Bug details: https://bugzilla.redhat.com/show_bug.cgi?id=2073312
Information from BlockerBugs App:
Commented but haven't voted yet: rjones
The votes have been last counted at 2022-05-02 12:35 UTC and the last processed comment was #comment-795175
To learn how to vote, see: https://pagure.io/fedora-qa/blocker-review
A quick example: BetaBlocker +1 (where the tracker name is one of BetaBlocker/FinalBlocker/BetaFE/FinalFE/0Day/PreviousRelease and the vote is one of +1/0/-1)
FinalFE +1
For the record, there is a case for making this a blocker: the criterion says "The release must contain no known security bugs of 'important' or higher impact according to the Red Hat severity classification scale which cannot be satisfactorily resolved by a package update (e.g. issues during installation).", and this vuln is rated Important. However, I think we could say this one can "be satisfactorily resolved by a package update". It seems like it would be a pretty tricky attack to convince someone to use zgrep on a live image or installer image, after mounting some important filesystem that's present on the machine. So for plausible cases, I think an update is probably OK.
AGREED AcceptedFinalFE
The following votes have been closed:
There's also an update to xz (see https://bugzilla.redhat.com/show_bug.cgi?id=2073312#c4). They are for some reason sharing the same BZ because it seems no separate BZ was filed for xz, or maybe only one CVE covers both issues. The problem is basically the same thing as gzip.
I filed https://bugzilla.redhat.com/show_bug.cgi?id=2080938 and #800 for xz.
Metadata Update from @blockerbot: - Issue status updated to: Closed (was: Open)
Release F36 is no longer tracked by BlockerBugs, closing this ticket.