stable

glibc-2.40-14.fc41

FEDORA-2024-846e191001 created by fweimer 4 months ago for Fedora 41

This update addresses a security vulnerability in the getrandom and arc4random implementation (CVE-2024-12455) on POWER systems (ppc64le). Other architectures are not affected.

Reboot Required
After installing this update it is required that you reboot your system to ensure the changes supplied by this update are applied properly.

How to install

Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:

sudo dnf upgrade --refresh --advisory=FEDORA-2024-846e191001

This update has been submitted for testing by fweimer.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'failed'.

4 months ago
markec provided feedback 4 months ago
adamwill commented & provided feedback 4 months ago

This build is wrongly versioned. The current stable is 2.40-12.fc41. That's why all the openQA tests failed.

[adamw@xps13a openQA-python-client (main %)]$ koji list-history --utc --tag=f41-updates --package=glibc | grep "tagged into"
Sat Nov  2 00:14:33 2024 glibc-2.40-9.fc41 tagged into f41-updates by bodhi [still active]
Thu Nov 14 00:14:53 2024 glibc-2.40-11.fc41 tagged into f41-updates by bodhi [still active]
Mon Nov 25 00:14:53 2024 glibc-2.40-12.fc41 tagged into f41-updates by bodhi [still active]
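
The version check behind this comment, as an added example (not code from Bodhi, koji or the commenters): it parses the koji history quoted above and rejects a candidate build that is not newer than the latest tagged build. The comparison is a simplified form of RPM's segment ordering that ignores epochs and the `~`/`^` modifiers, and all function names are hypothetical.

```python
import re
from functools import cmp_to_key

# Output of `koji list-history` as quoted in the comment above.
KOJI_HISTORY = """\
Sat Nov  2 00:14:33 2024 glibc-2.40-9.fc41 tagged into f41-updates by bodhi [still active]
Thu Nov 14 00:14:53 2024 glibc-2.40-11.fc41 tagged into f41-updates by bodhi [still active]
Mon Nov 25 00:14:53 2024 glibc-2.40-12.fc41 tagged into f41-updates by bodhi [still active]
"""

def seg_cmp(a, b):
    """Compare two version or release strings segment by segment, RPM style."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def nvr_cmp(a, b):
    """Compare name-version-release strings of the same package (no epoch)."""
    (na, va, ra), (nb, vb, rb) = a.rsplit("-", 2), b.rsplit("-", 2)
    if na != nb:
        raise ValueError(f"different packages: {na} vs {nb}")
    return seg_cmp(va, vb) or seg_cmp(ra, rb)

def latest_tagged(history):
    """Return the newest NVR among the 'tagged into' lines of the history."""
    nvrs = re.findall(r"(\S+) tagged into \S+", history)
    return max(nvrs, key=cmp_to_key(nvr_cmp))

def check_candidate(candidate, history):
    """Return (ok, latest): ok is True only if candidate is newer than latest."""
    latest = latest_tagged(history)
    return nvr_cmp(candidate, latest) > 0, latest

if __name__ == "__main__":
    for nvr in ("glibc-2.40-10.fc41", "glibc-2.40-13.fc41"):
        ok, latest = check_candidate(nvr, KOJI_HISTORY)
        print(f"{nvr}: {'ok' if ok else 'NOT newer than ' + latest}")
```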

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

4 months ago

@adamwill The correct build is glibc-2.40-13.fc41 and contains the fix for CVE-2024-12455, so I think that the mistake is that we attached an old build.

@codonell, you still have a few hours to correct that before the next compose.

Ugh, looks like I submitted an older build by mistake without checking NVR. Not sure what happened to the -13 build.

@adamwill @bojan Thanks, Florian and I discussed. I've got the baton to get this sorted shortly and update the errata.

markec provided feedback 4 months ago

Build is complete and I verified the testing results: https://koji.fedoraproject.org/koji/taskinfo?taskID=126767216 So we have a glibc-2.40-13.fc41 ready, but the update is currently locked so I can't change it.

You can just submit it as a new update, it should obsolete this one.

nixuser commented & provided feedback 4 months ago

FWIW I DLed glibc-2.40-13.fc41 off koji and the system is working fine after a reboot.

This update has been pushed to testing.

4 months ago

adamwill edited this update.

New build(s):

  • glibc-2.40-13.fc41

Removed build(s):

  • glibc-2.40-10.fc41

Karma has been reset.

4 months ago

This update has been submitted for testing by adamwill.

4 months ago

I edited in the correct build.

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'passed'.

4 months ago
markec provided feedback 4 months ago

codonell edited this update.

4 months ago

This update has been pushed to testing.

4 months ago

This update's test gating status has been changed to 'failed'.

4 months ago
besser82 commented & provided feedback 4 months ago

Works great! LGTM! =)

bojan commented & provided feedback 4 months ago

Works here.

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'failed'.

4 months ago
filiperosset commented & provided feedback 4 months ago

works for me

filiperosset commented & provided feedback 4 months ago

works for me

fweimer edited this update.

New build(s):

  • glibc-2.40-14.fc41

Removed build(s):

  • glibc-2.40-13.fc41

Karma has been reset.

4 months ago

This update has been submitted for testing by fweimer.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'passed'.

4 months ago

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'passed'.

4 months ago
fweimer commented & provided feedback 4 months ago

This update has been pushed to testing.

4 months ago

This update's test gating status has been changed to 'failed'.

4 months ago
bojan commented & provided feedback 4 months ago

Still works here. Admittedly, x86_64 across the board (i.e. no PPC64).

markec provided feedback 4 months ago
fweimer commented & provided feedback 4 months ago

I re-reported the rpminspect segfault here: https://gitlab.com/testing-farm/general/-/issues/94

I'm going to waive the failure, hoping that it's unrelated to the present builds.

This update's test gating status has been changed to 'waiting'.

4 months ago

This update's test gating status has been changed to 'passed'.

4 months ago

This update has been submitted for stable by fweimer.

4 months ago
adamwill commented & provided feedback 4 months ago

Note this little sequence of events:

This update's test gating status has been changed to 'passed'.
5 days ago
This update has been pushed to testing.
4 days ago

This update's test gating status has been changed to 'failed'.
4 days ago

indicates that glibc has a per-package gating policy with different requirements for testing vs. stable. Unfortunately, Bodhi internally doesn't handle this very well. It mostly only considers an update to have a single "gating status" at a time. The status was shown as 'passed' while the update was pending push to testing (as the requirements for testing push were met), then flipped to 'failed' as soon as it reached testing (as the requirements for push to stable were not met).

It should really track the gating statuses for push-to-testing and push-to-stable separately, and display them more clearly, and enforce them correctly. I think right now this situation creates a 'loophole' where you could actually have successfully pushed the update stable before it made it to testing. Also, I'm not sure the push-to-testing policy is ever actually applied.

https://github.com/fedora-infra/bodhi/issues/5660 tracks this stuff. Just something to be aware of...

fweimer commented & provided feedback 4 months ago

“indicates that glibc has a per-package gating policy with different requirements for testing vs. stable”

I'm not sure this is intentional. Do we need to add more items here?

decision_contexts:
  - bodhi_update_push_stable
  - bodhi_update_push_stable_critpath

Is this the reason why this update appears stuck?

This update has been pushed to stable.

4 months ago


Metadata
Type: security
Severity: medium
Karma: 2
Signed
Content Type: RPM
Test Gating
Autopush Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 4 months ago
in testing: 4 months ago
in stable: 4 months ago
modified: 4 months ago
BZ#2332112 CVE-2024-12455 glibc: glibc in Fedora 41 ships a broken getrandom/arc4random for ppc64le platform [fedora-41]