[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-30 Thread Dave Dykstra via epel-devel
> > the > > > > --userns option, as well as the original option? > > > > Then for epel7 the rpm's would have the original option turned off, but > > > for > > > > epel8 and 9 the option could be there and update wouldn't be a breaking > > >

[EPEL-devel] Update of minor version of golang-1.19 coming to EPEL7

2023-05-30 Thread Dave Dykstra via epel-devel
golang-1.19.6 is now available in epel-testing for EPEL7, an update of a minor version from 1.18.9. I expect it to be promoted in about a week unless karma changes that. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-ba899b9717 My policy for updating golang in EPEL7 is to follow

[EPEL-devel] Re: Update of minor version of golang-1.19 coming to EPEL7

2023-05-30 Thread Dave Dykstra via epel-devel
I posted the below a couple of weeks ago but I don't think it ever came through. 1.9.6 is now in EPEL7's stable epel repository. Another new update 1.9.9 is now in EPEL7's epel-testing, since RHEL8 did another update due to a high severity vulnerability.

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-19 Thread Dave Dykstra via epel-devel
tem. > > > > > > > > Dave > > > > > > > > On Mon, May 08, 2023 at 06:47:04AM -0700, Troy Dawson wrote: > > > > > That makes it more clear for epel7. > > > > > But it will be strange for epel7 to have a higher version than

[EPEL-devel] Re: Incompatible change in apptainer-suid-1.1.8 now in epel-testing

2023-05-15 Thread Dave Dykstra via epel-devel
This change has now been approved by the EPEL Steering Committee and requested to be pushed to stable. I expect it to be in stable sometime tomorrow. Dave On Wed, Apr 26, 2023 at 01:07:32PM -0500, Dave Dykstra wrote: > The apptainer-suid package version 1.1.8 now in epel-testing has an >

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-11 Thread Dave Dykstra via epel-devel
uld have the original option turned off, but > > for > > > epel8 and 9 the option could be there and update wouldn't be a breaking > > > update. > > > > > > That would allow users that have machines on RHEL 7,8 and 9 to use the > > same >

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-08 Thread Dave Dykstra via epel-devel
chines on RHEL 7,8 and 9 to use the same > version and secure options. > Users that only have machines on RHEL 8 and 9, would then have the option > to move to the more secure option when the time is good for them. > > Troy > > On Fri, May 5, 2023 at 3:30 PM Dave Dykstra via

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-05 Thread Dave Dykstra via epel-devel
ess already gives privilege > escalation in much easier ways. I said that that's probably why they only > counted it as denial of service since that was the only thing new. > > Dave > > On Thu, May 04, 2023 at 02:14:08PM +0100, David Trudgian wrote: > > Dave, > >

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-04 Thread Dave Dykstra via epel-devel
g new. Dave On Thu, May 04, 2023 at 02:14:08PM +0100, David Trudgian wrote: > Dave, > > On Wed, May 3, 2023, at 10:31 PM, Dave Dykstra via epel-devel wrote: > > On Wed, May 03, 2023 at 02:59:42PM -0500, Carl George wrote: > > > On Thu, Apr 27, 2023 at 10:20

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-03 Thread Dave Dykstra via epel-devel
On Wed, May 03, 2023 at 02:48:05PM -0500, Carl George wrote: > On Thu, Apr 27, 2023 at 9:42 AM Dave Dykstra via epel-devel > wrote: > > > > We believe that it is important to apply this change to all EPEL releases, > > for these reasons: > > 1. The general vulne

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-05-03 Thread Dave Dykstra via epel-devel
On Wed, May 03, 2023 at 02:59:42PM -0500, Carl George wrote: > On Thu, Apr 27, 2023 at 10:20 AM Dave Dykstra via epel-devel > wrote: > > > > On Thu, Apr 27, 2023 at 02:11:46AM -0500, Carl George wrote: ... > > > The Red Hat CVSS score for CVE-2022-1184 has the same brea

