import OL rpm-ostree-2024.3-3.el9_4

2024-06-13 12:30:55 +00:00 · 2024-06-13 12:30:55 +00:00 · 4dcd5a37f9
parent 90d969dfc9
commit 4dcd5a37f9
4 changed files with 495 additions and 1 deletions
--- a/SOURCES/0001-passwd-create-etc-g-shadow-with-mode-0.patch
+++ b/SOURCES/0001-passwd-create-etc-g-shadow-with-mode-0.patch
@ -0,0 +1,83 @@
+From ef2638c1ffd77bc6fd9a80a92c965b06a8f284df Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon <jonathan@jlebon.com>
+Date: Tue, 19 Mar 2024 15:20:43 -0400
+Subject: [PATCH 1/3] passwd: create `/etc/[g]shadow` with mode 0
+
+Because of how our composes work, we need to manually inject
+passwd-related things before installing packages. A somewhat recent
+regression in that area made it so that the `/etc/shadow` and
+`/etc/gshadow` files were created with default permissions (0644), which
+meant they were world readable.
+
+Fix this by explicitly setting their modes to 0. Ideally, we would rely
+on the canonical permissions set in the `setup` package here, but it's
+tricky to fix that without reworking how we install `setup` and handle
+`passwd` treefile options.
+
+Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
+`etc/{passwd,group}`").
+
+Fixes #4401
+---
+ rust/src/passwd.rs             | 14 ++++++++++++++
+ tests/compose/libbasic-test.sh |  5 +++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
+index 821497d8..a64f6468 100644
+--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
+@@ -418,6 +418,12 @@ fn write_data_from_treefile(
+     let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
+     let shadow_name = target.shadow_file();
+     let target_shadow_path = format!("{}{}", dest_path, shadow_name);
+    // Ideally these permissions come from `setup`, which is the package
+    // that owns these files:
+    // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
+    // But at this point of the compose, the rootfs is completely empty; we
+    // haven't started unpacking things yet. So we need to hardcode it here.
+    let shadow_perms = cap_std::fs::Permissions::from_mode(0);
+ 
+     match target {
+         PasswdKind::User => {
+@@ -427,6 +433,10 @@ fn write_data_from_treefile(
+                     for user in entries {
+                         writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
+                     }
+                    target_shadow
+                        .get_mut()
+                        .as_file_mut()
+                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+@@ -438,6 +448,10 @@ fn write_data_from_treefile(
+                     for group in entries {
+                         writeln!(target_shadow, "{}:::", group.name)?;
+                     }
+                    target_shadow
+                        .get_mut()
+                        .as_file_mut()
+                        .set_permissions(shadow_perms)?;
+                     Ok(())
+                 })
+                 .with_context(|| format!("Writing {target_shadow_path}"))?;
+diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
+index 78ad72b1..df790e89 100644
+--- a/tests/compose/libbasic-test.sh
+++ b/tests/compose/libbasic-test.sh
+@@ -22,6 +22,11 @@ validate_passwd group
+ ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
+ assert_file_has_content_literal passwd.txt '00644 '
+ 
+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
+assert_file_has_content_literal shadow.txt '00000 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
+assert_file_has_content_literal gshadow.txt '00000 '
+
+ ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
+ assert_file_has_content_literal useradd.txt HOME=/var/home
+ 
+-- 
+2.44.0
+
--- a/SOURCES/0002-unit-chmod-etc-g-shadow-to-0000.patch
+++ b/SOURCES/0002-unit-chmod-etc-g-shadow-to-0000.patch
@ -0,0 +1,79 @@
+From 715298d909551b7d6b42ee6f9c38675f22034dde Mon Sep 17 00:00:00 2001
+From: jbtrystram <jbtrystram@redhat.com>
+Date: Thu, 21 Mar 2024 17:27:21 +0100
+Subject: [PATCH 2/3] unit: chmod /etc/[g]shadow[-] to 0000
+
+fdb879c introduced a regression where /etc/[g]shadow[-] files where
+created with default permissions: 0644
+
+This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
+before interactive login is allowed on a system.
