AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)
https://almalinux.org/
updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a
use-after-free vulnerability in the kernel that could be exploited to
gain local privilege escalation. This is notable because the fix
marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):
In January of this year, a kernel flaw was disclosed and named <a href="https://nvd.nist.gov/vuln/detail/CVE-2024-1086" rel="nofollow">CVE-2024-1086</a>.
This flaw is trivially exploitable on most RHEL-equivalent
systems. There are many proof-of-concept posts available now,
including one from our Infrastructure team lead, Jonathan Wright (<a href="https://jonathanspw.com/posts/2024-03-31-dealing-with-cve-2024-1086/" rel="nofollow">Dealing
with CVE-2024-1086</a>). In multi-user scenarios, this flaw is
especially problematic.
Though this was flagged as something to be fixed in Red Hat
Enterprise Linux, Red Hat has only rated this as a <a href="https://access.redhat.com/security/cve/CVE-2024-1086" rel="nofollow">moderate
impact</a>.
The AlmaLinux project would also like to note that it is not
impacted by the XZ backdoor. "Because enterprise Linux takes a bit
longer to adopt those updates (sometimes to the chagrin of our users),
the version of XZ that had the back door inserted hadn't made it
further than Fedora in our ecosystem."
https://lwn.net/Articles/968299/