# Summary

A security vulnerability has been discovered within rpm-ostree. Affected versions created the /etc/shadow and /etc/gshadow files with the world-readable bit enabled. With permissions set at a higher than recommended level, sensitive authentication data may be exposed to unauthorized access.

# Impact

This issue occurs only on systems which were installed from Fedora 39 installers (this includes Silverblue, Kinoite, Sericea, Bluefin, Bazzite; any upstream Fedora Atomic installer or Universal Blue installer). If you installed from Fedora 38 and upgraded to a Fedora 39 based image, you are not affected.

# Resolution

The Universal Blue Team is actively working on updating our images to include the fix that is provided by the fixed version of rpm-ostree.

## Solution 1

Update your system as soon as the fix is confirmed in our base images. This will patch any existing downstream installation: Bazzite, Bluefin, Aurora, or Universal Blue main images.

## Solution 2

If you do not wish to wait for an update in our base images, you may manually implement the fix as recommended in: https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6

```
sudo chmod --verbose 0000 /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
```

# Additional Information

Official CVE from Red Hat: https://access.redhat.com/security/cve/CVE-2024-2905

Advisory from CoreOS: https://github.com/coreos/rpm-ostree/security/advisories/GHSA-2m76-cwhg-7wv6
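To confirm whether an installation is affected before (or after) applying the chmod above, the following audit script checks the same four files for group- or other-readable bits. It is an added example, not code from the Universal Blue advisory or from rpm-ostree; the function names `shadow_world_readable` and `audit_shadow_files` are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the advisory or rpm-ostree): audit the shadow
# files for permission bits that expose them to group or other users.

# shadow_world_readable FILE
# Returns 0 if FILE grants read access to "group" or "other", 1 if it does
# not, 2 if FILE does not exist. Parses the ls -l mode string (positions
# 5 and 8) so it works with both GNU and BSD userland.
shadow_world_readable() {
    f="$1"
    [ -e "$f" ] || return 2
    mode=$(ls -ld "$f" | cut -c1-10)
    group_r=$(printf '%s' "$mode" | cut -c5)
    other_r=$(printf '%s' "$mode" | cut -c8)
    if [ "$group_r" = "r" ] || [ "$other_r" = "r" ]; then
        return 0
    fi
    return 1
}

# audit_shadow_files FILE...
# Prints one status line per file and returns 1 if any file is readable by
# group or other (the state left by affected rpm-ostree versions), else 0.
audit_shadow_files() {
    rc=0
    for f in "$@"; do
        shadow_world_readable "$f"
        case $? in
            0) printf 'EXPOSED  %s (%s)\n' "$f" "$(ls -ld "$f" | cut -c1-10)"
               rc=1 ;;
            1) printf 'ok       %s\n' "$f" ;;
            2) printf 'missing  %s\n' "$f" ;;
        esac
    done
    return $rc
}

# Default target set matches the advisory's chmod command.
if [ "${1:-}" = "--run" ]; then
    audit_shadow_files /etc/shadow /etc/gshadow /etc/shadow- /etc/gshadow-
fi
```

Run it as `sh audit.sh --run`; a non-zero exit status means at least one file still needs the chmod from Solution 2.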