+
+This will fix the systems that were deployed with the above issue.
+
+We keep the stamp in /etc to account for the case where a deployment
+with this unit is rolled back. If we used /var, the stamp would have
+stayed but the fix would not be re-applied on the next update.
+---
+ Makefile-daemon.am                            |  1 +
+ packaging/rpm-ostree.spec.in                  |  5 +++++
+ src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
+ 3 files changed, 25 insertions(+)
+ create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
+
+diff --git a/Makefile-daemon.am b/Makefile-daemon.am
+index 4233d90d..f96f49a9 100644
+--- a/Makefile-daemon.am
+++ b/Makefile-daemon.am
+@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
+ 	rpm-ostreed-automatic.service \
+ 	rpm-ostree-bootstatus.service \
+ 	rpm-ostree-countme.service \
+	rpm-ostree-fix-shadow-mode.service \
+ 	$(NULL)
+ 
+ systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
+diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
+index e83db7f3..cbe3e031 100644
+--- a/packaging/rpm-ostree.spec.in
+++ b/packaging/rpm-ostree.spec.in
+@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
+ # Setup rpm-ostree-countme.timer according to presets
+ %post
+ %systemd_post rpm-ostree-countme.timer
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
+fi
+ 
+ %preun
+ %systemd_preun rpm-ostree-countme.timer
+diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
+new file mode 100644
+index 00000000..4aea7462
+--- /dev/null
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
+@@ -0,0 +1,19 @@
+[Unit]
+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=/run/ostree-booted
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+-- 
+2.44.0
+
--- a/SOURCES/0003-shadow-Adjust-all-deployments.patch
+++ b/SOURCES/0003-shadow-Adjust-all-deployments.patch
@ -0,0 +1,314 @@
+From 1ec5618144e2d5e76caedba9cdcddb2d7ca1d8f7 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Fri, 12 Apr 2024 12:59:54 -0400
+Subject: [PATCH 3/3] shadow: Adjust all deployments
+
+It was pointed out that in the previous change here we missed
+the fact that the previous deployments were accessible.
+
+- Move the logic into Rust, adding unit tests
+- Change the code to iterate over all deployments
+- Add an integration test too
+
+Note: A likely future enhancement here will be to finally
+deny unprivileged access to non-default roots; cc
+https://github.com/ostreedev/ostree/issues/3211
+---
+ rust/src/lib.rs                               |   2 +-
+ rust/src/main.rs                              |   1 +
+ rust/src/passwd.rs                            | 124 ++++++++++++++++++
+ src/daemon/rpm-ostree-fix-shadow-mode.service |  12 +-
+ tests/kolainst/destructive/shadow             |  80 +++++++++++
+ 5 files changed, 214 insertions(+), 5 deletions(-)
+ create mode 100755 tests/kolainst/destructive/shadow
+
+diff --git a/rust/src/lib.rs b/rust/src/lib.rs
+index e244158b..a65e669b 100644
+--- a/rust/src/lib.rs
+++ b/rust/src/lib.rs
+@@ -979,7 +979,7 @@ mod normalization;
+ mod origin;
+ mod ostree_prepareroot;
+ pub(crate) use self::origin::*;
+-mod passwd;
+pub mod passwd;
+ use passwd::*;
+ mod console_progress;
+ pub(crate) use self::console_progress::*;
+diff --git a/rust/src/main.rs b/rust/src/main.rs
+index 5a3c04d0..bf10d45d 100644
+--- a/rust/src/main.rs
+++ b/rust/src/main.rs
+@@ -28,6 +28,7 @@ async fn inner_async_main(args: Vec<String>) -> Result<i32> {
+             match *arg {
+                 // Add custom Rust commands here, and also in `libmain.cxx` if user-visible.
