rpms/rpm-ostree
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'c9' into a9

Browse Source
This commit is contained in:
eabdullin 2024-10-25 09:51:30 +03:00
commit d1295958ad
7 changed files with 228 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
SOURCES/0001-passwd-create-etc-g-shadow-with-mode-0.patch Normal file
View File

@ -0,0 +1,83 @@
From ef2638c1ffd77bc6fd9a80a92c965b06a8f284df Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Tue, 19 Mar 2024 15:20:43 -0400
Subject: [PATCH 1/3] passwd: create `/etc/[g]shadow` with mode 0
Because of how our composes work, we need to manually inject
passwd-related things before installing packages. A somewhat recent
regression in that area made it so that the `/etc/shadow` and
`/etc/gshadow` files were created with default permissions (0644), which
meant they were world readable.
Fix this by explicitly setting their modes to 0. Ideally, we would rely
on the canonical permissions set in the `setup` package here, but it's
tricky to fix that without reworking how we install `setup` and handle
`passwd` treefile options.
Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
`etc/{passwd,group}`").
Fixes #4401
---
rust/src/passwd.rs | 14 ++++++++++++++
tests/compose/libbasic-test.sh | 5 +++++
2 files changed, 19 insertions(+)
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
index 821497d8..a64f6468 100644
--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
@@ -418,6 +418,12 @@ fn write_data_from_treefile(
let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
let shadow_name = target.shadow_file();
let target_shadow_path = format!("{}{}", dest_path, shadow_name);
+ // Ideally these permissions come from `setup`, which is the package
+ // that owns these files:
+ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
+ // But at this point of the compose, the rootfs is completely empty; we
+ // haven't started unpacking things yet. So we need to hardcode it here.
+ let shadow_perms = cap_std::fs::Permissions::from_mode(0);
match target {
PasswdKind::User => {
@@ -427,6 +433,10 @@ fn write_data_from_treefile(
for user in entries {
writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
@@ -438,6 +448,10 @@ fn write_data_from_treefile(
for group in entries {
writeln!(target_shadow, "{}:::", group.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
index 78ad72b1..df790e89 100644
--- a/tests/compose/libbasic-test.sh
+++ b/tests/compose/libbasic-test.sh
@@ -22,6 +22,11 @@ validate_passwd group
ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
assert_file_has_content_literal passwd.txt '00644 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
+assert_file_has_content_literal shadow.txt '00000 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
+assert_file_has_content_literal gshadow.txt '00000 '
+
ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
assert_file_has_content_literal useradd.txt HOME=/var/home
--
2.44.0

