I have been looking at the xz builds for Fedora to see whether my test containers are affected by CVE-2024-3094. It looks like the annocheck static analysis checker has detected the attack, e.g. build xz-5.6.0-2.fc40 has failed tests:
Command: annocheck --ignore-unknown --verbose --profile=rawhide /usr/lib64/liblzma.so.5.6.0
Exit Code: 1
...
Hardened: /usr/lib64/liblzma.so.5.6.0: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
Hardened: /usr/lib64/liblzma.so.5.6.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: dynamic-tags test because AArch64 specific
Hardened: /usr/lib64/liblzma.so.5.6.0: PASS: fast test
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: fortify test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: If real assembler source code is used it may need updating to support the tested feature
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: and it definitely needs updating to add notes about its security protections.
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
...
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: warnings test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: Overall: FAIL.
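The annocheck output above is easy to eyeball for one library, but when scanning a batch of builds it helps to turn the per-test lines into a structured report and pull out the two signals this comment relies on: the hard FAIL on cf-protection, and the tests annocheck skipped because it found no compiler-generated annobin notes ("sources compiled as if they were assembler"), which for a library built from C means object code that did not pass through the expected compiler hardening flags. The following script is an added example, not code from the comment author or from the annobin project; the sample input is the annocheck output quoted above (the elided "..." portions omitted), and the line format it parses ("Tool: path: STATUS: message") is assumed from those lines.

```python
import re
import sys
from dataclasses import dataclass, field

# Sample input: the annocheck lines quoted in the comment above, embedded so
# the script runs offline. The "..." portions of the original are omitted.
SAMPLE_OUTPUT = """\
Hardened: /usr/lib64/liblzma.so.5.6.0: FAIL: cf-protection test because .note.gnu.property section did not contain the necessary flags
Hardened: /usr/lib64/liblzma.so.5.6.0: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: dynamic-tags test because AArch64 specific
Hardened: /usr/lib64/liblzma.so.5.6.0: PASS: fast test
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: fortify test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: If real assembler source code is used it may need updating to support the tested feature
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: and it definitely needs updating to add notes about its security protections.
Hardened: /usr/lib64/liblzma.so.5.6.0: WARN: For more details see https://sourceware.org/annobin/annobin.html/Absence-of-compiled-code.html
Hardened: /usr/lib64/liblzma.so.5.6.0: skip: warnings test because sources compiled as if they were assembler are not checked by this test
Hardened: /usr/lib64/liblzma.so.5.6.0: Overall: FAIL.
"""

# "Tool: <path>: <STATUS>: <message>" (format assumed from the lines above).
LINE_RE = re.compile(
    r"^(?P<tool>[A-Za-z]+): (?P<path>.+?): "
    r"(?P<status>FAIL|PASS|WARN|MAYB|skip|info|Overall): (?P<message>.*)$"
)
# "<test-name> test", optionally followed by "because <reason>".
TEST_RE = re.compile(r"^(?P<test>[A-Za-z0-9_-]+) test(?: because (?P<reason>.*))?$")
# Reason annocheck gives when it finds no compiler-generated annobin notes.
ASSEMBLER_REASON = "sources compiled as if they were assembler"


@dataclass
class BinaryReport:
    path: str
    failed: dict = field(default_factory=dict)   # test name -> reason
    passed: set = field(default_factory=set)
    skipped: dict = field(default_factory=dict)  # test name -> reason
    overall: str = "UNKNOWN"

    def assembler_skips(self) -> set:
        """Tests skipped because the object code carried no compiler notes."""
        return {t for t, r in self.skipped.items() if ASSEMBLER_REASON in r}


def parse_annocheck(text: str) -> dict:
    """Group annocheck lines per checked file into BinaryReport objects."""
    reports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "...", blank lines or unrelated output
        rep = reports.setdefault(m["path"], BinaryReport(m["path"]))
        status, message = m["status"], m["message"]
        if status == "Overall":
            rep.overall = message.rstrip(".")
            continue
        t = TEST_RE.match(message)
        if not t:
            continue  # info/WARN free-text lines carry no test name
        test, reason = t["test"], t["reason"] or ""
        if status == "FAIL":
            rep.failed[test] = reason
        elif status == "PASS":
            rep.passed.add(test)
        elif status == "skip":
            rep.skipped[test] = reason
    return reports


def triage(rep: BinaryReport) -> list:
    """Human-readable findings worth a second look for one binary."""
    notes = []
    for test, reason in sorted(rep.failed.items()):
        notes.append(f"{rep.path}: {test} FAILED ({reason})")
    asm = rep.assembler_skips()
    if asm:
        notes.append(
            f"{rep.path}: no compiler-generated annobin notes found "
            f"(tests skipped: {', '.join(sorted(asm))}); for a C library this "
            "means object code that did not go through the expected build flags"
        )
    if rep.overall == "FAIL" and not notes:
        notes.append(f"{rep.path}: overall FAIL without a named failing test")
    return notes


if __name__ == "__main__":
    # Pipe real output in with "annocheck --verbose ... | python3 script.py -",
    # otherwise the embedded sample is used.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    for report in parse_annocheck(text).values():
        for note in triage(report):
            print(note)
```

The two signals are deliberately reported separately: a cf-protection FAIL alone can be an ordinary packaging gap, but combined with annocheck seeing no compiler notes at all in a library that is built from C, the build deserves a look at where its object code actually came from.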
This update has been unpushed.
This update has been unpushed.
Let's retract this update. We need to update PyOpenSSL and investigate + fix several other packages that may have a bad upper limit.
update.install_default_update_live test is failing. It complains that the installed version (41.0.7-1) is older than the updated version on the live system. I'm waiting for the QA team to assess the situation.
Dependency problems with repos:
nothing provides (python3.12dist(cryptography) < 41~~ with python3.12dist(cryptography) >= 38) needed by python3-pyOpenSSL-23.1.1-3.fc39.noarch
nothing provides (python3.12dist(cryptography) < 41~~ with python3.12dist(cryptography) >= 38) needed by python3-pyOpenSSL-23.1.1-3.fc39.noarch
nothing provides (python3dist(cryptography) >= 40 with python3dist(cryptography) < 40.1) needed by pgadmin4-7.0-1.fc39.x86_64
nothing provides (python3dist(cryptography) >= 40 with python3dist(cryptography) < 40.1) needed by pgadmin4-7.0-1.fc39.x86_64
nothing provides crate(asn1) = 0.13.0 needed by rust-asn1+const-generics-devel-0.13.0-2.fc39.noarch
nothing provides crate(asn1) = 0.13.0 needed by rust-asn1+const-generics-devel-0.13.0-2.fc39.noarch
My fix was merged into Dogtag upstream.
Simon, could you please talk to your collaborators from upstream and ensure that python-ldap does not remove features in patch releases with important updates?
Adam made me give this update Karma.
Everybody, please give NEGATIVE Karma to this update request.
cryptography 35.0.0 is causing a breaking change with FreeIPA. I'm unable to retract the update although I created it. I assume it's related to @zbyszek's push and submission.
cryptography 35.0.0 is also causing issues with FreeIPA and Certmonger.
@kevin Could you please build python-jwt-2.1.0-3.fc35? I'll add the build to this update.
I asked upstream to drop or at least relax the upper bound, https://github.com/GehirnInc/python-jwt/issues/46 . It doesn't make sense with the new version scheme.
The issue is fixed by jwt upstream commit https://github.com/GehirnInc/python-jwt/pull/45 and release 1.3.0.
Python 3.10b2 works as expected. _decimal.cpython-310-x86_64-linux-gnu.so is linked against libmpdec.so.3.
Thanks Adam!
I have created https://src.fedoraproject.org/rpms/389-ds-base/pull-request/13 with backport of rawhide patch and with correct patching of DNA plugin.
I made a mistake and forgot to hook up autosetup for F33 branch: https://src.fedoraproject.org/rpms/389-ds-base/pull-request/12
The update hasn't reached all mirrors yet. I worked around the problem by installing from Koji:
dnf install -y https://kojipkgs.fedoraproject.org//packages/mock-core-configs/34.1/1.fc33/noarch/mock-core-configs-34.1-1.fc33.noarch.rpm https://kojipkgs.fedoraproject.org//packages/distribution-gpg-keys/1.48/1.fc33/noarch/distribution-gpg-keys-1.48-1.fc33.noarch.rpm
If you are looking for more information, please check out Richard W.M. Jones' emails on the Fedora devel list, xz backdoor, xz backdoor