+                 "countme" => rpmostree_rust::countme::entrypoint(args).map(|_| 0),
+                "fix-shadow-perms" => rpmostree_rust::passwd::fix_shadow_perms_entrypoint(args).map(|_| 0),
+                 "cliwrap" => rpmostree_rust::cliwrap::entrypoint(args).map(|_| 0),
+                 // A hidden wrapper to intercept some binaries in RPM scriptlets.
+                 "scriptlet-intercept" => builtins::scriptlet_intercept::entrypoint(args).map(|_| 0),
+diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
+index a64f6468..f0a6da31 100644
+--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
+@@ -30,6 +30,10 @@ const DEFAULT_MODE: u32 = 0o644;
+ static DEFAULT_PERMS: Lazy<Permissions> = Lazy::new(|| Permissions::from_mode(DEFAULT_MODE));
+ static PWGRP_SHADOW_FILES: &[&str] = &["shadow", "gshadow", "subuid", "subgid"];
+ static USRLIB_PWGRP_FILES: &[&str] = &["passwd", "group"];
+// This stamp file signals the original fix which only changed the booted deployment
+const SHADOW_MODE_FIXED_STAMP_OLD: &str = "etc/.rpm-ostree-shadow-mode-fixed.stamp";
+// And this one is written by the newer logic that changes all deployments
+const SHADOW_MODE_FIXED_STAMP: &str = "etc/.rpm-ostree-shadow-mode-fixed2.stamp";
+ 
+ // Lock/backup files that should not be in the base commit (TODO fix).
+ static PWGRP_LOCK_AND_BACKUP_FILES: &[&str] = &[
+@@ -363,6 +367,86 @@ impl PasswdKind {
+     }
+ }
+ 
+/// Due to a prior bug, the build system had some deployments with a world-readable
+/// shadow file.  This fixes a given deployment.
+#[context("Fixing shadow permissions")]
+pub(crate) fn fix_shadow_perms_in_root(root: &Dir) -> Result<bool> {
+    let zero_perms = Permissions::from_mode(0);
+    let mut changed = false;
+    for path in ["etc/shadow", "etc/shadow-", "etc/gshadow", "etc/gshadow-"] {
+        let metadata = if let Some(meta) = root
+            .symlink_metadata_optional(path)
+            .context("Querying metadata")?
+        {
+            meta
+        } else {
+            tracing::debug!("No path {path}");
+            continue;
+        };
+        let mode = metadata.mode() & !libc::S_IFMT;
+        // Don't touch the file if it's already correct
+        if mode == 0 {
+            continue;
+        }
+        let f = root.open(path).with_context(|| format!("Opening {path}"))?;
+        f.set_permissions(zero_perms.clone())
+            .with_context(|| format!("chmod: {path}"))?;
+        println!("Adjusted mode for {path}");
+        changed = true;
+    }
+    // Write our stamp file
+    root.write(SHADOW_MODE_FIXED_STAMP, "")
+        .context(SHADOW_MODE_FIXED_STAMP)?;
+    // And clean up the old one
+    root.remove_file_optional(SHADOW_MODE_FIXED_STAMP_OLD)
+        .with_context(|| format!("Removing old {SHADOW_MODE_FIXED_STAMP_OLD}"))?;
+    Ok(changed)
+}
+
+/// Due to a prior bug, the build system had some deployments with a world-readable
+/// shadow file.  This fixes all deployments.
+pub(crate) fn fix_shadow_perms_in_sysroot(sysroot: &ostree::Sysroot) -> Result<bool> {
+    let deployments = sysroot.deployments();
+    // TODO add a nicer api for this to ostree-rs
+    let sysroot_fd =
+        Dir::reopen_dir(unsafe { &std::os::fd::BorrowedFd::borrow_raw(sysroot.fd()) })?;
+    let mut changed = false;
+    for deployment in deployments {
+        let path = sysroot.deployment_dirpath(&deployment);
+        let dir = sysroot_fd.open_dir(&path)?;
+        if fix_shadow_perms_in_root(&dir)
+            .with_context(|| format!("Deployment index={}", deployment.index()))?
