1y ago

A new flaw in OpenSSH can lead to remote code execution

4 comments

The CVE-2024-6409 vulnerability affects only the sshd server shipped in RHEL 9, while the upstream versions of sshd are not impacted.
Yes, only RHEL based releases affected (source):
Specifically, openssh-7.6p1-audit.patch found in Red Hat's package of OpenSSH adds code to cleanup_exit() that exposes the issue. Relevantly, this patch is found in RHEL 9 (and its rebuild/downstream distributions), where the package is based on OpenSSH 8.7p1.
Debian oldstable is safe from this as well
- Looks like openSUSE Leap is fine, not sure about other SUSE distros.
Flashback xz package in linux getting louder and louder
- xz was a deliberate supply chain attack this is just a bug, accidental, not a rhel backdoor