157
SOURCES/0001-passwd-create-etc-gshadow-with-mode-0.patch
View File

@ -1,157 +0,0 @@
From b1d88ce602107fa97bb60bc8bcd1460472ddafa0 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Tue, 19 Mar 2024 15:20:43 -0400
Subject: [PATCH 1/2] passwd: create `/etc/[g]shadow` with mode 0
Because of how our composes work, we need to manually inject
passwd-related things before installing packages. A somewhat recent
regression in that area made it so that the `/etc/shadow` and
`/etc/gshadow` files were created with default permissions (0644), which
meant they were world readable.
Fix this by explicitly setting their modes to 0. Ideally, we would rely
on the canonical permissions set in the `setup` package here, but it's
tricky to fix that without reworking how we install `setup` and handle
`passwd` treefile options.
Fixes fdb879c8 ("passwd: sync `etc/{,g}shadow` according to
`etc/{passwd,group}`").
Fixes #4401
---
rust/src/passwd.rs | 14 ++++++++++++++
tests/compose/libbasic-test.sh | 5 +++++
2 files changed, 19 insertions(+)
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
index 99004ac4d5..d897da678d 100644
--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
@@ -418,6 +418,12 @@ fn write_data_from_treefile(
let db = rootfs.open(target_passwd_path).map(BufReader::new)?;
let shadow_name = target.shadow_file();
let target_shadow_path = format!("{}{}", dest_path, shadow_name);
+ // Ideally these permissions come from `setup`, which is the package
+ // that owns these files:
+ // https://src.fedoraproject.org/rpms/setup/blob/c6f58b338bd3/f/setup.spec#_96
+ // But at this point of the compose, the rootfs is completely empty; we
+ // haven't started unpacking things yet. So we need to hardcode it here.
+ let shadow_perms = cap_std::fs::Permissions::from_mode(0);
match target {
PasswdKind::User => {
@@ -427,6 +433,10 @@ fn write_data_from_treefile(
for user in entries {
writeln!(target_shadow, "{}:*::0:99999:7:::", user.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
@@ -438,6 +448,10 @@ fn write_data_from_treefile(
for group in entries {
writeln!(target_shadow, "{}:::", group.name)?;
}
+ target_shadow
+ .get_mut()
+ .as_file_mut()
+ .set_permissions(shadow_perms)?;
Ok(())
})
.with_context(|| format!("Writing {target_shadow_path}"))?;
diff --git a/tests/compose/libbasic-test.sh b/tests/compose/libbasic-test.sh
index 0a7517608f..3f7c6d8ae5 100644
--- a/tests/compose/libbasic-test.sh
+++ b/tests/compose/libbasic-test.sh
@@ -22,6 +22,11 @@ validate_passwd group
ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
assert_file_has_content_literal passwd.txt '00644 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/shadow > shadow.txt
+assert_file_has_content_literal shadow.txt '00000 '
+ostree --repo=${repo} ls ${treeref} /usr/etc/gshadow > gshadow.txt
+assert_file_has_content_literal gshadow.txt '00000 '
+
ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
assert_file_has_content_literal useradd.txt HOME=/var/home
From 26a3922979dc2c18a479d9b9b7b51c8af4e5da47 Mon Sep 17 00:00:00 2001
From: jbtrystram <jbtrystram@redhat.com>
Date: Thu, 21 Mar 2024 17:27:21 +0100
Subject: [PATCH 2/2] unit: chmod /etc/[g]shadow[-] to 0000
fdb879c introduced a regression where /etc/[g]shadow[-] files where
created with default permissions: 0644
This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
before interactive login is allowed on a system.
This will fix the systems that were deployed with the above issue.
We keep the stamp in /etc to account for the case where a deployment
with this unit is rolled back. If we used /var, the stamp would have
stayed but the fix would not be re-applied on the next update.
---
Makefile-daemon.am | 1 +
packaging/rpm-ostree.spec.in | 5 +++++
src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
3 files changed, 25 insertions(+)
create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
diff --git a/Makefile-daemon.am b/Makefile-daemon.am
index 4233d90db1..f96f49a952 100644
--- a/Makefile-daemon.am
+++ b/Makefile-daemon.am
@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
rpm-ostreed-automatic.service \
rpm-ostree-bootstatus.service \
rpm-ostree-countme.service \
+ rpm-ostree-fix-shadow-mode.service \
$(NULL)
systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
index 8aa9afaaa7..f734f676c3 100644
--- a/packaging/rpm-ostree.spec.in
+++ b/packaging/rpm-ostree.spec.in
@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
# Setup rpm-ostree-countme.timer according to presets
%post
%systemd_post rpm-ostree-countme.timer
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/
+fi
%preun
%systemd_preun rpm-ostree-countme.timer
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
new file mode 100644
index 0000000000..4aea7462ec
--- /dev/null
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -0,0 +1,19 @@
+[Unit]
+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=/run/ostree-booted
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

