AlmaLinux is turning into the RHEL clone with a difference, by patching RHEL security holes that are given a low priority by Red Hat.
On Tuesday, the folks at AlmaLinux announced that they’ve patched another security hole that Red Hat and CentOS Stream haven’t gotten around to patching yet.
“In fairness to Red Hat, they were just much slower than we were,” benny Vasquez, the chairperson at the AlmaLinux Foundation told me in an email. “We were ready to go on Monday, but were hesitating because we throught RHEL was going to get patched Monday night.”
Red Hat did eventually issue a patch for RHEL and CentOS Stream — on Wednesday, a day after AlmaLinux issued it’s patch.
‘Unofficially’ Patching RHEL Clones
It wasn’t too long ago that the idea of a RHEL lookalike distro patching a security hole before Red Hat issued an official patch would have been out-of-the-question, since RHEL clones have always promised their users that their distributions were line-by-line copies of RHEL’s source. That changed for AlmaLinux after Red Hat announced it was going to restrict access to its source code, specifically to discourage the cloning its operating system.
While the other RHEL clones — Rocky Linux, EuroLinux, Oracle Linux, and the like — pretty much shot Red Hat the finger and found ways around Red Hat’s efforts, AlmaLinux decided to play by Red Hat’s rules and changed its focus from creating a clone of Red Hat’s code to producing a disto with “feature parity.” In other words, they now create a distro with all the same features — and which works in exactly the same way as RHEL — even if its code isn’t always an exact copy.
About a year ago, benny Vasquez told me that the change wouldn’t be noticeable to anyone making the move from RHEL or from any of the other RHEL clones.
“The people who are going to be most impacted are developers and people running really low level sort of stuff,” she said. “If you’re running a website, it’s not going to impact you at all.”
The change also turned out to offer the distro some advantages over the other RHEL lookalikes, as it opened the door for the distro to do things like patching bugs and security holes that Red Hat was choosing to ignore. This first became evident in April, when developers patched a security vulnerability that Red Hat labeled as a moderate risk and was in no big hurry to patch, but which AlmaLinux users wanted fixed sooner rather than later.
“Our users have asked us to patch this more quickly, and as such, we have opted to include patches ourselves,” Vasquez told me at the time.
The same was true with the patch that AlmaLinux issued on Tuesday.
“The patch was requested by users pretty much immediately,” she said in our email exchange.
What’s Been Patched?
The new patch addresses a recently discovered vulnerability — CVE-2024-6409 — in OpenSSH’s server that effects glibc-based Linux systems. This issue, similar to annother vulnerability discovered last week’s — CVE-2024-6387 — impacts glibc-based Linux systems. It involves a signal handler race condition that could expose systems to potential security risks.
According to a blog written by Andrew Lukoshko, the distro’s release engineering lead, AlmaLinux’s users can easily install the patch by running the following command:
sudo dnf --refresh upgrade openssh
After that, users can confirm their system has been updated by running the following command and looking for “openssh-8.7p1-38.el9_4.1.alma.1“:
rpm -q openssh
If you’re wondering about AlmaLinux’s being quick to jump on the patch bandwagon, don’t be. The distro is in a unique position when it comes to patching RHEL-based operating systems. Its founding company, CloudLinux, has a division called TuxCare that earns its keep by keeping selected out-of-date Linux distros patched, so it already knows how to be good at that.
Rocky Linux, the other major player in the RHEL-clone arena, would be similarly well equipped if it were to decide to patch security holes not being handled by Red Hat, which it’s not likely to do as long as it’s selling itself as a line-by-line RHEL clone. CIQ, the commercial company behind the distro, also offers extended support for Enterprise Linux distributions that are no longer officially supported.
With the current status quo, however, it’s clear that AlmaLinux’s newfound ability to flex its security muscles in a way that the other RHEL clones cannot or will not, puts the distro on its way to becoming the Enterprise Linux distribution of choice for workloads that require security to be job one.
Editor’s note: An earlier version indicated that Red Hat had not yet patched this security vulnerability in Red Hat Enterprise Linux, which it has. In addition, this updated article contains additional background information that was not contained in the original version.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
