Is CVE‑2024‑6387 fixed/backported in Rocky Linux 9.7’s OpenSSH package?

Hello,

I would like to know whether the CVE-2024-6387 vulnerability in OpenSSH has been backported/fixed in the OpenSSH package for Rocky Linux 9.7. If it hasn’t, are there any alternative repositories that provide the source RPM or patch so we can build it ourselves?

Thanks

You can easily check this for yourself:

rpm -q --changelog openssh | grep 2024-6387

As you can see, it’s listed there as fixed.

Although the CVE-2024-6387 fix is listed in the changelog for the previous version (openssh-8.7p1-45.el9.rocky.0.1.x86_64), the vulnerability still appears to be present.

Can you elaborate on this in more detail?

Most likely the vulnerability scanner you are using is reporting incorrect information by just looking at the version number without actually checking it correctly.

If the changelog is there for the fix, then the fix is there. It’s that simple.

I can see the change log. I will request my security team to rescan.

rpm -q --changelog openssh-clients-8.7p1-47.el9_7.rocky.0.1.x86_64 | grep 2024-6387

- Possible remote code execution due to a race condition (CVE-2024-6387)

@aplha02 I went through this with CentOS at my old $day_job years ago. You need to specifically note to the security team that it is a backported fix. Sometimes you even need to show the command used to verify, etc.


What are the commands you used to verify? I tried `rpm -q --changelog openssh-clients-8.7p1-47.el9_7.rocky.0.1.x86_64 | grep 2024-6387`.

[nazu@router ansible]$ rpm -q openssh --changelog | grep 2024-6387
- Possible remote code execution due to a race condition (CVE-2024-6387)
[nazu@router ansible]$ rpm -q openssh --changelog | grep 2024-6387 -B1 -A1
* Thu Jul 04 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-42
- Possible remote code execution due to a race condition (CVE-2024-6387)
  Resolves: RHEL-45348
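As an added example (not from any post in this thread), a small POSIX shell script that parses `rpm -q --changelog` output and reports the package release in which a CVE is mentioned, which is the evidence a scanner team needs to accept a backported fix. The sample changelog is constructed apart from the 8.7p1-42 entry quoted above; `check_cve_on_host` assumes `rpm` is available on the host.

```shell
#!/bin/sh
# Added example, not from any post in this thread.
# Report which changelog entry (version-release) mentions a CVE, so a backported
# fix can be shown to a scanner team even though the upstream version string
# (8.7p1) never changed. Input is the text `rpm -q --changelog PKG` prints:
# entries start with "* <date> <author> - <version-release>" and are newest-first.
cve_fix_release() {
    # $1 = CVE id; changelog text on stdin. Prints the version-release of the
    # newest entry naming the CVE and exits 0, or prints nothing and exits 1.
    awk -v cve="$1" '
        /^\* / { rel = $NF; next }                 # header: last field is version-release
        rel != "" && $0 ~ (cve "([^0-9]|$)") { print rel; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

check_cve_on_host() {
    # $1 = package name, $2 = CVE id. Queries the installed package (needs rpm).
    # The installed package's changelog only lists releases up to its own, so a
    # hit means the fix is in what is installed, not merely in a newer build.
    nvr=$(rpm -q "$1") || return 2
    if rel=$(rpm -q --changelog "$1" | cve_fix_release "$2"); then
        printf '%s: %s fixed by backport in %s (installed: %s)\n' "$1" "$2" "$rel" "$nvr"
    else
        printf '%s: %s not mentioned in changelog of %s\n' "$1" "$2" "$nvr"
        return 1
    fi
}

# Constructed sample changelog: the 8.7p1-47 entry is a placeholder made up
# for this example; the 8.7p1-42 entry is the real one quoted in the thread.
SAMPLE_CHANGELOG='* Wed Jan 01 2025 Placeholder Maintainer <maint@example.invalid> - 8.7p1-47
- placeholder entry that does not mention any CVE
* Thu Jul 04 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-42
- Possible remote code execution due to a race condition (CVE-2024-6387)
  Resolves: RHEL-45348
'

# Offline demo on the sample; on a real host run: check_cve_on_host openssh CVE-2024-6387
printf '%s' "$SAMPLE_CHANGELOG" | cve_fix_release CVE-2024-6387    # prints 8.7p1-42
```

The regex suffix `([^0-9]|$)` keeps a search for CVE-2024-6387 from matching a longer id such as CVE-2024-63870, which a plain `grep 2024-6387` would report.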