Comments
robatino
provided feedback
on firefox-104.0.2-1.fc36
9 months ago
Both the previous version and this one just say "Loading ..." without ever showing the weather. Filed #2124018. (Also needs to be compatible with GNOME 43 when it gets out of Beta.)
Posted comment in #2113883.
After installing this grub2 version, running "grub2-install /dev/sda", and "grub2-mkconfig -o /boot/grub2/grub.conf" (on a BIOS machine), then installing a new kernel, the boot options "rhgb quiet" were used upon booting it even though I had removed them from /etc/default/grub. This only happens with the latest kernel installed after grub2, the older kernels omit "rhgb quiet" as expected. Anyone else seeing this?
Sorry. I checked a box which added the "Security" keyword, then was unable to remove it to make it public. I finally just closed it as "NOTABUG" since this package was not in fact vulnerable (and you've submitted a new build for F35 as well).
@gotmax23 : Please see my comments in https://bodhi.fedoraproject.org/updates/FEDORA-2022-9986fbb3d7 concerning the possible failure to fix this CVE in the F36 version (since snapd-2.56.2-1.fc36 was pushed to stable before being replaced by snapd-2.55.3-2.fc36, and most people on stable releases don't check for downgrades).
@gotmax23 : I noticed that you just did a Koji build for snapd-2.56.2-2.fc35 to fix a CVE. Currently most F36 users probably also have snapd-2.56.2 since it was pushed to stable before being replaced with a lower version which fixes the CVEs (see #2105619 ). Can you check the F36 version and do a build for that also if necessary? Thanks.
I filed #2105619 for checking if the newer version is vulnerable.
From #fedora-admin :
<nirik> robatino: it's because the older one was in the go rebuild update and went stable after that one. ;( https://bodhi.fedoraproject.org/updates/FEDORA-2022-fae3ecee19
<robatino> thanks. is it fixable without another update?
<robatino> i guess most people don't run distro-sync and won't notice
<nirik> well, I could fix the tagging, but... is that newer version also fixed for the CVE that the rebuild was done for?
<robatino> i do it once in a while for QA since these things happen
<robatino> no idea
<nirik> ie, it might need another rebuild now...
<nirik> go is all static, so I guess it depends on where the fix is...