Bug 33390

Summary: openssh: new security issue
Product: Mageia
Reporter: Marc Krämer <mageia>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: jani.valimaa, nicolas.salguero
Version: 9
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: openssh
CVE: CVE-2024-6409
Status comment:

Description Marc Krämer 2024-07-10 12:19:54 CEST
Introduced security issue due to "openssh-7.6p1-audit.patch"

https://lwn.net/ml/all/20240708162106.GA4920@openwall.com/ (CVE-2024-6409)

(German news):
https://www.heise.de/news/OpenSSH-Weitere-RegreSSHion-artige-Luecke-entdeckt-9795874.html


Cauldron already dropped many patches, including this one...
Marc Krämer 2024-07-10 12:20:08 CEST

CVE: (none) => CVE-2024-6409

Comment 1 Marc Krämer 2024-07-10 12:21:44 CEST
@wally: looks like we should backport the fix we made in Cauldron; I guess the audit patch is really not needed by mga.

CC: (none) => jani.valimaa

Comment 2 Nicolas Salguero 2024-07-10 13:49:59 CEST
Hi,

That CVE does not affect Mageia 9. From https://lwn.net/ml/all/20240708162106.GA4920@openwall.com/:
"""
The audit patch is also found in Fedora, so the package versions that
were based on 8.7p1 and 8.8p1 are affected.  Per change log, it appears
that out of Fedora releases only 36 and 37 were affected, as well as
some updates maybe starting with those for 35 and until those for 37.
These versions are now end-of-life, and Fedora 38+ has moved to newer
upstream OpenSSH that doesn't make the problematic cleanup_exit() call.
"""

I checked and I confirm that the code of the function grace_alarm_handler() (in sshd.c) does not call cleanup_exit().

Best regards,

Nico.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
CC: (none) => nicolas.salguero
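
Added example (not part of this bug report and not OpenSSH or Mageia code): one way to script the source check described in comment 2, so it can be repeated on a patched source tree after `%prep`. The helper names `function_body` and `handler_calls` are hypothetical, and the two C snippets are constructed, simplified inputs rather than real `sshd.c` content.

```python
import re

HANDLER, UNSAFE_CALL = "grace_alarm_handler", "cleanup_exit"  # names from comment 2

def strip_comments_and_strings(src):
    """Blank out C comments and literals, keeping newlines and offsets."""
    pattern = r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\''
    return re.sub(pattern, lambda m: re.sub(r"[^\n]", " ", m.group()),
                  src, flags=re.S)

def function_body(src, name):
    """Text between the braces of the definition of `name`, or None."""
    code = strip_comments_and_strings(src)
    # A prototype ends in ';' rather than '{', so it does not match here.
    m = re.search(r"\b%s\s*\([^)]*\)\s*\{" % re.escape(name), code)
    if m is None:
        return None
    depth = 1
    for i in range(m.end(), len(code)):
        depth += {"{": 1, "}": -1}.get(code[i], 0)
        if depth == 0:
            return code[m.end():i]
    return None  # unbalanced braces: truncated file

def handler_calls(src, handler=HANDLER, callee=UNSAFE_CALL):
    """True if `handler` directly calls `callee` in this C source."""
    body = function_body(src, handler)
    if body is None:
        raise ValueError(f"{handler}() is not defined in this source")
    return re.search(r"\b%s\s*\(" % re.escape(callee), body) is not None

# Constructed, simplified inputs for the demo; not real OpenSSH source.
WITHOUT_CALL = """
static void grace_alarm_handler(int sig);   /* prototype */
static void grace_alarm_handler(int sig)
{
    /* an older build called cleanup_exit(255) here */
    _exit(1);
}
"""
WITH_CALL = """
static void grace_alarm_handler(int sig)
{
    if (sig != 0) { kill(0, SIGTERM); }
    cleanup_exit(255);
}
"""

if __name__ == "__main__":
    print(handler_calls(WITHOUT_CALL), handler_calls(WITH_CALL))  # False True
```

The check only sees a direct call in the handler body; a call reached through another function the handler invokes still needs a manual read of the source.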