The big news this week was that OpenSSH has an unauthenticated Remote Code Execution exploit. Or more precisely, it had one that was fixed in 2006 and was unintentionally re-introduced in version 8.5p1 from 2021. The flaw is a signal handler race condition, where async-signal-unsafe code gets called from within the SIGALRM handler. What does that mean?
This is a companion discussion topic for the original entry at https://hackaday.com/2024/07/05/this-week-in-security-hide-yo-ssh-polyfill-and-packing-it-up/
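The bug class named above, as an added example that is not OpenSSH's code and not from the original article: a SIGALRM handler that calls async-signal-unsafe functions, beside the pattern that avoids the race by only setting a flag in the handler. The names `grace_alarm_unsafe`, `grace_alarm_safe` and `wait_for_grace_timeout` are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/time.h>
#include <unistd.h>

/* UNSAFE (for contrast, never installed below): malloc, stdio and free are
 * not async-signal-safe. If SIGALRM interrupts code that is itself inside
 * the allocator, the handler re-enters it with the heap half-updated. */
void grace_alarm_unsafe(int sig)
{
    char *msg = malloc(64);
    if (msg) snprintf(msg, 64, "grace time expired (signal %d)\n", sig);
    if (msg) fputs(msg, stderr);
    free(msg);
    _exit(1);
}

/* SAFE: the handler only records that the signal fired. */
static volatile sig_atomic_t grace_expired;
static void grace_alarm_safe(int sig) { (void)sig; grace_expired = 1; }

/* Arm a timer of `ms` milliseconds and wait for it. Returns 1 after the
 * expiry has been handled in normal context, -1 on bad input or setup error. */
int wait_for_grace_timeout(long ms)
{
    struct sigaction sa = {0};
    struct itimerval it = {0};
    sigset_t block, old, wait_mask;
    sa.sa_handler = grace_alarm_safe;
    sigemptyset(&sa.sa_mask);
    if (ms <= 0 || sigaction(SIGALRM, &sa, NULL) != 0) return -1;
    /* Block SIGALRM so it is delivered only inside sigsuspend(); that closes
     * the gap between testing the flag and going to sleep. */
    sigemptyset(&block);
    sigaddset(&block, SIGALRM);
    if (sigprocmask(SIG_BLOCK, &block, &old) != 0) return -1;
    wait_mask = old;
    sigdelset(&wait_mask, SIGALRM);
    grace_expired = 0;
    it.it_value.tv_sec = ms / 1000;
    it.it_value.tv_usec = (ms % 1000) * 1000;
    if (setitimer(ITIMER_REAL, &it, NULL) != 0) { sigprocmask(SIG_SETMASK, &old, NULL); return -1; }
    while (!grace_expired) sigsuspend(&wait_mask);
    sigprocmask(SIG_SETMASK, &old, NULL);
    fputs("grace time expired\n", stderr);  /* normal context: safe here */
    return 1;
}
```

When auditing a code base for this bug class, list every handler registered with `signal()` or `sigaction()` and check each call it can reach against the async-signal-safe list in signal-safety(7).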