OpenSSH bug leaves RHEL 9 and RHELatives vulnerable

The founder of Openwall has discovered a new signal handler race condition in the core sshd daemon used in RHEL 9.x and its various offshoots.

The new flaw, tagged as CVE-2024-6409, was found by Openwall's Alexander Peslyak, known in the security world as Solar Designer. It affects the sshd daemon versions 8.7p1 and 8.8p1, which were used in Fedora 36 and 37 as well as Red Hat Enterprise Linux 9 – and of course the various RHELatives as well.

The bug was announced earlier this week on the oss-security mailing list, and the AlmaLinux team has already released a fix – beating the bigger players. As AlmaLinux's Andrew Lukoshko said:

The decision to build the update and push the package to production without waiting for a CentOS Stream or RHEL update was made by our newly formed Technical Steering Committee, ALESCo.
