The CVE-2024-6409 vulnerability affects only the sshd server shipped in RHEL 9, while the upstream versions of sshd are not impacted.

Yes, only RHEL based releases affected (source):

Specifically, openssh-7.6p1-audit.patch found in Red Hat’s package of OpenSSH adds code to cleanup_exit() that exposes the issue. Relevantly, this patch is found in RHEL 9 (and its rebuild/downstream distributions), where the package is based on OpenSSH 8.7p1.

Debian oldstable is safe from this as well