79
SOURCES/0002-unit-chmod-etc-g-shadow-to-0000.patch Normal file
View File

@ -0,0 +1,79 @@
From 715298d909551b7d6b42ee6f9c38675f22034dde Mon Sep 17 00:00:00 2001
From: jbtrystram <jbtrystram@redhat.com>
Date: Thu, 21 Mar 2024 17:27:21 +0100
Subject: [PATCH 2/3] unit: chmod /etc/[g]shadow[-] to 0000
fdb879c introduced a regression where /etc/[g]shadow[-] files where
created with default permissions: 0644
This unit chmods /etc/shadow, /etc/gshadow and backup copies to 0000
before interactive login is allowed on a system.
This will fix the systems that were deployed with the above issue.
We keep the stamp in /etc to account for the case where a deployment
with this unit is rolled back. If we used /var, the stamp would have
stayed but the fix would not be re-applied on the next update.
---
Makefile-daemon.am | 1 +
packaging/rpm-ostree.spec.in | 5 +++++
src/daemon/rpm-ostree-fix-shadow-mode.service | 19 +++++++++++++++++++
3 files changed, 25 insertions(+)
create mode 100644 src/daemon/rpm-ostree-fix-shadow-mode.service
diff --git a/Makefile-daemon.am b/Makefile-daemon.am
index 4233d90d..f96f49a9 100644
--- a/Makefile-daemon.am
+++ b/Makefile-daemon.am
@@ -60,6 +60,7 @@ systemdunit_service_file_names = \
rpm-ostreed-automatic.service \
rpm-ostree-bootstatus.service \
rpm-ostree-countme.service \
+ rpm-ostree-fix-shadow-mode.service \
$(NULL)
systemdunit_service_files = $(addprefix $(srcdir)/src/daemon/,$(systemdunit_service_file_names))
diff --git a/packaging/rpm-ostree.spec.in b/packaging/rpm-ostree.spec.in
index e83db7f3..cbe3e031 100644
--- a/packaging/rpm-ostree.spec.in
+++ b/packaging/rpm-ostree.spec.in
@@ -237,6 +237,11 @@ $PYTHON autofiles.py > files.devel \
# Setup rpm-ostree-countme.timer according to presets
%post
%systemd_post rpm-ostree-countme.timer
+# Only enable on rpm-ostree based systems and manually force unit enablement to
+# explicitly ignore presets for this security fix
+if [ -e /run/ostree-booted ]; then
+ ln -snf /usr/lib/systemd/system/rpm-ostree-fix-shadow-mode.service /usr/lib/systemd/system/multi-user.target.wants/
+fi
%preun
%systemd_preun rpm-ostree-countme.timer
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
new file mode 100644
index 00000000..4aea7462
--- /dev/null
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -0,0 +1,19 @@
+[Unit]
+# rpm-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=/run/ostree-booted
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=chmod --verbose 0000 /etc/shadow /etc/gshadow
+ExecStart=-chmod --verbose 0000 /etc/shadow- /etc/gshadow-
+ExecStart=touch /etc/.rpm-ostree-shadow-mode-fixed.stamp
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--
2.44.0

