AlmaLinux has patched a moderate security vulnerability before Red Hat Enterprise Linux (RHEL), a first for the RHEL clone distro.
AlmaLinux began its life as a 1:1 RHEL-compatible Linux distro, giving organizations a less expensive alternative to RHEL. When Red Hat announced its controversial decision to restrict access to RHEL’s source code, AlmaLinux pivoted to become Application Binary Interface (ABI) compatible.
A major benefit of this approach is that AlmaLinux no longer needs to wait for RHEL to patch a vulnerability, a point the distro has just proven. AlmaLinux OS Foundation Chair benny Vasquez announced the fix for CVE-2024-1086 on the organization’s website.
In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.
Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact. Our users have asked us to patch this more quickly, and as such, we have opted to include patches ourselves. We released this kernel patch to the testing repo last weekend and plan to push it to production on Wednesday, April 3rd.
Vasquez also took the opportunity to assure users that AlmaLinux was not impacted by the recent XZ backdoor.
The entire open source world exploded last Friday as a reporter shared that they had identified a backdoor in the open source data compression utility XZ. Thanks to both the diligence of the reporter, Andres Freund, and the nature of beta and rolling releases being used for testing, this back door was identified much earlier than it might have otherwise been. Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn’t made it further than Fedora in our ecosystem.
Vasquez concluded by emphasizing the newfound freedom that comes with being a “Red Hat equivalent operating system,” rather than a 1:1 compatible one.
Security is a priority at AlmaLinux, and once again we’re patching something we feel is super important. This is part of the freedom that comes with being a community-powered Red Hat equivalent operating system. We appreciate the members of our community that reported, worked to fix, and have tested our security updates.