On 31/03/2024 22.30, Leon Fauster via devel wrote:
On 31.03.24 at 21:33, Sandro wrote:
On 31-03-2024 20:54, Christopher Klooz wrote:
On 31/03/2024 20.52, Christopher Klooz wrote:
On 31/03/2024 20.21, Michael Catanzaro wrote:
On Sun, Mar 31 2024 at 09:56:04 AM -05:00:00, Michael Catanzaro
<mcatanz...@redhat.com> wrote:
I'm really frustrated with our communication regarding this issue. Does anybody
know who can fix this?
The Fedora Magazine article has been fixed (thanks!).
"*Fedora Linux 40 branched users (i.e. pre-Beta) likely received the potentially
vulnerable /5.6.0-2.fc40/ build
<https://bodhi.fedoraproject.org/updates/FEDORA-2024-4417db3376> if the system updated
between March 2nd and March 6th*. Fedora Linux 40 Beta users only using stable repositories are
NOT impacted. Fedora Linux 39 and 38 users are also NOT impacted."
-> only pre-beta, not beta, affected
-> F40 beta using stable NOT impacted (without challenging the previously
distributed assumption that testing is disabled by default)
That's still the same false information, isn't it?
Justin has just shown up on Discourse. I suggested getting in touch with you,
Adam or Kevin since he seemed to be convinced the article is fine as it is.
When I refresh the article, it still seems to be unchanged. Is the update you
mean already online, Michael?
I clarified what's wrong with Justin in a DM on Matrix. He was on the same garden path as I was
regarding "Beta release" vs. "Final release".
There will be another update to the article.
Not sure if it was already mentioned -> containers. I had a toolbox
environment with F40 here. I did not have that on the screen
in my first actions. The last state had 5.6.0-3 installed, but I am not sure
if the previous release was also installed ...
The repo files should be the same on Fedora containers, so if the container is
F40 and the testing repo is enabled, it might have installed the malicious
build.
Preemptively, I added to the Fedora Discussion topic yesterday that people
shall also update their toolbox containers. I am not sure if a container can
end up in a condition that is vulnerable (especially since it has no dedicated
systemd), but I assume we do not know for sure at this time, and the package
was available to toolbox if testing was enabled on an F40 container (I
assume there are already F40 containers available? Didn't verify).
So I suggest preemptively acting with F40 toolboxes in the same way as with F40 if
testing was enabled. ->
https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-beta-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
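For the container case raised in the last two messages, an added example (not part of the thread, and not Fedora's own tooling) that triages one F40 toolbox from its repo file text and its `rpm -q` output. The repo id `updates-testing`, the function names and the sample data are assumptions or constructed; the only flagged build is the one named in the quoted article text.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: the repo id "updates-testing",
# the helper functions, and the constructed sample data below.
FLAGGED_BUILD="5.6.0-2.fc40"  # build the quoted article text calls potentially vulnerable

# Succeeds if the dnf .repo text on stdin has enabled=1 in [updates-testing].
testing_enabled() {
    awk -F= '
        /^\[/ { in_sec = ($0 == "[updates-testing]") }
        in_sec && $1 ~ /^[ \t]*enabled[ \t]*$/ { gsub(/[ \t\r]/, "", $2); val = $2 }
        END { exit ((val == "1") ? 0 : 1) }
    '
}

# Prints the lines of `rpm -q` output on stdin that name the flagged build.
flagged_packages() {
    grep -F -e "-${FLAGGED_BUILD}." || true
}

# $1 = repo file text, $2 = `rpm -q xz xz-libs` output from the same container.
triage() {
    hits=$(printf '%s\n' "$2" | flagged_packages)
    if [ -n "$hits" ]; then
        echo "flagged-build-installed"
    elif printf '%s\n' "$1" | testing_enabled; then
        # A newer build installed now does not show what was installed earlier.
        echo "testing-enabled-check-history"
    else
        echo "no-indicator-in-these-inputs"
    fi
}

# Constructed sample data (not real captures).
SAMPLE_REPO='[updates-testing]
name=Fedora $releasever - $basearch - Test Updates
enabled=1
[updates-testing-debuginfo]
enabled=0'
SAMPLE_RPM_NOW='xz-5.6.0-3.fc40.x86_64
xz-libs-5.6.0-3.fc40.x86_64'
SAMPLE_RPM_OLD='xz-libs-5.6.0-2.fc40.x86_64'

triage "$SAMPLE_REPO" "$SAMPLE_RPM_NOW"
triage "$SAMPLE_REPO" "$SAMPLE_RPM_OLD"
```

Real inputs for a container NAME (placeholder) can be collected with `toolbox run --container NAME rpm -q xz xz-libs` and `toolbox run --container NAME cat /etc/yum.repos.d/fedora-updates-testing.repo`.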