NPlease include all continuing conversations here regarding the new CVE.
Jyeah we need HWE, then bazzifin, then fresh ISOs
Jwe don't need to manually kick off 38's right? leave those to the cronjob?
Bi'm testing 38 now to know it's status for sure, but i think it was basically uneffected
Bplease start hwe 39 and 40 builds
RHWE cron should kick off in 15 minutes, so I think we can ignore HWE to prevent double builds.
Bluefin and Bazzote looks like about 1 hour after HWE, so we can trigger that after HWE scheduled builds?
Bluefin and Bazzote looks like about 1 hour after HWE, so we can trigger that after HWE scheduled builds?
JHow are you confirming you're on the right version
Jcan someone paste in the rpm -qa command or whatever so I can put it in the announcement?
Rbsherman ran
systemctl status rpm-ostree-fix-shadow-mode.service
Bsee my screeshot, it shows checking a status of a service which does the fix
Jsgtm to do bluefin right after hwe, the ISOs take like 30m so firing those off asap
Bright, this service does not exist before the fixed version
Jhttps://universal-blue.discourse.group/t/updates-needed-cve-2024-2905/1053 added this to the announcement with quick confirmation instructions
Bhmmm... we need to address this for ucore too
SSo for custom images based on ublue we just need to update and we'll get the fix right?
Byes, after your respective upstream is confirmed good
so far, only the ublue-os/*-main images are fixed, not the nvidia/asus/surface/framework or bluefin/bazzite
so far, only the ublue-os/*-main images are fixed, not the nvidia/asus/surface/framework or bluefin/bazzite
BI think i need to also update for ucore, but will do so after the desktop stuff is tested
SIf main is good it's the only I'm building atm, since my image is still a WiP I haven't introduced nvidia drivers yet. I triggered a build. Thanks you!
Bscheduled hwe builds are in progress... i'm monitoring ...
Band testing F40/F38 main builds locally for confirmation of fix
Bohhh! F40 main does NOT have the fixed rpm-ostree yet... so... an F39 upgraded to F40 doesn't yet have the fix
Noh boy.
Nshould we revise the CVE announcement?
Bhold for confirmation plz
BSo, this shows us the versions we should expect to contain the fix on respective releases: https://koji.fedoraproject.org/koji/packageinfo?packageID=18142
F38: rpm-ostree-2023.10-4.fc38
F39: rpm-ostree-2024.4-6.fc39
F40: rpm-ostree-2024.4-5.fc40
F38: rpm-ostree-2023.10-4.fc38
F39: rpm-ostree-2024.4-6.fc39
F40: rpm-ostree-2024.4-5.fc40
Bour current F40 build has
so yeah, it didn't make it yet...it looks like from the koji page it's still stuck in
so yeah, it didn't make it yet...it looks like from the koji page it's still stuck in
f40-updates-testingbut 39 is fine?
Jok rolling with bluefin then since hwe just finished
Jcan deal with 40 later, mostly want to get the ISOs refreshed for 38/39
Byes F39 is fine... and arguably the most important since thats where the problem occurred
Ban F38 user MUST have installed from an F38 ISO and thus never had the vuln, even though they don't have the fixed rpm-ostree package yet, they are not vulnerable
Ban F39 user who updates after all our builds are done today will be fine
Jok so really we don't need to rebuild the world, just F39 and ISOs
Byeah, but schedules are going to do most of it for us
JF40 will come whenever it comes out of testing so whatever.
Byou can push bluefin 39 out sooner though
Bit's still beta
Jyeah gonna get it outta the way since the ISOs take a while to build
Jyeah I don't care about 40
Bask me if i care 
Jyou're on 40 you live the cron lifestyle rn.
Nif you're on 40, you can fix it with the manual command I posted in the announcement.
Bfurther verification of F39 per koji and local testing:
Band confirmation that F38 images match expectations from koji
Bwith desktop stuff in a known state
i just queued builds for
i'll find out the status before updating the announcement
i just queued builds for
ucorei'll find out the status before updating the announcement
Balso, i don't know if it was mentioned here: but @Kyle Gospo stated that bazzite has build issues so those images are not getting updated now... but users can fix with the manual mitigation
Bucore:testing is failing for flavors w/ kmods... so i'm rebuilding ucore-kmods
J22/60 builders, we're looking good
Bi need ucore-kdmods:testing to finish... probably anothe 6 minutes, then i'll re-kick ucore:testing
DIs this CVE just that the permissions on the shadow files are too broad? It would seem someone needs local access to abuse it and get the hashes, right?
