update: net-misc/openssh
Name: net-misc/openssh
CVEs: CVE-2024-6387
CVSS: 8.1
Action Needed: Upgrade OpenSSH to a version that carries the fix.
Summary: We discovered a vulnerability (a signal handler race condition) in OpenSSH's server (sshd): if a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously, but this signal handler calls various functions that are not async-signal-safe (for example, syslog()). This race condition affects sshd in its default configuration.
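To make the "not async-signal-safe" point in the summary concrete, here is an added example in C; it is not sshd's code and the names (`unsafe_alarm_handler`, `safe_alarm_handler`, `install_grace_alarm`, `handle_grace_expiry`) are illustrative. The first handler has the shape of the bug: it calls `syslog()` and `exit()` from signal context, where they may run while the interrupted code holds a lock or is in the middle of `malloc()`. The second handler only sets a `volatile sig_atomic_t` flag and leaves logging and shutdown to ordinary code, which is the pattern POSIX allows.

```c
/* Added example (not OpenSSH code): unsafe vs. safe SIGALRM handling for a
 * login-grace timeout. Names and the 2-second grace period are illustrative. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

static volatile sig_atomic_t grace_expired = 0;

/* UNSAFE: never install this. syslog() and exit() are not async-signal-safe;
 * if SIGALRM lands while the main code holds the syslog/malloc lock or is
 * mid-allocation, the handler re-enters that state. Shown for contrast only. */
void unsafe_alarm_handler(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication");  /* may take a lock, may malloc() */
    exit(1);                                             /* runs atexit() and flushes stdio */
}

/* SAFE: the only thing the handler does is record that the alarm fired.
 * Writing a volatile sig_atomic_t is async-signal-safe by definition. */
void safe_alarm_handler(int sig)
{
    (void)sig;
    grace_expired = 1;
}

/* Install the safe handler with sigaction() and arm the alarm.
 * grace_seconds == 0 installs the handler without starting a timer.
 * Returns 0 on success, -1 if sigaction() fails. */
int install_grace_alarm(unsigned int grace_seconds)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;            /* no SA_RESTART: blocking calls return EINTR so the loop can check the flag */
    if (sigaction(SIGALRM, &sa, NULL) == -1)
        return -1;
    if (grace_seconds)
        alarm(grace_seconds);
    return 0;
}

/* Read the flag from normal context. */
int grace_has_expired(void)
{
    return grace_expired != 0;
}

/* Runs in normal (non-signal) context, where syslog() is fine.
 * Returns 1 if an expiry was handled, 0 if the timer has not fired. */
int handle_grace_expiry(void)
{
    if (!grace_expired)
        return 0;
    syslog(LOG_INFO, "Timeout before authentication");
    return 1;
}

int main(void)
{
    if (install_grace_alarm(2) == -1)   /* 2 s stands in for LoginGraceTime */
        return 1;
    while (!grace_has_expired())
        pause();                        /* returns when SIGALRM is delivered */
    handle_grace_expiry();              /* log from the main loop, not the handler */
    _exit(2);                           /* _exit() is async-signal-safe; exit() is not */
}
```

The defensive rule the example encodes: a signal handler may set a flag or call `_exit()`, and everything else (logging, freeing memory, closing the connection) happens after the main loop observes the flag. The unsafe handler is left in the file only so the two shapes can be compared side by side.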
refmap.gentoo: https://bugs.gentoo.org/935271
EDIT: 🟢 Flatcar is now safe against this vulnerability from: Alpha 4012.0.1, Beta 3975.1.1, Stable 3815.2.5 and LTS 3510.3.5
Release Tracking issue for the release: https://github.com/flatcar/Flatcar/issues/1488
I kept this open for visibility purposes - now we can close it. 🟢 Flatcar is now safe against this vulnerability from: Alpha 4012.0.1, Beta 3975.1.1, Stable 3815.2.5 and LTS 3510.3.5