
In a First, AlmaLinux Patches a Security Hole That Remains Unpatched in Upstream RHEL

AlmaLinux can now develop and apply security patches and bug fixes ahead of RHEL, because it no longer seeks to be a line-by-line exact copy of Red Hat’s operating system.

AlmaLinux Day, held on March 18, 2024 in Rust, Germany. | Source: AlmaLinux

AlmaLinux, a three-year-old Linux distribution that started life as a clone of Red Hat Enterprise Linux, on Tuesday announced that it had shipped a patch for CVE-2024-1086, a use-after-free in the Linux kernel’s netfilter nf_tables subsystem that can be used for local privilege escalation, and a vulnerability that Red Hat evidently doesn’t think is important enough to patch in RHEL right away.

“Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact,” benny Vasquez, chairperson at the AlmaLinux Foundation explained in an article on the distro’s website on Tuesday. “Our users have asked us to patch this more quickly, and as such, we have opted to include patches ourselves. We released this kernel patch to the testing repo last weekend and plan to push it to production on Wednesday, April 3rd.”

Since Vasquez’s post, a production-ready version of the fix has been made available through the distro’s repositories, and Red Hat has re-evaluated the threat from its end and raised the severity from “moderate” to “important.” There is still no sign of a patch from Red Hat, however, although the company has published several methods for mitigating the threat.

“This flaw is trivially exploitable on most RHEL-equivalent systems,” Vasquez said. “There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.”
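The article says Red Hat has published mitigations and that the flaw is worst on multi-user hosts, but gives no way to tell whether a particular machine is actually covered. The script below is an added example, not the article’s, AlmaLinux’s or Red Hat’s code. It checks a host, read-only, for the two mitigations usually applied against an unpatched nf_tables bug of this kind: nf_tables not loaded and blocked from loading by an `install nf_tables /bin/false` line in modprobe.d, or unprivileged user namespaces disabled (`user.max_user_namespaces=0`), a user namespace being the normal way an unprivileged process obtains the CAP_NET_ADMIN that nf_tables demands. The function names and the modprobe.d file name are this example’s own assumptions; confirm the exact mitigation text against the vendor advisory before relying on it. The script cannot tell whether the running kernel is already patched, since RHEL-family kernels backport fixes without changing the upstream version number.

```shell
#!/bin/sh
# Added example (not from the article, AlmaLinux or Red Hat): read-only check for
# whether a host carries one of the two usual mitigations for an unpatched nf_tables
# bug such as CVE-2024-1086.
# Assumptions: (1) an "install nf_tables /bin/false" (or /bin/true) line in modprobe.d
# counts as mitigated only if the module is also not currently loaded, because the
# install hook stops future loads but does not unload a live module; (2) a bare
# "blacklist nf_tables" line is NOT accepted, since blacklist only disables alias
# matching and request_module("nf_tables") still loads it by name; (3)
# user.max_user_namespaces=0 counts as mitigated. Verify against your vendor advisory.

# nf_tables_loaded MODULES_FILE: success if nf_tables appears in a /proc/modules-style
# list. An unreadable file counts as "not loaded", so assess also checks the modprobe.d block.
nf_tables_loaded() {
    grep -q '^nf_tables ' "$1"
}

# nf_tables_blacklisted MODPROBE_DIR: success if any *.conf fragment in the directory
# carries an install hook that replaces loading nf_tables with /bin/false or /bin/true.
nf_tables_blacklisted() {
    [ -d "$1" ] || return 1
    grep -qsE '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+(/usr)?/bin/(false|true)' "$1"/*.conf
}

# userns_disabled VALUE: success if user.max_user_namespaces is 0.
# A non-numeric value (sysctl unreadable) is treated as "enabled", i.e. not mitigated.
userns_disabled() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# assess MODULES_FILE MODPROBE_DIR MAX_USERNS: prints a verdict and returns 0 when a
# mitigation is in place, 1 when the host is exposed. Suitable for use from automation.
assess() {
    mods=$1
    mpdir=$2
    maxns=$3
    if ! nf_tables_loaded "$mods" && nf_tables_blacklisted "$mpdir"; then
        echo "mitigated: nf_tables is not loaded and is blocked from loading by $mpdir"
        return 0
    fi
    if userns_disabled "$maxns"; then
        echo "mitigated: user.max_user_namespaces=0, unprivileged users cannot reach nf_tables"
        return 0
    fi
    if nf_tables_loaded "$mods"; then
        echo "EXPOSED: nf_tables is loaded and user namespaces are allowed (max $maxns)"
    else
        echo "EXPOSED: nf_tables is not loaded but not blocked; an unprivileged user can trigger its autoload"
    fi
    return 1
}

# Run against the live host when executed directly; every check is read-only.
# The verdict is printed here; automation should call assess and use its return value.
if [ -r /proc/modules ]; then
    ns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown)
    assess /proc/modules /etc/modprobe.d "$ns" || :
fi
```

Two caveats before applying either mitigation rather than the kernel update: blocking nf_tables breaks firewalld on RHEL 8 and 9, whose default backend is nftables, and setting `user.max_user_namespaces=0` breaks rootless containers and other software that relies on user namespaces. On a host where both are unacceptable, the vendor kernel update is the only real fix.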

Patch Is an AlmaLinux First

Although security vulnerabilities are always news, a patch issued by AlmaLinux ahead of Red Hat would normally not be noteworthy. It is noteworthy now because, until last November’s release of AlmaLinux 9.3, AlmaLinux would not have issued a security patch for any hole that remained unpatched in RHEL, just as Rocky Linux, another RHEL clone, would be unlikely to patch a vulnerability in its distro until Red Hat had fixed it in RHEL.

That’s because before AlmaLinux 9.3 the distro was a line-by-line copy of RHEL, just like Rocky Linux. This meant that by design, nothing went into either of the distros’ software that wasn’t already in RHEL.

That’s still true of Rocky Linux, but with the release of 9.3 AlmaLinux changed its approach from directly copying Red Hat’s code to building a distro that maintains ABI parity with RHEL. Although AlmaLinux is no longer a line-by-line copy of Red Hat’s code, it remains a feature-by-feature equivalent: binaries built for RHEL are meant to run unchanged, and users get the same experience as on RHEL.

It remains so close to RHEL, in fact, that it can promise DevOps teams working in a mixed environment of RHEL and AlmaLinux machines that anything they do on RHEL will work the same way on AlmaLinux. It also opens the door for AlmaLinux’s developers to fix bugs and security holes in their distro that Red Hat is not yet addressing.

AlmaLinux is also unusually well placed to fix RHEL’s security issues and bugs through its relationship with CloudLinux’s TuxCare business, which offers commercial support for a number of Linux distributions, including RHEL. CloudLinux, which develops a security-hardened distro based on AlmaLinux for web hosting companies, started AlmaLinux a few years back in response to Red Hat’s announcement that CentOS would no longer be a downstream clone of RHEL, which it had been since its first release in 2004.

Although AlmaLinux is now owned and maintained by the community owned and operated AlmaLinux Foundation, CloudLinux continues to have close ties with the organization and remains one of the distro’s largest sponsors.

One Comment

  1. Inspector Allen, April 9, 2024

    There are just too many versions of Linux. It’s like a grocery store selling 25 different brands of “Cola”. None better than the other. Some sweeter, more bubbly, more spicy, some with strange flavors. But they’re all fizzy and wet. It gets almost pointless.
