OpenSSH bug leaves RHEL 9 and the RHELatives vulnerable

The founder of Openwall has discovered a new signal handler race condition in the core sshd daemon used in RHEL 9.x and its various offshoots. The new flaw, tagged as CVE-2024-6409, was found by Openwall's Alexander Peslyak, known in the security world as Solar Designer. It affects the sshd daemon versions 8.7p1 and 8.8p1, …

  1. cyberdemon

    > potentially nasty, because it affects a part of OpenSSH that's running with reduced privileges

    Er... Shurely it's less potentially nasty than a bug in root-privileged code? The snippet from the Debian guy seems to agree...

    > "although this is a high-severity bug, it's running in a process with separated privileges. This means that the affected code is running like an ordinary user account, not an administrative account, so the potential attack is more limited."

    1. ChoHag

      Re: > potentially nasty, because it affects a part of OpenSSH that's running with reduced privileges

      > This means that the affected code is running like an ordinary user account, not an administrative account, so the potential attack is more limited.

      And this is why we do privsep.

    2. Liam Proven (Written by Reg staff)

      Re: > potentially nasty, because it affects a part of OpenSSH that's running with reduced privileges

      [Author here]

      You know what? You're right. That was poorly phrased. I think a sentence fragment got lost as I was editing it.

      I would have been better saying something like:

      « Although this is a high-severity bug, it's not as nasty as it could have been, because it's running in a process with separated privileges. »

  2. Korev

    Looks like a Rocky road ahead...

  3. Beeblebrox

    EOL

    Fedora 37 was EOLed > 6 months ago.
