• infeeeee@lemm.ee
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    4 months ago

    The CVE-2024-6409 vulnerability affects only the sshd server shipped in RHEL 9, while the upstream versions of sshd are not impacted.

    Yes, only RHEL based releases affected (source):

    Specifically, openssh-7.6p1-audit.patch found in Red Hat’s package of OpenSSH adds code to cleanup_exit() that exposes the issue. Relevantly, this patch is found in RHEL 9 (and its rebuild/downstream distributions), where the package is based on OpenSSH 8.7p1.

    Debian oldstable is safe from this as well

    • infeeeee@lemm.ee
      link
      fedilink
      English
      arrow-up
      8
      ·
      4 months ago

      xz was a deliberate supply chain attack this is just a bug, accidental, not a rhel backdoor