ALAS-2024-649

Amazon Linux 2023 Security Advisory: ALAS-2024-649
Advisory Release Date: 2024-06-26 21:55 Pacific
Advisory Updated Date: 2024-07-01 12:30 Pacific
Severity: Important
Issue Overview:

A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().


Affected Packages:

openssh


Issue Correction:
Run dnf update openssh --releasever 2023.5.20240701 to update your system.

New Packages:
aarch64:
    openssh-keycat-debuginfo-8.7p1-8.amzn2023.0.11.aarch64
    openssh-server-debuginfo-8.7p1-8.amzn2023.0.11.aarch64
    openssh-debuginfo-8.7p1-8.amzn2023.0.11.aarch64
    openssh-server-8.7p1-8.amzn2023.0.11.aarch64
    openssh-keycat-8.7p1-8.amzn2023.0.11.aarch64
    pam_ssh_agent_auth-debuginfo-0.10.4-4.8.amzn2023.0.11.aarch64
    openssh-8.7p1-8.amzn2023.0.11.aarch64
    pam_ssh_agent_auth-0.10.4-4.8.amzn2023.0.11.aarch64
    openssh-clients-8.7p1-8.amzn2023.0.11.aarch64
    openssh-clients-debuginfo-8.7p1-8.amzn2023.0.11.aarch64
    openssh-debugsource-8.7p1-8.amzn2023.0.11.aarch64

src:
    openssh-8.7p1-8.amzn2023.0.11.src

x86_64:
    openssh-clients-debuginfo-8.7p1-8.amzn2023.0.11.x86_64
    openssh-debuginfo-8.7p1-8.amzn2023.0.11.x86_64
    openssh-server-8.7p1-8.amzn2023.0.11.x86_64
    openssh-server-debuginfo-8.7p1-8.amzn2023.0.11.x86_64
    pam_ssh_agent_auth-debuginfo-0.10.4-4.8.amzn2023.0.11.x86_64
    pam_ssh_agent_auth-0.10.4-4.8.amzn2023.0.11.x86_64
    openssh-keycat-debuginfo-8.7p1-8.amzn2023.0.11.x86_64
    openssh-keycat-8.7p1-8.amzn2023.0.11.x86_64
    openssh-8.7p1-8.amzn2023.0.11.x86_64
    openssh-clients-8.7p1-8.amzn2023.0.11.x86_64
    openssh-debugsource-8.7p1-8.amzn2023.0.11.x86_64

Additional References

Red Hat: CVE-2024-6387

Mitre: CVE-2024-6387