Closed travier closed 2 years ago
To clarify, AFAICT this patch is already applied on f34 and f35, and this PR is also adding it on rawhide (not sure why it wasn't done there before and then propagated down).
f35 build with patch is already in bodhi and being pushed to stable: https://bodhi.fedoraproject.org/updates/FEDORA-2022-da040e6b94
We were going to do an ad-hoc release soon anyway to unpin the kernel, so we can bundle this too.
To clarify, AFAICT this patch is already applied on f34 and f35, and this PR is also adding it on rawhide (not sure why it wasn't done there before and then propagated down).
Oh, indeed. I was wondering why this had not been done yet. This makes sense now.
The fix for this went into next
stream release 35.20220116.1.1
. Please try out the new release and report issues.
The fix for this went into testing
stream release 35.20220116.2.1
. Please try out the new release and report issues.
The fix for this went into stable stream release 35.20220116.3.0
.
CVE-2021-45469 kernel: out-of-bounds memory access in __f2fs_setxattr() in fs/f2fs/xattr.c when an inode has an invalid last xattr entry
See:
CVE-2021-4034: pwnkit: Local Privilege Escalation in polkit's pkexec
Describe the bug
Link to the advisory: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt RHSA: https://access.redhat.com/security/vulnerabilities/RHSB-2022-001 Upstream fix: https://gitlab.freedesktop.org/polkit/polkit/-/commit/a2bf5c9c83b6ae46cbd5c779d3055bff81ded683 Not fixed in Fedora yet: https://src.fedoraproject.org/rpms/polkit
Mitigation
Potential mitigation until a package update is released in Fedora:
user_u
SELinux user