On 30/03/2024 20.08, Sandro wrote:
> On 30-03-2024 13:26, Christopher Klooz wrote:
>> I don't know how the assumption came up that F40 is only affected if users 
>> opted in for testing, but that interpretation already ended up in the Fedora 
>> Magazine and in the official linkedin post of Fedora (I already asked to 
>> correct it).
> 
> I believe that statement is correct, since none of the xz-5.6.x packages ever 
> made it to F40 stable. The furthest they've got was updates-testing, which is 
> not enabled in the official Beta releases. However, if you installed F40 before 
> Beta was released, then updates-testing is enabled and users may have installed 
> the vulnerable package with a simple `sudo dnf upgrade`.
> 
> I admit the wording could be clearer in that opting in to updates-testing might 
> have been done on your behalf simply by installing F40 sometime between 
> branching and the Beta release. Some users might not be aware of that.
> 
> It may also help to provide some simple instructions on how users can check if 
> they have any of the vulnerable versions installed in the article itself. I see 
> a comment to that extent.
> 
> So, the situation around F40 is somewhat murky since a lot of factors come into 
> play, but the statement that 5.6.x never made it to F40 stable is correct[1] and 
> therefore users not having updates-testing enabled could not have installed 
> 5.6.x without expressly enabling it.
> 
> [1] https://bodhi.fedoraproject.org/updates/?search=xz-5.6

I don't think this is right. Adam Williamson and Michael Catanzaro already 
confirmed that F40 has testing enabled by default because it is pre-release. It 
was also confirmed that some packages could have been installed on F40 variants 
(see also the points of Michael and Richard here in the devel mailing list). 
Michael and Adam also wrote some references in the Fedora Discussion topic [1] 
about this.

It is obviously still an issue that is evolving and what seems clear now might 
prove different later. But so far I tend to leave the discussion topic as it is 
and ensure that F40 users expect to be compromised and get informed to act 
correspondingly with the suggested actions. However, I already added a point on 
how users can check if they have a malicious build.

[1] 
https://discussion.fedoraproject.org/t/attention-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683/36
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
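Both messages above ask for a simple way for F40 users to check two things: whether an xz-5.6.x build is installed, and whether updates-testing is enabled on their system (which it is by default on pre-Beta installs). The script below is an added example written for this archive page; it is not from either poster, from the Fedora Magazine article, or from the Discussion topic. It only uses `rpm -q` and `dnf repolist --enabled`, which exist on Fedora; the package names it queries (`xz`, `xz-libs`) are an assumption, and "affected" is taken literally from the thread's wording as any 5.6.x version. The pure functions take their input on stdin so they can be exercised with constructed sample output on a machine that is not Fedora.

```shell
#!/bin/sh
# Added example (not the thread's own code): detect an installed xz 5.6.x
# build and an enabled updates-testing repo on Fedora 40.
# Assumptions: package names xz and xz-libs; "affected" means version 5.6.x.

# Return 0 if the version string belongs to the 5.6.x series.
xz_version_affected() {
    case "$1" in
        5.6.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Read lines of "<name> <version>" (the format produced by
# rpm -q --qf '%{NAME} %{VERSION}\n') on stdin; print each affected
# package and return 0 if at least one was affected, 1 otherwise.
report_affected() {
    found=1
    while read -r name ver; do
        [ -n "$name" ] || continue
        if xz_version_affected "$ver"; then
            echo "AFFECTED: $name-$ver"
            found=0
        fi
    done
    return $found
}

# Read "dnf repolist --enabled" style output on stdin (first line is the
# header, first column is the repo id); return 0 if any enabled repo id
# starts with "updates-testing".
testing_repo_enabled() {
    awk 'NR > 1 && $1 ~ /^updates-testing/ { hit = 1 }
         END { exit hit ? 0 : 1 }'
}

# Live check against the running system; skipped when rpm/dnf are absent
# so the functions above remain usable elsewhere.
live_check() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; cannot check installed xz version"
        return 2
    fi
    if rpm -q --qf '%{NAME} %{VERSION}\n' xz xz-libs 2>/dev/null | report_affected; then
        echo "An xz 5.6.x build is installed; follow the remediation steps."
    else
        echo "No xz 5.6.x build found in xz/xz-libs."
    fi
    if command -v dnf >/dev/null 2>&1 && dnf repolist --enabled 2>/dev/null | testing_repo_enabled; then
        echo "updates-testing is enabled: pre-release packages may have been pulled in."
    else
        echo "updates-testing not enabled (or dnf unavailable)."
    fi
}

# Run the live check only when asked, e.g.: sh check_xz.sh --live
case "${1:-}" in
    --live) live_check ;;
esac
```

Running it with `--live` on the machine in question prints one line per finding; without an argument it only defines the functions. Note that an enabled updates-testing repo does not by itself prove a 5.6.x package was installed, only that the system could have received one from a plain `sudo dnf upgrade`.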