This update addresses a security vulnerability in the getrandom and arc4random implementation (CVE-2024-12455) on POWER systems (ppc64le). Other architectures are not affected.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2024-846e191001
This update has been submitted for testing by fweimer.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'failed'.
This build is wrongly versioned. The current stable is 2.40-12.fc41. That's why all the openQA tests failed.
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
@adamwill The correct build is glibc-2.40-13.fc41 and contains the fix for CVE-2024-12455, so I think that the mistake is that we attached an old build.
@codonell, you still have a few hours to correct that before the next compose.
Ugh, looks like I submitted an older build by mistake without checking NVR. Not sure what happened to the -13 build.
@adamwill @bojan Thanks, Florian and I discussed. I've got the baton to get this sorted shortly and update the errata.
Build is complete and I verified the testing results: https://koji.fedoraproject.org/koji/taskinfo?taskID=126767216 So we have a glibc-2.40-13.fc41 ready, but the update is currently locked so I can't change it.
You can just submit it as a new update, it should obsolete this one.
FWIW I DLed glibc-2.40-13.fc41 off koji and the system is working fine after a reboot.
This update has been pushed to testing.
adamwill edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by adamwill.
I edited in the correct build.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
codonell edited this update.
This update has been pushed to testing.
This update's test gating status has been changed to 'failed'.
Works great! LGTM! =)
Works here.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'failed'.
works for me
works for me
fweimer edited this update.
New build(s):
Removed build(s):
Karma has been reset.
This update has been submitted for testing by fweimer.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
I filed the rpminspect crash as:
This update has been pushed to testing.
This update's test gating status has been changed to 'failed'.
Still works here. Admittedly, x86_64 across the board (i.e. no PPC64).
I re-reported the rpminspect segfault here: https://gitlab.com/testing-farm/general/-/issues/94
I'm going to waive the failure, hoping that it's unrelated to the present builds.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been submitted for stable by fweimer.
Note this little sequence of events:
indicates that glibc has a per-package gating policy with different requirements for testing vs. stable. Unfortunately, Bodhi internally doesn't handle this very well. It mostly only considers an update to have a single "gating status" at a time. The status was shown as 'passed' while the update was pending push to testing (as the requirements for testing push were met), then flipped to 'failed' as soon as it reached testing (as the requirements for push to stable were not met).
It should really track the gating statuses for push-to-testing and push-to-stable separately, and display them more clearly, and enforce them correctly. I think right now this situation creates a 'loophole' where you could actually have successfully pushed the update stable before it made it to testing. Also, I'm not sure the push-to-testing policy is ever actually applied.
https://github.com/fedora-infra/bodhi/issues/5660 tracks this stuff. Just something to be aware of...
“indicates that glibc has a per-package gating policy with different requirements for testing vs. stable”
I'm not sure this is intentional. Do we need to add more items here?
Is this the reason why this update appears stuck?
This update has been pushed to stable.