Bug 2056592 (CVE-2020-35211)

Summary: CVE-2020-35211 atomix: Atomix 3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, gmalinko, gsmet, janstey, jaromir.capik, jnethert, jochrist, jwon, lthon, pantinor, pdelbell, peholase, pgallagh, pjindal, probinso, rruss, rsvoboda, sbiarozk, sdouglas
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Bug Depends On: 2056593    
Bug Blocks: 2034713    

Description Avinash Hanwate 2022-02-21 14:37:34 UTC
An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.

https://docs.google.com/presentation/d/1C_IpRfSU-9FMezcHCFZ-qg-15JO-W36yvqcnzI8sQs8/edit?usp=sharing

Comment 1 Avinash Hanwate 2022-02-21 14:38:00 UTC
Created atomix tracking bugs for this issue:

Affects: fedora-all [bug 2056593]

Comment 5 Hans de Goede 2022-02-23 09:11:51 UTC
(In reply to Avinash Hanwate from comment #1)
> Created atomix tracking bugs for this issue:
> 
> Affects: fedora-all [bug 2056533]

As I already mentioned in bug 2056593, the Fedora atomix package has nothing to do whatsoever with the Atomix software these CVEs are for:

"""
From: https://src.fedoraproject.org/rpms/atomix

"Atomix is yet another little mind game. You have to build molecules out of single atoms laying around. Of course there is a time limit and the handling is not as easy as you might expect ;-). This game is inspired by the original Amiga game Atomix and uses the GNOME libraries."

IOW this is not the Atomix you are looking for, closing.
"""

I had 24! Bugzilla emails about this because no-one checked this was actually the right atomix. Please stop creating Fedora bugs for this and stop adding the Fedora atomix maintainers to the Cc of the overall tracking bugs for these!