This update has been submitted for testing by bboozzoo.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.
On F36 I have these packages installed as of June 29, but "dnf distro-sync" wants to downgrade snap-confine, snapd and snapd-selinux to 2.55.3-2.fc36, which is not even in Bodhi. I see nothing in Bugzilla.
The 2.55.3-2.fc36 packages can be seen in https://dl.fedoraproject.org/pub/fedora/linux/updates/36/Everything/x86_64/Packages/s/ . The corresponding directory for F35 has the correct 2.56.2-1.fc35 packages.
From #fedora-admin :
<nirik> robatino: it's because the older one was in the go rebuild update and went stable after that one. ;( https://bodhi.fedoraproject.org/updates/FEDORA-2022-fae3ecee19
<robatino> thanks. is it fixable without another update?
<robatino> i guess most people don't run distro-sync and won't notice
<nirik> well, I could fix the tagging, but... is that newer version also fixed for the CVE that the rebuild was done for?
<robatino> i do it once in a while for QA since these things happen
<robatino> no idea
<nirik> ie, it might need another rebuild now...
<nirik> go is all static, so I guess it depends on where the fix is...
I filed #2105619 for checking if the newer version is vulnerable.
I can not see #2105619. It looks like you made it private.
Sorry. I checked a box which added the "Security" keyword, then was unable to remove it to make it public. I finally just closed it as "NOTABUG" since this package was not in fact vulnerable (and you've submitted a new build for F35 as well).