[EPEL-devel] What to do about an incompatible update I approved
Hello all,

It has been pointed out to me that I pushed out an update of a package to EPEL that did not follow the incompatible upgrades policy:

https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/

That's because I wasn't aware of the policy until it was pointed out to me (or possibly I had seen it once and had forgotten).

The incompatible change to the "apptainer" package that was pushed to stable 3 weeks ago moved the setuid-root portion to another package called "apptainer-suid", which does not get installed by default. The remaining package can run non-setuid for most important operations, but only if unprivileged user namespaces are enabled. This most affects EPEL7 because unprivileged user namespaces are not enabled by default. So the upgrade forces admins who haven't enabled them to either enable them or install the extra package.

This was done intentionally because of the inherent risks associated with setuid programs, especially the fact that the things that this program does with setuid (mounting filesystems implemented in the kernel although the raw files are writable by users) is something that kernel developers say should never be allowed for unprivileged users (https://lwn.net/Articles/652468/). On the other hand there aren't any known published exploits (anybody know a good squashfs or ext3/4 filesystem developer who could find one?).

So the question is, what should be done about it since I didn't follow the procedure before the release 3 weeks ago?

On a related note, I maintain golang in EPEL7 too, and every time that RHEL8 upgrades to a new minor golang version number 1.X I do the same for EPEL7. I expect that could be considered an incompatible update too, although every time that's done there's a ton of CVEs that go along with them so it's much easier to argue that the exceptions in the incompatible upgrade policy apply. The question is, am I supposed to go through the whole process every time?
Dave

___
epel-devel mailing list -- epel-devel@lists.fedoraproject.org
To unsubscribe send an email to epel-devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[EPEL-devel] EPEL7 repo error for distribution-gpg-keys?
On a server I don't use very often, I am trying to update mock-core-configs with yum and I am seeing:

    Resolving Dependencies
    --> Running transaction check
    ---> Package mock-core-configs.noarch 0:36.9-1.el7 will be updated
    ---> Package mock-core-configs.noarch 0:36.13-1.el7 will be an update
    --> Processing Dependency: distribution-gpg-keys >= 1.77 for package: mock-core-configs-36.13-1.el7.noarch
    --> Finished Dependency Resolution
    Error: Package: mock-core-configs-36.13-1.el7.noarch (epel-unverified)
               Requires: distribution-gpg-keys >= 1.77
               Installed: distribution-gpg-keys-1.75-1.el7.noarch (@epel-unverified)
                   distribution-gpg-keys = 1.75-1.el7
     You could try using --skip-broken to work around the problem
     You could try running: rpm -Va --nofiles --nodigest

On another server I regularly use and update I have distribution-gpg-keys-1.77-1.el7.noarch which I updated to a while back, so it appears that the updated package has been removed? Obviously this then breaks updating mock-core-configs.

If distribution-gpg-keys-1.77-1.el7.noarch was a bad release, perhaps 1.75 should be bumped to a later version so it gets installed over 1.77 rather than just removing the package?

Regards,
Nick
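As an added illustration (not code from the thread, from yum or from rpm), here is a small Python model of how rpm orders epoch:version-release strings and how a "Requires: pkg >= 1.77" is resolved against what a repository offers; run with the thread's version numbers it reproduces the failure above and shows why a rebuilt 1.75 would still lose to 1.77 while an epoch bump would not. The caret ('^') rule is left out and a missing epoch is treated as 0.

```python
import re
from functools import cmp_to_key
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")   # rpm tokens; '^' handling omitted here

def rpmvercmp(a, b):
    """Compare two rpm version/release strings as rpm does; returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    while sa or sb:
        x = sa.pop(0) if sa else None
        y = sb.pop(0) if sb else None
        if x == "~" or y == "~":          # '~' sorts before anything, even end of string
            if x == y:
                continue
            return 1 if y == "~" else -1
        if x is None or y is None:        # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():  # a numeric segment beats an alphabetic one
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0

def parse_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_compare(a, b):
    """Order two EVRs as rpm does: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return (ea > eb) - (ea < eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def satisfies(installed, required):
    """Model 'Requires: pkg >= required'; release is only compared if the requirement has one."""
    ei, vi, ri = parse_evr(installed)
    er, vr, rr = parse_evr(required)
    c = (ei > er) - (ei < er) or rpmvercmp(vi, vr) or (rpmvercmp(ri, rr) if rr else 0)
    return c >= 0

def resolve(candidates, required="1.77"):
    """Newest candidate satisfying 'pkg >= required' (default: the thread's >= 1.77), else None."""
    ok = [c for c in candidates if satisfies(c, required)]
    return max(ok, key=cmp_to_key(evr_compare)) if ok else None
```

With only "1.75-1.el7" in the repository, resolve() returns None, which is the yum error above; offering "1.77-1.el7" as well resolves it.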
[EPEL-devel] Fedora EPEL 7 updates-testing report
The following Fedora EPEL 7 Security updates need testing:

 Age  URL
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-473e5052db   ckeditor-4.20.0-1.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-576e858e93   php-Smarty-3.1.47-1.el7
   3  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-22e6871166   drupal7-7.92-1.el7
   0  https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-42745d5b54   wordpress-5.1.15-1.el7

The following builds have been pushed to Fedora EPEL 7 updates-testing

    jhead-3.06.0.1-5.el7

Details about builds:

 jhead-3.06.0.1-5.el7 (FEDORA-EPEL-2022-204b242845)
 Tool for displaying EXIF data embedded in JPEG images

Update Information:

added patches to fix CVE-2022-41751

ChangeLog:

* Tue Oct 18 2022 Adrian Reber - 3.06.0.1-5
- added patches to fix CVE-2022-41751
* Thu Jul 21 2022 Fedora Release Engineering - 3.06.0.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Jan 20 2022 Fedora Release Engineering - 3.06.0.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering - 3.06.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Wed Apr 14 2021 Adrian Reber - 3.06.0.1-1
- updated to 3.06.0.1
* Tue Jan 26 2021 Fedora Release Engineering - 3.04-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jul 28 2020 Fedora Release Engineering - 3.04-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Wed Jan 29 2020 Fedora Release Engineering - 3.04-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

References:

  [ 1 ] Bug #2135593 - CVE-2022-41751 jhead: arbitrary OS commands by placing them in a JPEG filename [epel-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2135593