2 changed files with 46 additions and 0 deletions
@ -0,0 +1,46 @@ |
|||
--- |
|||
title: "AlmaLinux OS - CVE-2024-1086 and XZ" |
|||
type: blog |
|||
author: |
|||
name: "benny Vasquez" |
|||
bio: "Chair, AlmaLinux OS Foundation" |
|||
image: /users/benny.jpeg |
|||
date: 2024-04-02 |
|||
images: |
|||
- /blog-images/2024-04-02-xz-and-cve-2024-1086.png |
|||
post: |
|||
title: "AlmaLinux OS - CVE-2024-1086 and XZ" |
|||
image: /blog-images/2024-04-02-xz-and-cve-2024-1086.png |
|||
--- |
|||
|
|||
|
|||
|
|||
## CVE-2024-1086 - call for testing |
|||
|
|||
In January of this year a kernel flaw was disclosed and named named [CVE-2024-1086](https://nvd.nist.gov/vuln/detail/CVE-2024-1086). This flaw is trivially exploitable on most RHEL-equivelent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright ([Dealing with CVE-2024-1086](https://jonathanspw.com/posts/2024-03-31-dealing-with-cve-2024-1086/)). In multi-user scenarios, this flaw is especially problematic. |
|||
|
|||
Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a [moderate impact](https://access.redhat.com/security/cve/CVE-2024-1086). Our users have asked us to patch this more quickly, and as such we have opted to include patches ourselves. We released this kernel patch to the [testing repo](https://almalinux.org/blog/new-repositories-for-almalinux-os-synergy-and-testing/) last weekend, and plan to push to production on Wednesday, April 3rd. |
|||
|
|||
If you'd like to test the updates before they're in production, it's super simple. Just install the testing repo: |
|||
|
|||
```bash |
|||
dnf install -y almalinux-release-testing |
|||
``` |
|||
|
|||
Then update your kernel: |
|||
|
|||
```bash |
|||
dnf update kernel* |
|||
``` |
|||
|
|||
If you encounter problems, please let us know as soon as you can, either in the AlmaLinux chat, on bugs.almalinux.org, or by emailing [packager@almalinux.org](packager@almalinux.org). |
|||
|
|||
## AlmaLinux is NOT impacted by the XZ backdoor |
|||
|
|||
The entire open source world exploded a little over a week ago as a [reporter shared that they had identified a backdoor](https://www.openwall.com/lists/oss-security/2024/03/29/4) in the open source data compression utility XZ. Thanks to the diligence of the reporter, Andres Freund, this back door was identified much earlier than it might have otherwise been. Due to the aim at stability for enterprise linux, the version of XZ that had the back door inserted hadn't made it further than Fedora. Both Fedora 40 beta and Rawhide were potentially impacted, and Red Hat has taken steps to mitigate the problem here (read more in their notice [here](https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users)), but neither CentOS Stream, Red Hat, nor AlmaLinux ever included this malicious code. |
|||
|
|||
## Thanks to our community |
|||
|
|||
Security is a priority at AlmaLinux, and once again we're patching something we feel is super important. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community that reported, worked to fix, and have tested our security updates. |
|||
|
|||
If you have any interest in helping us test updates like this in the future, join our [chat](https:chat.almalinux.org), join our [forums](https://almalinux.discourse.group/), and keep your eyes open! We'll be looking for contributions to our OpenQA testing later this year, too! |
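Review bot: the update step `dnf update kernel*` leaves the glob unquoted, so the shell expands it against files in the current directory before dnf ever sees it; quote it as `dnf update 'kernel*'`, and state that the machine must be rebooted into the new kernel for the CVE-2024-1086 fix to take effect, since the testing instructions stop at the update command. Also in this hunk: the chat link at the end (`https:chat.almalinux.org`) is missing `//` and will not resolve, the packager e-mail link lacks a `mailto:` prefix so it renders as a relative page link, and the first paragraph has "named named" and "RHEL-equivelent" (should be "equivalent").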