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-04-27 Thread Dave Dykstra via epel-devel
On Thu, Apr 27, 2023 at 12:00:47PM +0100, David Trudgian wrote: > On Thu, Apr 27, 2023, at 8:11 AM, Carl George wrote: > > The Red Hat CVSS score for CVE-2022-1184 has the same breakdown as the > > NVD CVSS score. Both rate the "privileges required" property as low. > > From what I can tell that

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-04-27 Thread Dave Dykstra via epel-devel
On Thu, Apr 27, 2023 at 02:11:46AM -0500, Carl George wrote: > On Wed, Apr 26, 2023 at 11:20 AM Dave Dykstra via epel-devel ... > > The summary of the CVE is that the way that apptainer & singularity > > allow mounts of ext3 filesystems in setuid mode raises the severi

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-04-27 Thread Dave Dykstra via epel-devel
On Thu, Apr 27, 2023 at 09:09:57AM +0100, Nick Howitt via epel-devel wrote: > On 2023-04-27 08:42, Carl George wrote: ... > > should be modified to set the "allow setuid-mount extfs" option to yes > > for compatibility, even if that isn't the upstream default. > > Can you not set the option to no

[EPEL-devel] Re: apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-04-27 Thread Dave Dykstra via epel-devel
We believe that it is important to apply this change to all EPEL releases, for these reasons: 1. The general vulnerability described in this CVE applies equally to all currently supported Linux distributions. The Singularity/Apptainer community has long been aware that making setuid-root

[EPEL-devel] Incompatible change in apptainer-suid-1.1.8 now in epel-testing

2023-04-26 Thread Dave Dykstra via epel-devel
The apptainer-suid package version 1.1.8 now in epel-testing has an incompatible change because of a security vulnerability. The change is that a new option "allow setuid-mount extfs" was added which defaults to no, preventing ordinary users from mounting ext3 filesystems in setuid-root mode.

[EPEL-devel] apptainer 1.1.8-1 has an incompatible change for apptainer-suid users

2023-04-26 Thread Dave Dykstra via epel-devel
DT is correct, this change is subject to the EPEL incompatible change policy. apptainer-suid-1.1.8 by default disables mounting of ext3 filesystems, because of CVE-2023-30549 https://github.com/apptainer/apptainer/security/advisories/GHSA-j4rf-7357-f4cg Most users don't use this feature,

[EPEL-devel] Update of minor version of golang coming to EPEL7

2022-12-01 Thread Dave Dykstra via epel-devel
golang-1.18.4 is now available in epel-testing for EPEL7, an update of a minor version from 1.17.12. I expect it to be promoted in about a week unless karma changes that. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2022-96dbad9cd3 My policy for updating golang is to follow the

[EPEL-devel] Re: What to do about an incompatible update I approved

2022-10-20 Thread Dave Dykstra via epel-devel
ave Dykstra via epel-devel < > epel-devel@lists.fedoraproject.org> wrote: > > > Hello all, > > > > It has been pointed out to me that I pushed out an update of a package to > > EPEL that did not follow the incompatible upgrades policy: > > > > ht

[EPEL-devel] What to do about an incompatible update I approved

2022-10-19 Thread Dave Dykstra via epel-devel
Hello all, It has been pointed out to me that I pushed out an update of a package to EPEL that did not follow the incompatible upgrades policy: https://docs.fedoraproject.org/en-US/epel/epel-policy-incompatible-upgrades/ That's because I wasn't aware of the policy until it was pointed out to me

[EPEL-devel] Looking for a fedora review of an epel7-only new package

2022-07-11 Thread Dave Dykstra via epel-devel
I asked for a review swap on this on fedora-devel but so far did not get any takers. I'm thinking maybe a lot of Fedora people don't care that much about an epel7-only package. The package is fuse2fs and this is the request: https://bugzilla.redhat.com/show_bug.cgi?id=2104533 The tool is