Bug details: https://bugzilla.redhat.com/show_bug.cgi?id=2391935
Information from BlockerBugs App:
Commented but haven't voted yet: farchord, lruzicka
The votes have been last counted at 2025-09-09 07:49 UTC and the last processed comment was #comment-985147
To learn how to vote, see: https://pagure.io/fedora-qa/blocker-review A quick example: BetaBlocker +1 (where the tracker name is one of BetaBlocker/FinalBlocker/BetaFE/FinalFE/0Day/PreviousRelease and the vote is one of +1/0/-1)
0.28.6 fixes two low severity CVEs, but the last bodhi upgrade has a nasty regression https://bodhi.fedoraproject.org/updates/FEDORA-2025-1edba49b51 so...
BetaFE +1
This feels to me like it could be fixed in a 0-day update, but perhaps I'm misunderstanding the severity of the CVEs.
BetaFE 0
exiv2 seems to be present on the Workstation Live image, so
(Is there an easier way to find out outside of booting the Live image?)
@kparal you can find the Koji task from the compose logs and there's a log in the Koji task which shows the included packages. See e.g. https://kojipkgs.fedoraproject.org/compose/rawhide/Fedora-Rawhide-20250901.n.0/logs/global/kiwibuild/ (for current Rawhide).
For Workstation it's easy to find as there are only two. For spins or labs it can be a pain, you have to click through till you find the one you want. I should poke @ngompa about making that better...
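As an added example (not code from this ticket, from Fedora QA or from the Koji/kiwi tooling): once you have the package list for a compose, such as the one in the kiwibuild log pointed to above, the question "is exiv2 on the image, and at what version?" can be answered mechanically rather than by booting the Live image. The manifest below is a constructed list of NEVRA strings; the real kiwibuild log layout is not shown on this page, so treating it as one NEVRA per line is an assumption. Version ordering is a reimplementation of rpm's rpmvercmp rules (tilde, caret, numeric vs. alphabetic segments) so that 0.28.10 sorts after 0.28.9 and pre-release versions sort before their final release.

```python
"""Check whether a package, at a fixed-or-better EVR, is present in an image manifest."""
from dataclasses import dataclass

# Constructed sample manifest (NOT a real kiwibuild log): one NEVRA per line.
SAMPLE_MANIFEST = """
glibc-2.42-1.fc43.x86_64
gexiv2-0.14.3-2.fc43.x86_64
exiv2-0.28.5-2.fc43.x86_64
exiv2-libs-0.28.5-2.fc43.x86_64
"""


@dataclass(frozen=True)
class Pkg:
    name: str
    epoch: int
    version: str
    release: str
    arch: str

    @property
    def evr(self):
        return (self.epoch, self.version, self.release)


def parse_nevra(s: str) -> Pkg:
    """Split 'name-[epoch:]version-release.arch' from the right, since names may contain dashes."""
    rest, arch = s.strip().rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return Pkg(name, epoch, version, release, arch)


def parse_evr(s: str):
    """Parse '[epoch:]version[-release]' into a comparable tuple."""
    epoch = 0
    if ":" in s:
        e, s = s.split(":", 1)
        epoch = int(e)
    version, release = s.rsplit("-", 1) if "-" in s else (s, "")
    return (epoch, version, release)


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version/release strings the way librpm does; returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything that is not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde, b_tilde = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:  # tilde sorts before anything, even end of string
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret, b_caret = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if a_caret or b_caret:  # caret sorts after end of string but before anything else
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take a run of the same kind (all digits or all letters) from both strings.
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:  # different segment kinds: numeric is newer than alphabetic
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evrcmp(x, y) -> int:
    """Compare (epoch, version, release) tuples: epoch first, then version, then release."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def find_package(manifest: str, name: str):
    """Return the Pkg with exactly this name (so 'exiv2' does not match 'gexiv2'), or None."""
    for line in manifest.splitlines():
        if line.strip() and not line.startswith("#"):
            pkg = parse_nevra(line)
            if pkg.name == name:
                return pkg
    return None


def assess(manifest: str, name: str, fixed_evr: str) -> str:
    """'absent', 'vulnerable' (older than fixed_evr) or 'fixed' (fixed_evr or newer)."""
    pkg = find_package(manifest, name)
    if pkg is None:
        return "absent"
    return "vulnerable" if evrcmp(pkg.evr, parse_evr(fixed_evr)) < 0 else "fixed"


if __name__ == "__main__":
    # 0.28.6 carries the CVE fixes; 0.28.7 additionally fixes the ABI regression (per the ticket).
    for fixed in ("0.28.6-1.fc43", "0.28.7-1.fc43"):
        print(f"exiv2 vs {fixed}: {assess(SAMPLE_MANIFEST, 'exiv2', fixed)}")
```

In practice you would feed the real package list from the compose log to `assess` instead of `SAMPLE_MANIFEST`; the exact-name match matters because `gexiv2` and `exiv2-libs` are distinct packages with their own update paths.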
The fact that the 'silent API breakage' happened worries me rather a lot. OK, the case we know about was fixed, but what if there's some other lurking? Is the benefit of fixing two low severity CVEs on live images and first install worth the risk?
So we would block an update because of the risk of it having more bugs? I understand the sentiment but I don't think that's the right way to proceed here...
Awesome, thanks
That's exactly how we consider freeze exceptions :-D The benefit/risk ratio. Our goal is to publish the image more or less on time with reasonable quality. If we try to have it perfect, we'll be stuck in a never-ending loop of fixing one thing just to have a regression elsewhere.
From yesterday's meeting:
!agreed 2391935 - punt (delay decision) - the vote on this is now split (+3 / -5). we'll punt it for further voting on ticket
I read the rationale on the last meeting. Ok I will revert my vote.
BetaFE -1
Known breakage versus fixing two known low risk CVEs. I guess if pressed I prefer the CVEs.
(I just read up on this bug, the CVEs involved, and the silent ABI breakage that is now fixed.)
To add to your point: it's an ABI breakage[1], which is a bit worse than API breakage, as it affects already compiled code. One of the CVE fixes caused the said silent ABI breakage, which is now fixed in version 0.28.7[2], but this build is not yet in Rawhide as of this writing.
I understand, and share your concern for "potential lurking silent ABI breakages". Out of curiosity, I went to dig a little bit. Exiv2 has a small regression test suite[3], and they did add a regression test[4] for the breakage that was caused by the CVE fix.
Overall, I'm a bit torn here. Yes, the silent ABI breakage was nasty (now it is fixed). The CVE fixes are low severity (the exploits require tricking the user into running Exiv2 on a "crafted image file"), so you can argue to not take the risk and aim for reasonable quality + stability. But given that the regression is fixed, and Fedora's "risk-seeking nature" of staying on the bleeding-edge, I slightly lean towards including the build 0.28.7 that comes with the regression fix. I'm assuming it is "not too much work" to do this.
[1] https://github.com/Exiv2/exiv2/issues/3376
[2] https://github.com/Exiv2/exiv2/issues/3379 (Release version 0.28.7)
[3] https://github.com/Exiv2/exiv2/blob/main/tests/regression_tests/test_regression_allfiles.py
[4] https://github.com/Exiv2/exiv2/commit/cfd2856969a43b ("Regression test for GHSA-496f-x7cq-cq39" - CVE-2025-54080)
PS: I know, the majority are -1, I gave a +1 here based on my rationale above.
Discussed at the 2025-09-08 (blocker / freeze exception) review meeting:
AGREED RejectedBetaFreezeException
We consider it still risky to pull in due to the previous ABI breakage, and the CVEs are low-risk, so we will keep this as an update only.
The following votes have been closed:
Metadata Update from @blockerbot: - Issue status updated to: Closed (was: Open)
Release F43 is no longer tracked by BlockerBugs, closing this ticket.