Keep CVE-2021-20271 workaround on Fedora 32 and older

Instead of refusing to update. While Fedora 32 is EOL already, do not break updates, as that's the first recommended step when upgrating to newer version. QubesOS/qubes-issues#6955
marmarek · Oct 11, 2021 · 4819df8 · 4819df8
1 parent 55bde4b
commit 4819df8
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/update/qubes-vm.sls b/update/qubes-vm.sls
@@ -1,4 +1,11 @@
 {% if grains['os_family'] == 'RedHat' %}
+{% if grains['os'] == 'Fedora' and grains['osmajorrelease'] < 33 %}
+/usr/lib/rpm/macros.d/macros.qubes:
+  file.managed:
+    - contents: |
+        # CVE-2021-20271 mitigation
+        %_pkgverify_level all
+{% else %}
 dnf-and-rpm:
   pkg.installed:
     - pkgs:
@@ -10,6 +17,7 @@ dnf-and-rpm:
     - require:
       - pkg: dnf-and-rpm
 {% endif %}
+{% endif %}
 
 {% if grains['os_family'] == 'RedHat' %}
 dnf-makecache: