The following Fedora EPEL 7 Security updates need testing:
Age  URL
4    https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-30f3deb00a  chromium-112.0.5615.165-1.el7
2    https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-18a0e3fa23  apptainer-1.1.8-1.el7
The following builds
The following Fedora EPEL 9 Security updates need testing:
Age  URL
4    https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-91a369658f  chromium-112.0.5615.165-1.el9
2    https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-b31211e2ce  apptainer-1.1.8-1.el9
The following builds
On Thu, Apr 27, 2023 at 12:00:47PM +0100, David Trudgian wrote:
> On Thu, Apr 27, 2023, at 8:11 AM, Carl George wrote:
> > The Red Hat CVSS score for CVE-2022-1184 has the same breakdown as the
> > NVD CVSS score. Both rate the "privileges required" property as low.
> > From what I can tell that
On Thu, Apr 27, 2023 at 02:11:46AM -0500, Carl George wrote:
> On Wed, Apr 26, 2023 at 11:20 AM Dave Dykstra via epel-devel
...
> > The summary of the CVE is that the way that apptainer & singularity
> > allow mounts of ext3 filesystems in setuid mode raises the severity of
> > many ext4
On Thu, Apr 27, 2023 at 09:09:57AM +0100, Nick Howitt via epel-devel wrote:
> On 2023-04-27 08:42, Carl George wrote:
...
> > should be modified to set the "allow setuid-mount extfs" option to yes
> > for compatibility, even if that isn't the upstream default.
>
> Can you not set the option to no
We believe that it is important to apply this change to all EPEL releases,
for these reasons:
1. The general vulnerability described in this CVE applies equally to all
currently supported Linux distributions. The Singularity/Apptainer
community has long been aware that making setuid-root
On Thu, Apr 27, 2023, at 8:11 AM, Carl George wrote:
> The Red Hat CVSS score for CVE-2022-1184 has the same breakdown as the
> NVD CVSS score. Both rate the "privileges required" property as low.
> From what I can tell that property would be rated high if they
> considered root privileges to be
On 2023-04-27 08:42, Carl George wrote:
On Wed, Apr 26, 2023 at 12:54 PM David Trudgian wrote:
Dave, Jonathan,
Thank you for the replies and actions after my original message r.e.
the incompatible upgrades policy.
I should now declare that I have an interest in how the discussion
On Wed, Apr 26, 2023 at 12:54 PM David Trudgian wrote:
>
> Dave, Jonathan,
>
> Thank you for the replies and actions after my original message r.e. the
> incompatible upgrades policy.
>
> I should now declare that I have an interest in how the discussion around the
> incompatible change for