On Mon, 8 Jul 2024, Solar Designer wrote: > Hi, > > Today is the coordinated release date to publicly disclose a related > issue I found during review of Qualys' findings, with further analysis > by Qualys. My summary is: > > CVE-2024-6409: OpenSSH: Possible remote code execution in privsep child > due to a race condition in signal handling
As an aside, who wrote the text of https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6409 ? It's disappointing that this CVE states that this is a vulnerability in OpenSSH sshd, and fails to make clear that this only affects Redhat versions and users of their downstream patch. This follows another critical failure to properly issue CVEs for OpenSSH: CVE-2024-6387 only lists CPEs for Redhat systems as affected (see the JSON dump of the entry: https://cveawg.mitre.org/api/cve/CVE-2024-6387 ) This means that anyone using automation that consumes CVEs for detecting vulnerabilities will be left exposed. Moreover, the explanatory text for CVE-2024-6387 is also extremely lacking. It fails to explain the consequence of the vulnerability (unauth RCE) and just talks about mechanism. I don't know if it's in anyone on this list's ability to get these fixed, but IMO they are serious failures of the CVE process that make it near-useless for consumers of this information. -d
