
Interestingly, the RCE fix was "smuggled" in public almost a month ago.

    When PerSourcePenalties are enabled, sshd(8) will monitor the exit
    status of its child pre-auth session processes. Through the exit
    status, it can observe situations where the session did not
    authenticate as expected. These conditions include when the client
    repeatedly attempted authentication unsuccessfully (possibly indicating
    an attack against one or more accounts, e.g. password guessing), or
    when client behaviour caused sshd to crash (possibly indicating
    attempts to exploit sshd).

    When such a condition is observed, sshd will record a penalty of some
    duration (e.g. 30 seconds) against the client's address.
https://github.com/openssh/openssh-portable/commit/81c1099d2...

It's not really a reversible patch that gives anything away to attackers: it changes the binary architecture in a way that has the side-effect of removing the specific vulnerability and also mitigates the whole exploit class, if I understand it correctly. Very clever.



That's not the RCE fix, this is the RCE fix https://news.ycombinator.com/item?id=40843865

That's a previously-announced feature for dealing with junk connections that also happens to mitigate this vulnerability because it makes it harder to win the race. Discussed previously https://news.ycombinator.com/item?id=40610621


The ones you link are the "minimal patches for those who can't/don't want to upgrade". The commit I am linking to is taken straight from the advisory.

    On June 6, 2024, this signal handler race condition was fixed by commit
    81c1099 ("Add a facility to sshd(8) to penalise particular problematic
    client behaviours"), which moved the async-signal-unsafe code from
    sshd's SIGALRM handler to sshd's listener process, where it can be
    handled synchronously:

      https://github.com/openssh/openssh-portable/commit/81c1099d22b81ebfd20a334ce986c4f753b0db29

    Because this fix is part of a large commit (81c1099), on top of an even
    larger defense-in-depth commit (03e3de4, "Start the process of splitting
    sshd into separate binaries"), it might prove difficult to backport. In
    that case, the signal handler race condition itself can be fixed by
    removing or commenting out the async-signal-unsafe code from the
    sshsigdie() function
The cleverness here is that this commit is both "a previously-announced feature for dealing with junk connections", and a mitigation for the exploit class against similar but unknown vulnerabilities, and a patch for the specific vulnerability because it "moved the async-signal-unsafe code from sshd's SIGALRM handler to sshd's listener process, where it can be handled synchronously".

The cleverness is that it fixes the vulnerability as part of doing something that makes sense on its own, so you wouldn't know it's the patch even looking at it.
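The handler-side half of that change, as an added C illustration that is not OpenSSH's code: the SIGALRM handler in the pre-auth child does nothing but `_exit()`, and the listener classifies the child's wait status synchronously, where it is safe to log or record a penalty. The value of `EXIT_LOGIN_GRACE`, the `penalty` enum and the function names are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed value; OpenSSH defines its own EXIT_LOGIN_GRACE in sshd.h. */
#define EXIT_LOGIN_GRACE 3

enum penalty { PENALTY_NONE, PENALTY_GRACE_TIMEOUT, PENALTY_CRASH };

/* Child-side SIGALRM handler: only the async-signal-safe _exit(), nothing that may lock or allocate. */
static void grace_alarm_handler(int sig)
{
	(void)sig;
	_exit(EXIT_LOGIN_GRACE);
}

/* Listener side: map the pre-auth child's wait status to a penalty, synchronously. */
enum penalty classify_child_exit(int status)
{
	if (WIFSIGNALED(status))
		return PENALTY_CRASH;          /* died from a signal: possible exploit attempt */
	if (WIFEXITED(status) && WEXITSTATUS(status) == EXIT_LOGIN_GRACE)
		return PENALTY_GRACE_TIMEOUT;  /* client never completed authentication */
	return PENALTY_NONE;
}

/* Simulate one pre-auth session: the child stalls until the grace timer fires
 * ('w'), exits cleanly ('c'), or is killed as a stand-in for a crash ('k'). The
 * parent reaps it and returns the penalty the listener would record. */
enum penalty run_preauth_session(char behaviour, unsigned grace_secs)
{
	pid_t pid = fork();
	if (pid < 0) return PENALTY_NONE;
	if (pid == 0) {
		signal(SIGALRM, grace_alarm_handler); /* sshd uses sigaction(); same idea */
		alarm(grace_secs);
		if (behaviour == 'k') raise(SIGKILL);
		if (behaviour == 'c') _exit(EXIT_SUCCESS);
		for (;;) pause();
	}
	int status = 0;
	if (waitpid(pid, &status, 0) < 0) return PENALTY_NONE;
	enum penalty p = classify_child_exit(status);
	if (p != PENALTY_NONE) /* log here, in normal context, never in the handler */
		fprintf(stderr, "pre-auth child %ld: penalty %d\n", (long)pid, (int)p);
	return p;
}
```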


No, it's a fix. It completely removes the signal race as well as introducing a mitigation for similar future bugs


These lines from the diff linked above are the fix:

    - /* Log error and exit. */
    - sigdie("Timeout before authentication for %s port %d",
    -     ssh_remote_ipaddr(the_active_state),
    -     ssh_remote_port(the_active_state));
    + _exit(EXIT_LOGIN_GRACE);
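Review bot: replacing sigdie() with _exit(EXIT_LOGIN_GRACE) drops the only log line for a grace-time expiry from this path, and the remote address and port read from the_active_state are no longer reported here. Since the handler now signals the timeout solely through its exit status, the listener that reaps the child must emit the "Timeout before authentication" message when it sees EXIT_LOGIN_GRACE, otherwise the event disappears from the logs.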


Has this fix been pushed to / pulled by distributions yet?


It's fixed in Debian 12[1]. Debian 11 and earlier's SSH version was not vulnerable.

[1] https://security-tracker.debian.org/tracker/source-package/o...



And https://bugzilla.redhat.com/show_bug.cgi?id=2294904 (Fedora 40 issue)

EL 9 is also affected, but not yet released. The tracking task will update as things move along.


Fix pushed in openssh-9.3p1-11.fc39 and (in progress) openssh-9.6p1-1.fc40.4.


Ubuntu's also got patches out for 22.04 LTS, 23.10, and 24.04 LTS. See https://ubuntu.com/security/notices/USN-6859-1.

Amazon Linux 2023 is affected; Amazon Linux 1 & 2 are not. Status updates will be posted to https://explore.alas.aws.amazon.com/CVE-2024-6387.html


Gentoo: update to "net-misc/openssh-9.7_p1-r6" available since ~Mon 1.Jul.2024.

GLSA 202407-09: https://glsa.gentoo.org/glsa/202407-09

Package metadata & log: https://packages.gentoo.org/packages/net-misc/openssh


SUSE has the fixes under testing. I assume you could install them directly from OBS. I have not tried because I have no exposed system. https://www.suse.com/security/cve/CVE-2024-6387.html


Interesting that this comment has remained the topmost one for 2 days despite being incorrect and being corrected in the message right below it. I wonder if people are only reading the first message in the thread and upvoting and then leaving with the wrong impression.


It appears you’ve not read past the topmost reply to the topmost comment, and left with the wrong impression.


So it seems!



