In January of this year, a kernel flaw was disclosed and named [CVE-2024-1086](https://nvd.nist.gov/vuln/detail/CVE-2024-1086). This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright ([Dealing with CVE-2024-1086](https://jonathanspw.com/posts/2024-03-31-dealing-with-cve-2024-1086/)). In multi-user scenarios, this flaw is especially problematic.
Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a [moderate impact](https://access.redhat.com/security/cve/CVE-2024-1086). Our users have asked us to patch this more quickly, and as such, we have opted to include patches ourselves. We released this kernel patch to the [testing repo](https://almalinux.org/blog/new-repositories-for-almalinux-os-synergy-and-testing/) last weekend and plan to push it to production on Wednesday, April 3rd.
Note: We don't recommend that you keep the testing repo enabled after you've updated the kernel, unless you've done this on a truly non-production environment. If this is a production environment, you can disable the repo with this command:
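As an added example (not the post's own script), the following POSIX shell helper does the two checks a production host wants after taking the kernel from the testing repo: that the reboot actually landed on the newest installed kernel, and that the testing repo has been disabled again. It assumes the testing repository's id is `almalinux-testing`, which the post does not name; confirm it with `dnf repolist --all` before relying on it.

```shell
#!/bin/sh
# Added example, not from the AlmaLinux post. Verifies a kernel update taken
# from the testing repo and turns the repo back off on production hosts.
# Assumption: the testing repo id is "almalinux-testing" (override via env).
TESTING_REPO_ID="${TESTING_REPO_ID:-almalinux-testing}"

# newest_kernel LIST: LIST is the output of
#   rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'
# (one version per line); prints the highest one (sort -V ordering).
newest_kernel() {
    printf '%s\n' "$1" | sort -V | tail -n 1
}

# running_is_newest RUNNING LIST: succeeds when RUNNING (uname -r) equals the
# newest installed kernel, fails when a reboot into the new kernel is pending.
running_is_newest() {
    [ "$1" = "$(newest_kernel "$2")" ]
}

# repo_enabled OUTPUT ID: succeeds when ID is in the first column of
# `dnf repolist --enabled` output (the header line is skipped).
repo_enabled() {
    printf '%s\n' "$1" | awk -v id="$2" \
        'NR > 1 && $1 == id { found = 1 } END { exit found ? 0 : 1 }'
}

main() {
    installed=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')
    running=$(uname -r)
    if ! running_is_newest "$running" "$installed"; then
        echo "running $running, newest installed $(newest_kernel "$installed"): reboot pending" >&2
        exit 2
    fi
    repos=$(dnf repolist --enabled)
    if repo_enabled "$repos" "$TESTING_REPO_ID"; then
        echo "disabling $TESTING_REPO_ID on this host"
        dnf config-manager --set-disabled "$TESTING_REPO_ID"
    else
        echo "$TESTING_REPO_ID is already disabled"
    fi
}

# Only act when explicitly asked, so sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh check-testing-kernel.sh --apply` as root once the host has rebooted into the updated kernel.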
If you encounter problems, please let us know as soon as you can, either in the [AlmaLinux chat](https://chat.almalinux.org), on [bugs.almalinux.org](https://bugs.almalinux.org), or by emailing [packager@almalinux.org](mailto:packager@almalinux.org).
The entire open source world exploded last Friday as a [reporter shared that they had identified a backdoor](https://www.openwall.com/lists/oss-security/2024/03/29/4) in the open source data compression utility XZ. Thanks to both the diligence of the reporter, Andres Freund, and the nature of beta and rolling releases being used for testing, this backdoor was identified much earlier than it might have otherwise been. Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the backdoor inserted hadn't made it further than Fedora in our ecosystem.
Both Fedora 40 beta and Rawhide were potentially impacted, and Red Hat has taken steps to mitigate the problem here (read more in their notice [here](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users)), but neither CentOS Stream, RHEL, nor AlmaLinux ever included this malicious code.
Security is a priority at AlmaLinux, and once again we're patching something we feel is super important. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community who reported, worked to fix, and have tested our security updates.
If you have any interest in helping us test updates like this in the future, join our [chat](https://chat.almalinux.org), join our [forums](https://forums.almalinux.org/), and keep your eyes open! We'll be looking for contributions to our OpenQA testing later this year, too!