Bug 2061955 - CVE-2022-0847 - include kernel 5.17.0-0.rc7 in Fedora 36 Beta
Summary: CVE-2022-0847 - include kernel 5.17.0-0.rc7 in Fedora 36 Beta
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 36
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F36BetaFreezeException
 
Reported: 2022-03-08 19:13 UTC by Adam Williamson
Modified: 2022-03-10 07:19 UTC

Fixed In Version: kernel-5.17.0-0.rc7.116.fc36
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-10 07:19:56 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2022-03-08 19:13:14 UTC
The current stable kernel for F36 (that would be shipped in Beta) is kernel-5.17.0-0.rc5.102.fc36 , which doesn't include the fixes for the CVE-2022-0847 ("dirty pipe") local file manipulation / privilege escalation vulnerability.

Practically speaking we'd expect folks to update immediately after installing so the impact of shipping the Beta without this fixed on the installer images is limited, but it looks bad to ship with known vulnerabilities, so I'm proposing this bug as an FE to get a fixed kernel into Beta. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e392889f49 includes kernel-5.17.0-0.rc7.116.fc36 , which has the fixes.

Comment 1 Fedora Update System 2022-03-08 19:14:39 UTC
FEDORA-2022-e392889f49 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-e392889f49

Comment 2 Adam Williamson 2022-03-10 01:16:29 UTC
+3 in https://pagure.io/fedora-qa/blocker-review/issue/649 , marking accepted.

Comment 3 Fedora Update System 2022-03-10 07:19:56 UTC
FEDORA-2022-e392889f49 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

