After installing this grub2 version, running "grub2-install /dev/sda", and "grub2-mkconfig -o /boot/grub2/grub.conf" (on a BIOS machine), then installing a new kernel, the boot options "rhgb quiet" were used upon booting it even though I had removed them from /etc/default/grub. This only happens with the latest kernel installed after grub2, the older kernels omit "rhgb quiet" as expected. Anyone else seeing this?

Sorry. I checked a box which added the "Security" keyword, then was unable to remove it to make it public. I finally just closed it as "NOTABUG" since this package was not in fact vulnerable (and you've submitted a new build for F35 as well).

@gotmax23 : Please see my comments in https://bodhi.fedoraproject.org/updates/FEDORA-2022-9986fbb3d7 concerning the possible failure to fix this CVE in the F36 version (since snapd-2.56.2-1.fc36 was pushed to stable before being replaced by snapd-2.55.3-2.fc36, and most people on stable releases don't check for downgrades).

@gotmax23 : I noticed that you just did a Koji build for snapd-2.56.2-2.fc35 to fix a CVE. Currently most F36 users probably also have snapd-2.56.2 since it was pushed to stable before being replaced with a lower version which fixes the CVEs (see #2105619 ). Can you check the F36 version and do a build for that also if necessary? Thanks.

I filed #2105619 for checking if the newer version is vulnerable.

From #fedora-admin :

<nirik> robatino: it's because the older one was in the go rebuild update and went stable after that one. ;( https://bodhi.fedoraproject.org/updates/FEDORA-2022-fae3ecee19

<robatino> thanks. is it fixable without another update?

<robatino> i guess most people don't run distro-sync and won't notice

<nirik> well, I could fix the tagging, but... is that newer version also fixed for the CVE that the rebuild was done for?

<robatino> i do it once in a while for QA since these things happen

<robatino> no idea

<nirik> ie, it might need another rebuild now...

<nirik> go is all static, so I guess it depends on where the fix is...

The 2.55.3-2.fc36 packages can be seen in https://dl.fedoraproject.org/pub/fedora/linux/updates/36/Everything/x86_64/Packages/s/ . The corresponding directory for F35 has the correct 2.56.2-1.fc35 packages.

On F36 I have these packages installed as of June 29, but "dnf distro-sync" wants to downgrade snap-confine, snapd and snapd-selinux to 2.55.3-2.fc36, which is not even in Bodhi. I see nothing in Bugzilla.

bump

In fact, I checked 3 of my machines with the same F36 kernels installed and all 3 are basically the same - the initramfs size jumped from 5.17.13 to 5.17.14 and then only increased slightly in 5.18.4.

Here's my initramfs sizes. For some reason it jumped between the two 5.17 kernels and stayed about the same with 5.18.

-rw-------. 1 root root 21M Jun 9 13:57 /boot/initramfs-5.17.13-300.fc36.x86_64.img -rw-------. 1 root root 33M Jun 14 22:48 /boot/initramfs-5.17.14-300.fc36.x86_64.img -rw-------. 1 root root 34M Jun 16 16:47 /boot/initramfs-5.18.4-201.fc36.x86_64.img