+        {
+            println!(
+                "Adjusted shadow files in deployment index={} {}.{}",
+                deployment.index(),
+                deployment.csum(),
+                deployment.bootserial()
+            );
+            changed = true;
+        }
+    }
+    Ok(changed)
+}
+
+/// The main entrypoint for updating /etc/{,g}shadow permissions across
+/// all deployments.
+pub fn fix_shadow_perms_entrypoint(_args: &[&str]) -> Result<()> {
+    let cancellable = gio::Cancellable::NONE;
+    let sysroot = ostree::Sysroot::new_default();
+    sysroot.set_mount_namespace_in_use();
+    sysroot.lock()?;
+    sysroot.load(cancellable)?;
+    let changed = fix_shadow_perms_in_sysroot(&sysroot)?;
+    if changed {
+        // We already printed per deployment, so this one is just
+        // a debug-level log.
+        tracing::debug!("Updated shadow/gshadow permissions");
+    }
+    sysroot.unlock();
+    Ok(())
+}
+
+ // This function writes the static passwd/group data from the treefile to the
+ // target root filesystem.
+ fn write_data_from_treefile(
+@@ -1070,3 +1154,43 @@ impl PasswdEntries {
+         Ok(())
+     }
+ }
+
+#[test]
+fn test_shadow_perms() -> Result<()> {
+    let root = &cap_tempfile::tempdir(cap_std::ambient_authority())?;
+    root.create_dir("etc")?;
+    root.write("etc/shadow", "some shadow")?;
+    root.write("etc/gshadow", "some gshadow")?;
+    root.set_permissions("etc/gshadow", Permissions::from_mode(0))?;
+
+    assert!(fix_shadow_perms_in_root(root)?);
+    assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?);
+    assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?);
+    // Verify idempotence
+    assert!(!fix_shadow_perms_in_root(root)?);
+    assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?);
+    assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?);
+
+    Ok(())
+}
+
+#[test]
+/// Verify the scenario of updating from a previously fixed root
+fn test_shadow_perms_from_orig_fix() -> Result<()> {
+    let root = &cap_tempfile::tempdir(cap_std::ambient_authority())?;
+    root.create_dir("etc")?;
+    root.write("etc/shadow", "some shadow")?;
+    root.set_permissions("etc/shadow", Permissions::from_mode(0))?;
+    root.write("etc/gshadow", "some gshadow")?;
+    root.set_permissions("etc/gshadow", Permissions::from_mode(0))?;
+    // Write the original stamp file
+    root.write(SHADOW_MODE_FIXED_STAMP_OLD, "")?;
+
+    // No changes
+    assert!(!fix_shadow_perms_in_root(root)?);
+    // Except we should have updated to the new stamp file
+    assert!(!root.try_exists(SHADOW_MODE_FIXED_STAMP_OLD)?);
+    assert!(root.try_exists(SHADOW_MODE_FIXED_STAMP)?);
+
+    Ok(())
+}
+diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
+index 4aea7462..121bc74e 100644
+--- a/src/daemon/rpm-ostree-fix-shadow-mode.service
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
+@@ -3,17 +3,21 @@
+ # This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+ Description=Update permissions for /etc/shadow
+ Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+-ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+# This new stamp file is written by the Rust code, and obsoletes
+# the old /etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed2.stamp
+ ConditionPathExists=/run/ostree-booted
+# Because we read the sysroot
+RequiresMountsFor=/boot
+ # Make sure this is started before any unprivileged (interactive) user has access to the system.
+ Before=systemd-user-sessions.service
+ 
+ [Service]
+ Type=oneshot
+-ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
+-ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
+-ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+ExecStart=rpm-ostree fix-shadow-perms
+ RemainAfterExit=yes
+# So we can remount /sysroot writable in our own namespace
+MountFlags=slave
+ 
+ [Install]
+ WantedBy=multi-user.target
+diff --git a/tests/kolainst/destructive/shadow b/tests/kolainst/destructive/shadow
+new file mode 100755
+index 00000000..7caf84c0
+--- /dev/null
+++ b/tests/kolainst/destructive/shadow
+@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Copyright (C) 2024 Red Hat Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+# Boston, MA 02111-1307, USA.
