Hi Guinevere,

TL;DR: as with most security issues, end users should update their systems.

I think you may be caught in some news exaggeration. Don't get me wrong, this hack was a huge thing, but it was discovered early enough that most (I'd guess almost all) Fedora users won't have to do anything.

For Fedora, the problem package was only in Fedora 40 Beta and Fedora Rawhide. If you are not running these packages, this isn't more than a "wow, that was a near miss" for the end user. If you are running either version, the xz maintainer has already rolled back the problem update, so if you use "dnf update" you are safe.

Because of a stroke of luck (finding this as early as we did), it's as simple as that: we have an assumed-good version that users can 'update' to, and beyond that, we developers need to verify that the assumed-good version is actually good, and if it isn't, issue new updates.

That was simply explained without burying it. Thanks.

Someone again in private complained at me for "I should have read" the Fedora Magazine.

Somehow I am supposed to know that Fedora *Magazine* is the official info source for FedoraProject, not the front page or even "News & Announcements".

I guess I do now.

Now read what is written at https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/.

Let me say I wish I had found your comment, written in your way, sooner! Even when you suspect it may be the case, it's harder to evade any news exaggeration when it's not clear where to look, or the places you do look are written in ways you can't clearly understand. So one more time, thanks.

Cheers!

 Arnie