Bug 2061955

Summary: CVE-2022-0847 - include kernel 5.17.0-0.rc7 in Fedora 36 Beta
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: kernel Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 36 CC: acaringi, adscvr, airlied, alciregi, bskeggs, hdegoede, jarodwilson, jeremy, jglisse, jonathan, josef, kernel-maint, lgoncalv, linville, masami256, mchehab, ptalbert, steved, tim, zulinx86
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: AcceptedFreezeException
Fixed In Version: kernel-5.17.0-0.rc7.116.fc36 Doc Type: If docs needed, set a value
Last Closed: 2022-03-10 07:19:56 UTC Type: Bug
Bug Blocks: 1953784    

Description Adam Williamson 2022-03-08 19:13:14 UTC
The current stable kernel for F36 (that would be shipped in Beta) is kernel-5.17.0-0.rc5.102.fc36 , which doesn't include the fixes for the CVE-2022-0847 ("dirty pipe") local file manipulation / privilege escalation vulnerability.

Practically speaking we'd expect folks to update immediately after installing so the impact of shipping the Beta without this fixed on the installer images is limited, but it looks bad to ship with known vulnerabilities, so I'm proposing this bug as an FE to get a fixed kernel into Beta. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e392889f49 includes kernel-5.17.0-0.rc7.116.fc36 , which has the fixes.

Comment 1 Fedora Update System 2022-03-08 19:14:39 UTC
FEDORA-2022-e392889f49 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e392889f49

Comment 2 Adam Williamson 2022-03-10 01:16:29 UTC
+3 in https://pagure.io/fedora-qa/blocker-review/issue/649 , marking accepted.

Comment 3 Fedora Update System 2022-03-10 07:19:56 UTC
FEDORA-2022-e392889f49 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.