+
+set -euo pipefail
+
+. ${KOLA_EXT_DATA}/libtest.sh
+
+set -x
+
+cd $(mktemp -d)
+
+service=rpm-ostree-fix-shadow-mode.service
+stamp=/etc/.rpm-ostree-shadow-mode-fixed2.stamp
+
+case "${AUTOPKGTEST_REBOOT_MARK:-}" in
+"")
+
+libtest_prepare_fully_offline
+libtest_enable_repover 0
+
+systemctl status ${service} || true
+rm -vf /etc/.rpm-ostree-shadow-mode*
+chmod 0644 /etc/gshadow
+
+# Verify running the service once fixes things
+systemctl restart $service
+assert_has_file "${stamp}"
+assert_streq "$(stat -c '%f' /etc/gshadow)" 8000
+
+# Now *undo* the fix, so that the current (then old) deployment
+# is broken still, and ensure after reboot that it's fixed
+# in both.
+
+chmod 0644 /etc/gshadow
+rm -vf /etc/.rpm-ostree*
+
+booted_commit=$(rpm-ostree status --json | jq -r '.deployments[0].checksum')
+ostree refs ${booted_commit} --create vmcheck2
+rpm-ostree rebase :vmcheck2
+
+/tmp/autopkgtest-reboot "1"
+;;
+"1")
+
+systemctl status $service
+assert_has_file "${stamp}"
+
+verified=0
+for f in $(ls /ostree/deploy/*/deploy/*/etc/{,g}shadow{,-}); do
+    verified=$(($verified + 1))
+    assert_streq "$(stat -c '%f' $f)" 8000
+    echo "ok ${f}"
+done
+assert_streq "$verified" 8
+
+journalctl -b -u $service --grep="Adjusted shadow files in deployment" | tee out.txt
+assert_streq "$(wc -l < out.txt)" 2
+
+echo "ok shadow"
+
+;;
+*) echo "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}"; exit 1;;
+
+esac
+-- 
+2.44.0
+
--- a/SPECS/rpm-ostree.spec
+++ b/SPECS/rpm-ostree.spec
@ -4,7 +4,7 @@
 Summary: Hybrid image/package system
 Name: rpm-ostree
 Version: 2024.3
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 URL: https://github.com/coreos/rpm-ostree
 # This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
@ -12,6 +12,9 @@ URL: https://github.com/coreos/rpm-ostree
 Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz

 Patch0: 0001-cliwrap-rpm-mark-eval-E-as-safe.patch
+Patch1: 0001-passwd-create-etc-g-shadow-with-mode-0.patch
+Patch2: 0002-unit-chmod-etc-g-shadow-to-0000.patch
+Patch3: 0003-shadow-Adjust-all-deployments.patch

 ExclusiveArch: %{rust_arches}

@ -231,6 +234,13 @@ $PYTHON autofiles.py > files.devel \
  '%{_datadir}/gtk-doc/html/*' \
  '%{_datadir}/gir-1.0/*-1.0.gir'

+%post
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+    ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service  /usr/lib/systemd/system/multi-user.target.wants/
+fi
+
 %files -f files
 %doc COPYING.GPL COPYING.LGPL LICENSE README.md

@ -239,6 +249,14 @@ $PYTHON autofiles.py > files.devel \
 %files devel -f files.devel

 %changelog
+* Tue Apr 16 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-3
+- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
+  Resolves: #RHEL-31852
+
+* Fri Apr 05 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-2
+- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
+  Resolves: #RHEL-31852
+
 * Sun Feb 25 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-1
 - https://github.com/coreos/rpm-ostree/releases/tag/v2024.3
  Backport https://github.com/coreos/rpm-ostree/commit/fe586621e5014d14f92b913338171a02ed29e6cc