17
SOURCES/0002-shadow-adjust-all-deployments.patch → SOURCES/0003-shadow-Adjust-all-deployments.patch
View File

@ -1,7 +1,7 @@
From d40ba771b80c4e9fd86e3f4b8a438112dcaf9393 Mon Sep 17 00:00:00 2001
From 1ec5618144e2d5e76caedba9cdcddb2d7ca1d8f7 Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Fri, 12 Apr 2024 12:59:54 -0400
Subject: [PATCH] shadow: Adjust all deployments
Subject: [PATCH 3/3] shadow: Adjust all deployments
It was pointed out that in the previous change here we missed
the fact that the previous deployments were accessible.
@ -23,7 +23,7 @@ https://github.com/ostreedev/ostree/issues/3211
create mode 100755 tests/kolainst/destructive/shadow
diff --git a/rust/src/lib.rs b/rust/src/lib.rs
index 0255b1e3ab..f1d971762a 100644
index e244158b..a65e669b 100644
--- a/rust/src/lib.rs
+++ b/rust/src/lib.rs
@@ -979,7 +979,7 @@ mod normalization;
@ -36,7 +36,7 @@ index 0255b1e3ab..f1d971762a 100644
mod console_progress;
pub(crate) use self::console_progress::*;
diff --git a/rust/src/main.rs b/rust/src/main.rs
index 5a3c04d0e0..bf10d45dcc 100644
index 5a3c04d0..bf10d45d 100644
--- a/rust/src/main.rs
+++ b/rust/src/main.rs
@@ -28,6 +28,7 @@ async fn inner_async_main(args: Vec<String>) -> Result<i32> {
@ -48,7 +48,7 @@ index 5a3c04d0e0..bf10d45dcc 100644
// A hidden wrapper to intercept some binaries in RPM scriptlets.
"scriptlet-intercept" => builtins::scriptlet_intercept::entrypoint(args).map(|_| 0),
diff --git a/rust/src/passwd.rs b/rust/src/passwd.rs
index d897da678d..213c271c7e 100644
index a64f6468..f0a6da31 100644
--- a/rust/src/passwd.rs
+++ b/rust/src/passwd.rs
@@ -30,6 +30,10 @@ const DEFAULT_MODE: u32 = 0o644;
@ -194,7 +194,7 @@ index d897da678d..213c271c7e 100644
+ Ok(())
+}
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
index 4aea7462ec..121bc74ef6 100644
index 4aea7462..121bc74e 100644
--- a/src/daemon/rpm-ostree-fix-shadow-mode.service
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -3,17 +3,21 @@
@ -225,7 +225,7 @@ index 4aea7462ec..121bc74ef6 100644
WantedBy=multi-user.target
diff --git a/tests/kolainst/destructive/shadow b/tests/kolainst/destructive/shadow
new file mode 100755
index 0000000000..7caf84c051
index 00000000..7caf84c0
--- /dev/null
+++ b/tests/kolainst/destructive/shadow
@@ -0,0 +1,80 @@
@ -309,3 +309,6 @@ index 0000000000..7caf84c051
+*) echo "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}"; exit 1;;
+
+esac
--
2.44.0

11
SOURCES/0003-citest-container-move-URL-definitions-to-the-top.patch → SOURCES/0004-core-also-wrap-kernel-install-for-scriptlets.patch
View File

@ -1,7 +1,7 @@
From 2a8017c3e1fb24d42520df21eab3f157e8469312 Mon Sep 17 00:00:00 2001
From 6714c34bae041c036277ddb509af2b4135b759d5 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Tue, 7 May 2024 10:05:03 -0400
Subject: [PATCH] core: also wrap `kernel-install` for scriptlets
Subject: [PATCH 1/1] core: also wrap `kernel-install` for scriptlets
It's confusing right now how specifically for the kernel, one has to use
this obscure `rpm-ostree cliwrap install-to-root /` command to make it
@ -22,7 +22,7 @@ Closes: #4949
create mode 100644 src/libpriv/kernel-install-wrapper.sh
diff --git a/rust/src/core.rs b/rust/src/core.rs
index 11c2d9822a..02255a8481 100644
index 8cd1ee03..ec24ed99 100644
--- a/rust/src/core.rs
+++ b/rust/src/core.rs
@@ -44,6 +44,8 @@ const USERADD_PATH: &str = "usr/sbin/useradd";
@ -73,7 +73,7 @@ index 11c2d9822a..02255a8481 100644
diff --git a/src/libpriv/kernel-install-wrapper.sh b/src/libpriv/kernel-install-wrapper.sh
new file mode 100644
index 0000000000..4cfb605b2b
index 00000000..4cfb605b
--- /dev/null
+++ b/src/libpriv/kernel-install-wrapper.sh
@@ -0,0 +1,9 @@
@ -86,3 +86,6 @@ index 0000000000..4cfb605b2b
+# See also https://github.com/coreos/rpm-ostree/issues/4949
+
+exec /usr/bin/rpm-ostree cliwrap kernel-install "$@"
--
2.45.0

