Upstream fixed the following security vulnerability during glibc 2.41 development. There is no upstream advisory because the issue was caught during development. However, we have backported getrandom vDSO acceleration to Fedora 40, so we need downstream security advisories.

commit abeae3c0061c0599ac2f012b270d6b4c8f59c82f
Author: Florian Weimer <fweimer>
Date:   Thu Jan 16 18:45:25 2025 +0100

Linux: Fixes for getrandom fork handling

Careful updates of grnd_alloc.len are required to ensure that after fork, grnd_alloc.states does not contain entries that are also encountered by __getrandom_reset_state in TCBs. For the same reason, it is necessary to overwrite the TCB state pointer with NULL before updating grnd_alloc.states in __getrandom_vdso_release.

Before this change, different TCBs could share the same getrandom state after multi-threaded fork. This would be a critical security bug (predictable randomness) if not caught during development.

The additional check in stdlib/tst-arc4random-thread makes it more likely that the test fails due to the bugs mentioned above.

Both __getrandom_reset_state and __getrandom_vdso_release could put reserved NULL pointers into the states array. This is also fixed with this commit. After these changes, no null pointers were observed in the states array during testing.

Reviewed-by: Adhemerval Zanella <adhemerval.zanella>

Reproducible: Always
FEDORA-2025-497995b101 (glibc-2.40-21.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-497995b101
FEDORA-2025-69207650a4 (glibc-2.39-37.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-69207650a4
FEDORA-2025-497995b101 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-497995b101` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-497995b101 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-69207650a4 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-69207650a4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-69207650a4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-497995b101 (glibc-2.40-21.fc41) has been pushed to the Fedora 41 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2025-69207650a4 (glibc-2.39-37.fc40) has been pushed to the Fedora 40 stable repository. If the problem still persists, please make note of it in this bug report.