Amazon Linux 2023 Security Advisory: ALAS-2024-651
Advisory Release Date: 2024-07-18 01:24 Pacific
Advisory Updated Date: 2024-07-22 16:00 Pacific
Severity:
Important
Issue Overview:
A signal handler race condition vulnerability was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog(). This issue leaves it vulnerable to a signal handler race condition on the cleanup_exit() function, which introduces the same vulnerability as CVE-2024-6387 in the unprivileged child of the SSHD server. (CVE-2024-6409)
Affected Packages:
openssh
Issue Correction:
Run dnf update openssh --releasever 2023.5.20240722 to update your system.
New Packages:
aarch64:
openssh-clients-debuginfo-8.7p1-8.amzn2023.0.12.aarch64
openssh-keycat-8.7p1-8.amzn2023.0.12.aarch64
openssh-server-debuginfo-8.7p1-8.amzn2023.0.12.aarch64
openssh-debuginfo-8.7p1-8.amzn2023.0.12.aarch64
pam_ssh_agent_auth-debuginfo-0.10.4-4.8.amzn2023.0.12.aarch64
openssh-server-8.7p1-8.amzn2023.0.12.aarch64
openssh-8.7p1-8.amzn2023.0.12.aarch64
openssh-clients-8.7p1-8.amzn2023.0.12.aarch64
pam_ssh_agent_auth-0.10.4-4.8.amzn2023.0.12.aarch64
openssh-keycat-debuginfo-8.7p1-8.amzn2023.0.12.aarch64
openssh-debugsource-8.7p1-8.amzn2023.0.12.aarch64
src:
openssh-8.7p1-8.amzn2023.0.12.src
x86_64:
openssh-server-debuginfo-8.7p1-8.amzn2023.0.12.x86_64
openssh-clients-debuginfo-8.7p1-8.amzn2023.0.12.x86_64
openssh-keycat-debuginfo-8.7p1-8.amzn2023.0.12.x86_64
openssh-keycat-8.7p1-8.amzn2023.0.12.x86_64
openssh-debuginfo-8.7p1-8.amzn2023.0.12.x86_64
pam_ssh_agent_auth-0.10.4-4.8.amzn2023.0.12.x86_64
openssh-server-8.7p1-8.amzn2023.0.12.x86_64
pam_ssh_agent_auth-debuginfo-0.10.4-4.8.amzn2023.0.12.x86_64
openssh-8.7p1-8.amzn2023.0.12.x86_64
openssh-clients-8.7p1-8.amzn2023.0.12.x86_64
openssh-debugsource-8.7p1-8.amzn2023.0.12.x86_64