OLD: Fedora-Rawhide-20240328.n.0
NEW: Fedora-Rawhide-20240329.n.0
= SUMMARY =
Added images: 2
Dropped images: 1
Added packages: 58
Dropped packages: 0
Upgraded packages: 135
Downgraded packages: 0
Size of added packages: 7.63 MiB
Size of dropped packages: 0
Hi,
wow: https://www.openwall.com/lists/oss-security/2024/
I think at this point we clearly cannot trust xz upstream anymore and should
probably fork the project.
Kevin Kofler
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsub
That would be a bit premature. At this point it looks like one bad actor,
and the other maintainer probably wasn't even aware. We should wait and
see how this plays out.
On Fri, Mar 29, 2024 at 1:01 PM Kevin Kofler via devel <
devel@lists.fedoraproject.org> wrote:
> Hi,
>
> wow: https://www.ope
On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> Hi,
>
> wow: https://www.openwall.com/lists/oss-security/2024/
>
> I think at this point we clearly cannot trust xz upstream anymore and should
> probably fork the project.
I kind of agree here, though it saddens me to s
On 3/29/24 11:00, Kevin Kofler via devel wrote:
wow: https://www.openwall.com/lists/oss-security/2024/
Specifically:
https://www.openwall.com/lists/oss-security/2024/03/29/4
I think at this point we clearly cannot trust xz upstream anymore and should
probably fork the project.
On Fri, Mar 29, 2024 at 2:08 PM Richard W.M. Jones wrote:
>
>
> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> > Hi,
> >
> > wow: https://www.openwall.com/lists/oss-security/2024/
> >
> > I think at this point we clearly cannot trust xz upstream anymore and should
> > pr
On Fri, Mar 29, 2024 at 12:08 PM Richard W.M. Jones wrote:
> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
> > Hi,
> >
> > wow: https://www.openwall.com/lists/oss-security/2024/
> >
> > I think at this point we clearly cannot trust xz upstream anymore and should
> > proba
Has this shipped on f40 beta?
Barry
> On 29 Mar 2024, at 18:08, Richard W.M. Jones wrote:
>
>
>> On Fri, Mar 29, 2024 at 07:00:37PM +0100, Kevin Kofler via devel wrote:
>> Hi,
>>
>> wow: https://www.openwall.com/lists/oss-security/2024/
>>
>> I think at this point we clearly cannot trust xz
Hi,
I'm seeing weird things.
For whatever reason Source for xz was changed 2 months ago[1] to use
GH releases instead of tukaani.org site.
The XZ page[2] has a note stating:
"Note: GitHub automatically includes two archives Source code (zip)
and Source code (tar.gz) in the releases. These archi
Yes, F40 beta is affected, along with rawhide, but not F38/F39.
https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need-to-respond/110683
https://www.redhat.com/en/blog/urgent-security-alert
Mikel Olasagasti wrote:
> And the WayBack Machine[3] doesn't have previous versions.
We have the previous versions in the dist-git lookaside cache and in the old
SRPMs.
Kevin Kofler
On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz
wrote:
Yes, F40 beta is affected, along with rawhide, but not F38/F39.
Unless I'm misunderstanding something, it looks like xz-5.6.0-1.fc40 and
5.6.0-2.fc40 are backdoored, yes? Then rjones unknowingly broke the
backdoor in two diffe
On Fri, Mar 29, 2024 at 02:40:48PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 06:46:59 PM +00:00:00, Christopher Klooz
> wrote:
> >Yes, F40 beta is affected, along with rawhide, but not F38/F39.
>
> Unless I'm misunderstanding something, it looks like xz-5.6.0-1.fc40 and
> 5.6.0-2.fc40 a
On Fri, Mar 29, 2024 at 06:46:59PM +0000, Christopher Klooz wrote:
> Yes, F40 beta is affected, along with rawhide, but not F38/F39.
>
> https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-and-rawhide-affected-users-of-f40-rawhide-need
On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones
wrote:
secalert are already well aware and have approved the update. Kevin
Fenzi, myself and others were working on it late last night :-(
Sorry, I linked to the wrong article. I meant to link to [1] which says
that "At this ti
On Fri, Mar 29 2024 at 07:44:12 PM +01:00:00, Mikel Olasagasti
wrote:
Do we know if GH release tarballs are safe?
The tarballs generated by GitHub that just include the contents of the
git repo should be safe (at least from this particular issue), but the
Fedora package is not built from tho
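The distinction drawn in this reply and in Mikel's earlier message (GitHub's auto-generated archives reflect the git tree, while a release tarball is uploaded by the maintainer and can carry extra or altered files) can be checked mechanically. The script below is an added example, not Fedora's or the xz project's code: it hashes every file in both archives, strips the differing top-level directory names, and reports files that exist only in the release tarball, splitting them into an allowlist of autotools-generated files (an assumption; the real allowlist must be derived per project) and everything else, plus files missing from the release and files whose content differs. The two tarballs are constructed in memory with illustrative file names so the script runs offline; they are not the real xz file lists.

```python
"""Compare a git-tag archive against a maintainer-uploaded release tarball.

Added example (not Fedora's or xz's code). Fixtures are constructed in memory;
file names and the EXPECTED_GENERATED allowlist are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import io
import tarfile


def archive_contents(tar_bytes: bytes) -> dict[str, str]:
    """Map each regular file (top-level directory stripped) to its SHA-256."""
    contents: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Release tarballs and git archives use different top-level
            # directory names (e.g. project-1.0/ vs. project-v1.0/), so drop it.
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            contents[path] = hashlib.sha256(data).hexdigest()
    return contents


# Files that `make dist` legitimately adds and that are absent from git.
# Assumption for this example; derive the real list from the project's build.
EXPECTED_GENERATED = {"configure", "Makefile.in", "aclocal.m4", "config.h.in"}


def compare_archives(git_tar: bytes, release_tar: bytes,
                     expected_generated: set[str] = EXPECTED_GENERATED) -> dict[str, list[str]]:
    """Classify every difference between the git archive and the release tarball."""
    git = archive_contents(git_tar)
    rel = archive_contents(release_tar)
    only_in_release = set(rel) - set(git)
    return {
        # generated-by-autotools files: expected, but worth eyeballing
        "expected_generated": sorted(only_in_release & expected_generated),
        # anything else that exists only in the release tarball is a red flag
        "unexpected_in_release": sorted(only_in_release - expected_generated),
        # files in git but dropped from the release (e.g. .gitignore is normal)
        "missing_from_release": sorted(set(git) - set(rel)),
        # same path, different content: must be explained by the dist step
        "modified": sorted(p for p in set(git) & set(rel) if git[p] != rel[p]),
    }


def build_tar(top: str, files: dict[str, bytes]) -> bytes:
    """Build a gzip'ed tarball in memory (constructed test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=f"{top}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample trees (illustrative names, not the real xz contents).
GIT_FILES = {
    ".gitignore": b"*.o\n",
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/helper.m4": b"dnl helper macro\n",
    "src/demo.c": b"int main(void) { return 0; }\n",
}
RELEASE_FILES = {
    "configure.ac": GIT_FILES["configure.ac"],
    "configure": b"#! /bin/sh\n",
    "Makefile.in": b"all:\n",
    "m4/helper.m4": b"dnl helper macro\ndnl extra line not in git\n",
    "m4/extra.m4": b"dnl only present in the release tarball\n",
    "src/demo.c": GIT_FILES["src/demo.c"],
}


def demo() -> dict[str, list[str]]:
    """Run the comparison over the constructed fixtures."""
    return compare_archives(build_tar("demo-v1.0", GIT_FILES),
                            build_tar("demo-1.0", RELEASE_FILES))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

To run this against real inputs, replace the two `build_tar(...)` calls with the bytes of the GitHub tag archive and of the uploaded release tarball; anything under `unexpected_in_release` or `modified` that the project's `make dist` step cannot account for is what a packager should read before building.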
It would be interesting to study how SELinux would have reacted to such
kind of attack against sshd
On Fri, Mar 29, 2024 at 03:01:34PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:56:49 PM +00:00:00, Richard W.M. Jones
> wrote:
> >secalert are already well aware and have approved the update. Kevin
> >Fenzi, myself and others were working on it late last night :-(
>
> Sorry, I li
On Fri, Mar 29, 2024 at 07:44:12PM +0100, Mikel Olasagasti wrote:
> Hi,
>
> I'm seeing weird things.
>
> For whatever reason Source for xz was changed 2 months ago[1] to use
> GH releases instead of tukaani.org site.
>
> The XZ page[2] has a note stating:
>
> "Note: GitHub automatically include
Once upon a time, Richard W.M. Jones said:
> On Fri, Mar 29, 2024 at 07:44:12PM +0100, Mikel Olasagasti wrote:
> > Do we know if GH release tarballs are safe?
> > @richard, do you remember why you had to change the source for the tarball?
>
> Sadly the release tarballs we used *do* contain the vu
Mikel Olasagasti wrote:
> For whatever reason Source for xz was changed 2 months ago[1] to use
> GH releases instead of tukaani.org site.
The public key jia_tan_pubkey.txt did not change at the same time. It
was introduced on 2023-05-04 when the package was updated to version
5.4.3. Apparently the
Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 07:44:12 PM +01:00:00, Mikel Olasagasti
> wrote:
> > Do we know if GH release tarballs are safe?
>
> The tarballs generated by GitHub that just include the contents of the
> git repo should be safe (at least from this particular issue),
So it
On 29/03/2024 21.01, Richard W.M. Jones wrote:
On Fri, Mar 29, 2024 at 06:46:59PM +0000, Christopher Klooz wrote:
Yes, F40 beta is affected, along with rawhide, but not F38/F39.
https://discussion.fedoraproject.org/t/warning-malicious-code-in-current-pre-release-testing-versions-variants-f40-an
On Fri, Mar 29 2024 at 08:16:55 PM +00:00:00, Richard W.M. Jones
wrote:
These are the exact builds which were vulnerable. Note the tags are
all empty because Kevin untagged them last night, so you'll probably
need to cross-reference these with bodhi updates.
OK, I am going to ask Product Secu
Please add “Fedora ELN” as well. We have updates ready that should be
composed by midnight tonight, but it should be mentioned in the
announcements.
On Fri, Mar 29, 2024 at 5:11 PM Michael Catanzaro
wrote:
> On Fri, Mar 29 2024 at 08:16:55 PM +00:00:00, Richard W.M. Jones
> wrote:
> > These are
On Fri, Mar 29 2024 at 04:10:53 PM -05:00:00, Michael Catanzaro
wrote:
OK, I am going to ask Product Security to edit their blog post to
remove the incorrect information. I will CC you on that request.
Or maybe I should rephrase this as a "request for clarification,"
because maybe they know s
On Fri, Mar 29, 2024 at 04:46:54PM -0500, Michael Catanzaro wrote:
> On Fri, Mar 29 2024 at 04:10:53 PM -05:00:00, Michael Catanzaro
> wrote:
> >OK, I am going to ask Product Security to edit their blog post to
> >remove the incorrect information. I will CC you on that request.
>
> Or maybe I sho
There is a chance Fedora is not affected according to the following
analysis:
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Quoting:
=
If those conditions check, the payload is injected into the source tree. We
have not analyzed this payload in detail. Here are the main
Once upon a time, Richard W.M. Jones said:
> (1) We built 5.6.0 for Fedora 40 & 41. Jia Tan was very insistent in
> emails that we should update.
So this wasn't just a "hey, new upstream version", this was PUSHED on
distributions by the culprit. Are they a contributor to any other
software in t
More about this is now published on the Fedora Magazine as well in this
statement:
https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/
Thank you to all of our Fedora first responders who stopped something that
could have been much worse. We should feel proud here. As far as Fedora
Hi Jens,
Apologies for resurrecting an older thread here
On Thu, Feb 22, 2024 at 02:06:22PM +0800, Jens-Ulrik Petersen wrote:
> (Not sure if it makes sense to post to Discourse: Haskell library reviews
> are still a little bit "esoteric" since ghc uses some non-standard linking
> (ie various war
This might be a good place to start
https://gitlab.gnome.org/GNOME/nautilus/-/issues/1936