AlmaLinux, a Linux distribution that maintains compatibility with Red Hat Enterprise Linux (RHEL), has released a patch for CVE-2024-6409, a vulnerability in OpenSSH that could potentially allow an attacker to execute code on the target machine.
Normally, downstream projects that rebuild RHEL code, such as AlmaLinux or Rocky Linux, have to wait for RHEL to publish its source changes before building and shipping their own binaries. For this particular bug, however, AlmaLinux released the patch one day ahead of RHEL.
The decision to ship it rested with the AlmaLinux Engineering Steering Committee (ALESCo), an engineering committee established for AlmaLinux this year, because releasing a patch that differs from RHEL's can lead to behaviour that diverges from RHEL.
CVE-2024-6409 was analyzed by the researcher Solar Designer, who worked on the flaw known as regreSSHion and found another exploitable point in the child process, where the function cleanup_exit() is called from a signal handler in a way that is not async-signal-safe. Its impact is lower than that of the original regreSSHion because the child process runs with low privileges. Although the two vulnerabilities were found within a short time of each other, Red Hat is not prepared to merge the two patches into one.
CVE-2024-6409 has a CVSS 3.1 score of 7.0 and is rated Moderate by Red Hat. Although AlmaLinux released the patch earlier, the difference in timing is only a single day.
TL;DR: AlmaLinux released a patch for a critical vulnerability in OpenSSH ahead of Red Hat, which potentially results in different functionality from RHEL.