'AlmaLinux, a three year old Linux distribution
that started life as a clone of Red Hat Enterprise Linux, on
Tuesday announced that it had created a patch to fix
CVE-2024-1086, a security vulnerability that Red Hat evidently
doesn’t think is important enough to patch in RHEL right away.
“Though this was flagged as something to be fixed in Red Hat
Enterprise Linux, Red Hat has only rated this as a moderate
impact,” benny Vasquez, chairperson at the AlmaLinux Foundation
explained in an article on the distro’s website on Tuesday. “Our
users have asked us to patch this more quickly, and as such, we
have opted to include patches ourselves. We released this kernel
patch to the testing repo last weekend and plan to push it to
production on Wednesday, April 3rd.”
Since Vasquez’s post a production ready version of the fix was
made available through the distro’s repositories, and Red Hat
has re-evaluated the threat from its end and raised the severity
level from “moderate” to “important.” There is still no sign of
a patch from Red Hat, however, although the company has posted
several methods for mitigating the threat.
“This flaw is trivially exploitable on most RHEL-equivalent
systems,” Vasquez said. “There are many proof-of-concept posts
available now, including one from our Infrastructure team lead,
Jonathan Wright (Dealing with CVE-2024-1086). In multi-user
scenarios, this flaw is especially problematic.”'
Cheers, Peter