27
SOURCES/0005-rpm-ostree-fix-shadow-mode.service-don-t-run-if-OS-i.patch Normal file
View File

@ -0,0 +1,27 @@
From 82cfc5491b3c670dd3d0abc0b30758622c958299 Mon Sep 17 00:00:00 2001
From: Joseph Marrero Corchado <jmarrero@redhat.com>
Date: Thu, 2 May 2024 08:57:45 -0400
Subject: [PATCH] rpm-ostree-fix-shadow-mode.service: don't run if OS is not
installed
Co-authored-by: Jonathan Lebon <jonathan@jlebon.com>
---
src/daemon/rpm-ostree-fix-shadow-mode.service | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/daemon/rpm-ostree-fix-shadow-mode.service b/src/daemon/rpm-ostree-fix-shadow-mode.service
index 121bc74e..f2983032 100644
--- a/src/daemon/rpm-ostree-fix-shadow-mode.service
+++ b/src/daemon/rpm-ostree-fix-shadow-mode.service
@@ -7,6 +7,8 @@ Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
# the old /etc/.rpm-ostree-shadow-mode-fixed.stamp
ConditionPathExists=!/etc/.rpm-ostree-shadow-mode-fixed2.stamp
ConditionPathExists=/run/ostree-booted
+# Filter out non-traditional ostree setups (e.g. live boots)
+ConditionKernelCommandLine=ostree
# Because we read the sysroot
RequiresMountsFor=/boot
# Make sure this is started before any unprivileged (interactive) user has access to the system.
--
2.45.2

36
SPECS/rpm-ostree.spec
View File

@ -4,7 +4,7 @@
Summary: Hybrid image/package system
Name: rpm-ostree
Version: 2024.3
Release: 4%{?dist}.alma.1
Release: 5%{?dist}
License: LGPLv2+
URL: https://github.com/coreos/rpm-ostree
# This tarball is generated via "cd packaging && make -f Makefile.dist-packaging dist-snapshot"
@ -12,14 +12,11 @@ URL: https://github.com/coreos/rpm-ostree
Source0: https://github.com/coreos/rpm-ostree/releases/download/v%{version}/rpm-ostree-%{version}.tar.xz
Patch0: 0001-cliwrap-rpm-mark-eval-E-as-safe.patch
# Patches were taken from:
# https://github.com/coreos/rpm-ostree/pull/4911
Patch1: 0001-passwd-create-etc-gshadow-with-mode-0.patch
# https://github.com/coreos/rpm-ostree/pull/4913
Patch2: 0002-shadow-adjust-all-deployments.patch
# https://github.com/coreos/rpm-ostree/pull/4950
Patch3: 0003-citest-container-move-URL-definitions-to-the-top.patch
Patch1: 0001-passwd-create-etc-g-shadow-with-mode-0.patch
Patch2: 0002-unit-chmod-etc-g-shadow-to-0000.patch
Patch3: 0003-shadow-Adjust-all-deployments.patch
Patch4: 0004-core-also-wrap-kernel-install-for-scriptlets.patch
Patch5: 0005-rpm-ostree-fix-shadow-mode.service-don-t-run-if-OS-i.patch
ExclusiveArch: %{rust_arches}
@ -254,11 +251,21 @@ fi
%files devel -f files.devel
%changelog
* Sun Feb 25 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-4.alma.1
- passwd: create `/etc/[g]shadow` with mode 0
- unit: chmod /etc/[g]shadow[-] to 0000
- shadow: Adjust all deployments
- ci/test-container: move URL definitions to the top
* Tue Aug 20 2024 Huijing Hei <hhei@fedoraproject.org> - 2024.3-5
- Backport https://github.com/coreos/rpm-ostree/pull/4944
Resolves: #RHEL-55249
* Fri May 10 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-4
- Backport https://github.com/coreos/rpm-ostree/pull/4950
Resolves: #RHEL-36085
* Tue Apr 16 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-3
- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Resolves: #RHEL-31852
* Fri Apr 05 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-2
- Backport https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
Resolves: #RHEL-31852
* Sun Feb 25 2024 Joseph Marrero <jmarrero@fedoraproject.org> - 2024.3-1
- https://github.com/coreos/rpm-ostree/releases/tag/v2024.3
@ -993,3 +1000,4 @@ fi
* Fri Mar 07 2014 Colin Walters <walters@verbum.org> - 2014.5-1
- Initial package