What I need to do for my system for the vulnerability

I am running Fedora Silverblue and just 2 days ago I updated to Fedora Silverblue 40 beta and updated to the latest whatever was available.
Should I reinstall now or do something else?

You're probably fine; run rpm -q xz to get the installed version. On my Silverblue machine it reports xz-5.4.6-1.fc40.x86_64, which is not affected.

If I am interpreting this bodhi page correctly, Fedora 40 was never affected.

I am not near my system but I will be within 3h.
Should I change my OS?

What should I do if I am running an affected distribution?

For both personal and business activities, immediately stop using Fedora 40 Not 41 or Fedora Rawhide.

At this time the Fedora Linux 40 builds have not been shown to be compromised. We believe the malicious code injection did not take effect in these builds. However, Fedora Linux 40 users should still downgrade to a 5.4 build to be safe. An update that reverts xz to 5.4.x has recently been published and is becoming available to Fedora Linux 40 users through the normal update system. Concerned users can force the update by following the instructions at FEDORA-2024-d02c7bb266 — unspecified update for perl-Compress-Raw-Lzma and xz — Fedora Updates System.

I guess with silverblue you just could pull F39 again and use it till it is fixed.

Or should I just reinstall, as my system is not affected?
I have never seen a class 10 level vulnerability running on my system.

Then please do what is written in the article you linked. And you do not have to panic because of this.


xz --version
xz (XZ Utils) 5.4.4
liblzma 5.4.4

is ok.

So I checked whether we silverblue users are affected with some extremely horrible bash. I am not proud of it, there is probably a much easier way to do this, but it works. Anyway, learned some useful commands.

# Pull last 60 commits of Fedora Silverblue version 40
# This goes back to 13 feb 2024
sudo ostree pull --commit-metadata-only --depth 60 fedora:fedora/40/x86_64/silverblue

# Get all commits, and loop over them
ostree log fedora:fedora/40/x86_64/silverblue | grep 'commit' | grep -v 'not fetched' | while read -r line; do
    # Get commit id (second field of the "commit <hash>" line)
    commit=$(echo "$line" | awk '{print $2}')

    # rpm-ostree db list prints every package in that commit, grab the xz lines
    rpm-ostree db list "$commit" | grep 'xz'
# The dot is escaped: a bare '5.6' would also match a release tag such as 5.4.5-6
done | grep -q '5\.6' && echo "we're screwed" || echo "we're good"
# Output: we're good

So you’re good. If you’re on silverblue 40 testing though, that is a different story:

sudo ostree pull --commit-metadata-only --depth 20 fedora:fedora/40/x86_64/testing/silverblue
ostree log fedora:fedora/40/x86_64/testing/silverblue | grep 'commit' | grep -v 'not fetched' | while read -r line; do
    rpm-ostree db list "$(echo "$line" | awk '{print $2}')" | grep 'xz'
done | grep -q '5\.6' && echo "testing is screwed" || echo "we're good"
# Output: testing is screwed

Edit: testing does have the 5.6 version but might not be vulnerable. See the other discussion.
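As an added example that is not code from the thread or from Fedora's tooling: the same check done by parsing the package NEVRA fields rather than grepping for the string "5.6", so a 5.4.x build with a "-6" release tag cannot be mistaken for an affected one. The package lists are constructed samples in the shape of rpm-ostree db list output, and the 5.6.x range is the one the thread's own check looks for.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: decide whether an
# xz build is in the 5.6.x range by parsing NEVRA fields instead of
# grepping for the string "5.6" (an unescaped dot also matches "5-6").

# Version field of an xz NEVRA: xz-5.4.6-1.fc40.x86_64 -> 5.4.6.
# Only the xz package itself qualifies; xz-libs and friends are skipped.
xz_version_from_nevra() {
    case "$1" in
        xz-[0-9]*) ver=${1#xz-}; printf '%s\n' "${ver%%-*}" ;;
        *) return 1 ;;
    esac
}

# Exit 0 when VERSION is 5.6.x, the range the thread's check looks for.
xz_is_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    if [ "$major" = 5 ] && [ "$minor" = 6 ]; then return 0; fi
    return 1
}

# Read one NEVRA per line from stdin (the shape of `rpm-ostree db list`
# output; read -r drops its one-space indent). Exit 0 and print the entry
# if an affected xz is listed, 1 otherwise.
scan_package_list() {
    found=1
    while read -r nevra; do
        v=$(xz_version_from_nevra "$nevra") || continue
        if xz_is_affected "$v"; then
            printf 'affected: %s\n' "$nevra"
            found=0
        fi
    done
    return "$found"
}

# The thread's string match, kept for comparison: grep 'xz' | grep -q '5.6'.
thread_style_check() { printf '%s\n' "$1" | grep 'xz' | grep -q '5.6'; }

# Constructed sample lists (not real repository data).
SAMPLE_STABLE=' xz-5.4.6-1.fc40.x86_64
 xz-libs-5.4.6-1.fc40.x86_64'
SAMPLE_TESTING=' xz-5.6.0-2.fc40.x86_64
 xz-libs-5.6.0-2.fc40.x86_64'
# A 5.4.x build whose release tag "-6" makes the plain grep fire.
SAMPLE_LOOKALIKE=' xz-5.4.5-6.fc40.x86_64'

check_sample() { printf '%s\n' "$1" | scan_package_list; }
```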


To link this to the original discussion:

@frankjunior you might check the suggestion of alciregi here

Again, just to ensure we are on the same page: “F41 and rawhide” is a mistake → correct is “F40 and rawhide”. But keep watching the original topic for updates and the devel mailing list. So far it seems that it is unlikely that F40 has been actually affected. But it is still suggested to respond and verify on F40. The devel mailing list contains some comments from Richard about this confusion.

Fedora 40 was affected if the user did an update while the corrupted package (xz version 5.6.0) was in the testing repo. I had the affected package installed on my test bed after doing an update on March 25.

I have also done that same thing.

According to the CVE, you would have to stop using all Linuxes if you were to change your OS, or you could just downgrade xz.

I do not know why you did not fix it … instead you made a blockquote of it. Just to let you know that I fixed it above while making it visible that it is an error.

It is just silly … talking everywhere that it is wrong, @RedHat blog poster should just fix it there. In the end we do link the article and not copy and paste in general.

Affected are (please correct to F40 & Rawhide):
and more?

We have forwarded the information, someone from RH (I am not from RH) wanted to inform the respective team, but they need to change it. It’s finally a RH page.

I have just reminded about this and some other issues. Be aware that the article and the confusion are at the moment not the top priority, because this has become a wider phenomenon. But hopefully, we get all publications synchronized soon.

True, I updated my F40 today and the update brings an xz downgrade with it, to the version we use on F39.

I also see that @frankjunior wanted to be correct and made his own topic for Silverblue. Unfortunately I read his topic first and only afterwards saw your topic, @py0xc3.

In my opinion, cleaning up this topic and merging it with yours would probably give you a bit more room for other tasks. Fedora reacted quite fast and I do believe that within hours we will also have a fix for Silverblue.

@frankjunior as a Silverblue user, if you are so scared about a bug please roll back to F39:

Indeed, I tend to close this topic because it is no longer relevant to separate between Silverblue and normal variants: the mitigation has been pushed to stable, and everyone with any F40 should do a normal update with --refresh, be it with dnf or rpm-ostree.

Please follow the major topic from now on: Attention: Malicious code in current pre-release & testing versions/variants: F40 and rawhide affected - users of F40/rawhide need to respond - #27 by py0xc3

I will not merge the topics because that would cause too much confusion. Both topics are already sufficiently hard to follow on themselves.