Linux

7782 readers

12 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.
Be respectful: Treat fellow community members with respect and courtesy.
Quality over quantity: Share informative and thought-provoking content.
No spam or self-promotion: Avoid excessive self-promotion or spamming.
No NSFW adult content
Follow general lemmy guidelines.

founded 1 year ago

MODERATORS

MigratingtoLemmy@lemmy.world

CVE-2024-6387 OpenSSH Server Authentication Bypass (cve.mitre.org)

submitted 2 months ago by ricdeh@lemmy.world to c/linux@lemmy.world

2 comments fedilink hide all child comments

A signal handler race condition was found in OpenSSH's server (sshd), where a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), then sshd's SIGALRM handler is called asynchronously. However, this signal handler calls various functions that are not async-signal-safe, for example, syslog().

all 3 comments

sorted by: hot top controversial new old

[–] catloaf@lemm.ee 2 points 2 months ago (1 children)

I'm not familiar with this exploit vector. How does this bypass authentication? What's the race you're trying to win when the prompt times out?

[–] lambalicious@lemmy.sdf.org 1 points 2 months ago

And this is the reason I run infra on Debian Stable, or Oldstable, rather than eg.: Sid.