
update: net-misc/openssh #1487

Closed
tormath1 opened this issue Jul 1, 2024 · 2 comments
Labels: advisory (security advisory), cvss/HIGH (> 7 && < 9 assessed CVSS), security (security concerns)

Comments

tormath1 (Contributor) commented Jul 1, 2024

Name: net-misc/openssh
CVEs: CVE-2024-6387
CVSSs: 8.1
Action Needed: Upgrade OpenSSH with correct patch.

Summary: We discovered a vulnerability (a signal handler race condition) in
OpenSSH's server (sshd): if a client does not authenticate within
LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions),
then sshd's SIGALRM handler is called asynchronously, but this signal
handler calls various functions that are not async-signal-safe (for
example, syslog()). This race condition affects sshd in its default
configuration.

refmap.gentoo: https://bugs.gentoo.org/935271

EDIT: 🟢 Flatcar is now safe against this vulnerability from: Alpha 4012.0.1, Beta 3975.1.1, Stable 3815.2.5 and LTS 3510.3.5

@tormath1 tormath1 added security security concerns advisory security advisory labels Jul 1, 2024
@tormath1 tormath1 pinned this issue Jul 1, 2024
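The fixed Flatcar releases listed above are per channel, so a fleet check has to compare the host's version against the first safe version for its own channel. The script below is an added example, not code from the Flatcar project or this issue; it assumes the version is the `VERSION` key of `/etc/os-release` and the channel is the `GROUP` key of `/etc/flatcar/update.conf`, and the sample file contents are constructed.

```python
import re

# First safe Flatcar release per channel, as stated in the issue.
FIXED_VERSIONS = {
    "alpha": "4012.0.1",
    "beta": "3975.1.1",
    "stable": "3815.2.5",
    "lts": "3510.3.5",
}

def parse_version(version):
    """Turn '3815.2.5' into (3815, 2, 5); reject anything that is not X.Y.Z."""
    if not re.fullmatch(r"\d+(\.\d+){2}", version):
        raise ValueError(f"unrecognised Flatcar version: {version!r}")
    return tuple(int(part) for part in version.split("."))

def parse_kv(text):
    """Parse KEY=value lines (os-release / update.conf style), dropping quotes."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip('"')
    return values

def is_patched(channel, version):
    """True when version is at or above the first fixed release of its channel."""
    channel = channel.lower()
    if channel not in FIXED_VERSIONS:
        raise ValueError(f"unknown release channel: {channel!r}")
    return parse_version(version) >= parse_version(FIXED_VERSIONS[channel])

def assess_host(os_release, update_conf):
    """Return (channel, version, patched) from the two files' contents.
    Assumption: VERSION lives in /etc/os-release, GROUP in /etc/flatcar/update.conf."""
    version = parse_kv(os_release)["VERSION"]
    channel = parse_kv(update_conf)["GROUP"]
    return channel, version, is_patched(channel, version)

# Constructed sample contents, not captured from a real host.
SAMPLE_OS_RELEASE = 'NAME="Flatcar Container Linux by Kinvolk"\nVERSION=3815.2.4\n'
SAMPLE_UPDATE_CONF = "GROUP=stable\n"

if __name__ == "__main__":
    print(assess_host(SAMPLE_OS_RELEASE, SAMPLE_UPDATE_CONF))
```

A host whose channel key is missing or whose version does not parse raises instead of silently reporting safe, which is the behaviour you want in an inventory sweep.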
sayanchowdhury (Member) commented:
Release Tracking issue for the release: #1488

tormath1 (Contributor, Author) commented Jul 5, 2024

I kept this open for visibility purposes - now we can close it.
🟢 Flatcar is now safe against this vulnerability from: Alpha 4012.0.1, Beta 3975.1.1, Stable 3815.2.5 and LTS 3510.3.5
