4:13pm, post #42
An update for users who follow on “email only”:
Chris:
Attention about the Fedora Magazine article that elaborates this case: The article contained misleading information and still indicates misleading points after its update: If you have any F40 - including Beta - your “testing” branches are enabled by default: this means any F40 has to be assumed to be affected and thus needs to follow the advice for mitigation below (please read update 3 below). Communication between development and the magazine is unfortunately broken at the moment.
Chris:
Update 3: state as of 30.3.24, 15:00 UTC-0/GMT is in short (as of 31.3.24, 12:25 UTC-0/GMT, update 3 remains valid, but a few elaborations below have been improved):
→ if you have any F40 or rawhide installation, it is suggested to follow the updates on the RH blog article, and if you want also the devel mailing list. You should also review this topic daily: we will update it at least once a day to contain a summary, likely more often. Also, if there are updates, feel free to post them yourself here.
→ Rawhide (currently sometimes referred to as “F41”) installations have to be assumed affected, STOP USING ANY FEDORA RAWHIDE INSTANCE FOR NOW
→ F40 installations potentially have installed the malicious packages (the affected “testing” repo seems enabled by default on F40 since it's still pre-release); in some cases the malicious code might be broken but in some not - but it is nevertheless suggested in any case to conduct a mitigative action just to be sure: do a dnf update --refresh to get the fix for the vulnerability through your normal updates - the fix (=revert of the malicious code) is already in stable!
→ F40 users can check if they have/had a malicious version installed with dnf history info xz (feel free to grep: dnf history info xz | grep xz) and then compare the output xz versions with the list of affected builds here. Silverblue/Kinoite users can use rpm -q xz instead, but this only outputs the current version, not the history - so it won't help if you already reverted the vulnerability. (maybe someone can let me know the rpm-ostree counterpart of dnf history info xz?)
→ so far F40 Silverblue/Kinoite users should also do an update: rpm-ostree refresh-md; rpm-ostree upgrade
→ reboot after updating to ensure that all running processes are restarted/replaced with the fixed version!
→ users of toolbox should also do dnf update --refresh in their toolboxes
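The check described in update 3 (look through dnf history info xz, or rpm -q xz on Silverblue/Kinoite, and compare the versions against the affected-build list) can be scripted. The following is an added example written for this thread, not a script from Fedora or from the poster. The affected-build list in AFFECTED_BUILDS is a placeholder that must be filled from the list linked in the post, and SAMPLE_HISTORY is a constructed imitation of dnf history output, not a real capture. The parser only looks for package names beginning with xz- followed by a digit, so xz-libs and xz-devel lines are ignored.

```shell
#!/bin/sh
# Added example (not from the thread). Scans "dnf history info xz" or
# "rpm -q xz" output for every xz build that was ever installed, upgraded or
# downgraded, and reports any build that is on the affected list.

# PLACEHOLDER: replace with the affected builds from the list linked in the
# thread (one NEVR per word, without the architecture suffix).
AFFECTED_BUILDS="xz-0.0.0-affected.placeholder.fc40"

# Constructed sample of what "dnf history info xz" prints (not real output):
# one transaction that pulled the placeholder build from updates-testing,
# and a later one that downgraded back to the stable build.
SAMPLE_HISTORY='Transaction ID : 57
Begin time     : Fri 29 Mar 2024 09:12:01 UTC
Packages Altered:
    Upgrade    xz-0.0.0-affected.placeholder.fc40.x86_64 @updates-testing
    Upgraded   xz-5.4.6-1.fc40.x86_64                    @@System
Transaction ID : 58
Begin time     : Sat 30 Mar 2024 18:40:12 UTC
Packages Altered:
    Downgrade  xz-5.4.6-3.fc40.x86_64                    @updates
    Downgraded xz-0.0.0-affected.placeholder.fc40.x86_64 @@System'

# Read dnf history (or rpm -q) text on stdin; print each distinct xz NEVR
# (architecture stripped) that appears anywhere in the input.
xz_versions_seen() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^xz-[0-9]/) { sub(/\.[^.]+$/, "", $i); print $i }
    }' | LC_ALL=C sort -u
}

# Read the same text on stdin; print every affected build that was seen.
# Returns 1 if any affected build appears, 0 otherwise.
check_affected() {
    found=0
    for v in $(xz_versions_seen); do
        for bad in $AFFECTED_BUILDS; do
            if [ "$v" = "$bad" ]; then
                echo "AFFECTED: $v was installed at some point"
                found=1
            fi
        done
    done
    return $found
}

# Demonstration on the constructed sample. On a real F40 system run:
#   dnf history info xz | check_affected        (full history)
#   rpm -q xz | check_affected                  (current version only)
printf '%s\n' "$SAMPLE_HISTORY" | check_affected \
    || echo "review needed: an affected xz build was present; update and reboot"
```

Because the function keys on the whole NEVR string, a build that was later reverted still shows up from the history, which is exactly why the post prefers dnf history info over rpm -q for this check.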
py0xc3 (Chris), March 31, 2024, 9:25pm, post #49
For people who follow on “email only”:
There is a minor update (update 4), but only the preferred mitigation for toolbox users has been updated:
The new preference is more of a best practice.
py0xc3 (Chris), April 1, 2024, 12:25pm, post #50
I have moved the Fedora Magazine related posts into a separated topic since this has evolved into its own discussion.
py0xc3 (Chris), April 1, 2024, 6:10pm, post #51
Update for users who follow “email only”:
Chris:
The below update 5 marks the final update: users no longer need to follow this page but they can consider the issue solved once they conducted the below steps:
Update 5: state as of 1.4.24, 18:00 UTC-0/GMT is in short (compared to update 4, only the rawhide point was changed):
Extract of the one changed point:
All other points of update 4 remain valid. See the top post for all currently valid posts.
1 Like
mattdm (Matthew Miller), April 2, 2024, 2:55pm, post #52
Thanks for doing this, @py0xc3 !
2 Likes
py0xc3 (Chris), April 2, 2024, 4:59pm, post #53
I think I pinned the topic for a week, so it should start to disappear on Friday or Saturday. I would leave it pinned for that time to ensure that the “returnees from the Easter break” get the message (especially containers are not updated by everyone on a regular basis if there is no reason; toolbox etc.).
3 Likes
This does NOT affect users of the Fedora releases (F38, F39 are thus not affected)
This means even after updates?
adamwill (Adam Williamson), April 6, 2024, 6:09am, post #55
Yes. The affected version was never submitted to any stable release.
4 Likes