I kept this open for visibility purposes - now we can close it.
🟢 Flatcar is now safe against this vulnerability from: Alpha 4012.0.1, Beta 3975.1.1, Stable 3815.2.5 and LTS 3510.3.5
Name: net-misc/openssh
CVEs: CVE-2024-6387
CVSSs: 8.1
Action Needed: Upgrade OpenSSH with correct patch.
Summary: We discovered a vulnerability (a signal handler race condition) in
OpenSSH's server (sshd): if a client does not authenticate within
LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions),
then sshd's SIGALRM handler is called asynchronously, but this signal
handler calls various functions that are not async-signal-safe (for
example, syslog()). This race condition affects sshd in its default
configuration.
refmap.gentoo: https://bugs.gentoo.org/935271
EDIT: 🟢 Flatcar is now safe against this vulnerability from: Alpha 4012.0.1, Beta 3975.1.1, Stable 3815.2.5 and LTS 3510.3.5