Join us December 14th for AlmaLinux Day: Tokyo! Read More

AlmaLinux OS - CVE-2024-1086 and XZ

profile
benny Vasquez

Chair, AlmaLinux OS Foundation

Update, April 3rd, 2024

The patches for CVE-2024-1086 are now available in production repos.

For AlmaLinux 8, you are looking for kernel-4.18.0-513.18.2.el8_9 or higher.

[root@host ~]# rpm -qa kernel
kernel-4.18.0-513.18.2.el8_9.x86_64
[root@host ~]# 

For Almalinux 9, you are looking for kernel-5.14.0-362.24.2.el9_3 or higher

[root@host ~]# rpm -qa kernel
kernel-5.14.0-362.24.2.el9_3.x86_64
[root@host ~]# 

Thank you to everyone who tested these patches!

=========

CVE-2024-1086 - call for testing

In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.

Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact. Our users have asked us to patch this more quickly, and as such, we have opted to include patches ourselves. We released this kernel patch to the testing repo last weekend and plan to push it to production on Wednesday, April 3rd.

If you’d like to test the updates before they’re in production, it’s super simple. Just install the testing repo:

dnf install -y almalinux-release-testing

Then update your kernel:

dnf update kernel

Note: We don’t recommend that you keep the testing repo enabled after you’ve updated the kernel, unless you’ve done this on a truely non-production environment. If this is a production environment, you can disable the repo with this command:

dnf config-manager --disable almalinux-testing

If you encounter problems, please let us know as soon as you can, either in the AlmaLinux chat, on bugs.almalinux.org, or by emailing packager@almalinux.org.

AlmaLinux is NOT impacted by the XZ backdoor

The entire open source world exploded last Friday as a reporter shared that they had identified a backdoor in the open source data compression utility XZ. Thanks to both the diligence of the reporter, Andres Freund, and the nature of beta and rolling releases being used for testing, this back door was identified much earlier than it might have otherwise been. Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn’t made it further than Fedora in our ecosystem.

Both Fedora 40 beta and Rawhide were potentially impacted, and Red Hat has taken steps to mitigate the problem here (read more in their notice here), but neither CentOS Stream, RHEL, nor AlmaLinux ever included this malicious code.

Thanks to our community

Security is a priority at AlmaLinux, and once again we’re patching something we feel is super important. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community that reported, worked to fix, and have tested our security updates.

If you have any interest in helping us test updates like this in the future, join our chat, join our forums, and keep your eyes open! We’ll be looking for contributions to our OpenQA testing later this year, too!

Pysy ajan tasalla!