AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)

by jzb from LWN.net on (#6KTHZ)

AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):

In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.

Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact.

The AlmaLinux project would also like to note that it is not impacted by the XZ backdoor. "Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn't made it further than Fedora in our ecosystem."
