Control: notfound -1 287.1-0+deb12u2
Control: notfound -1 239-1

Hello Salvatore,

Salvatore Bonaccorso [2026-04-09 20:24 +0200]:
> Thanks for preparing the update. We had a closer look and think we
> can just have this batched in the next trixie point release instead.
> This is because in Debian trixie OpenSSH contains already
> https://github.com/openssh/openssh-portable/commit/7ef3787) (which is
> the fix for CVE-2023-51385).

Ah nice!

> > +cockpit (337-1+deb13u1) unstable; urgency=medium
> Version is correct, but the target distribution should be trixie (for
> the point release, and would have been trixie-security for a security
> update).

Ugh 🙈 sorry!

> Can you approach the stable release managers to make an update via the
> point release by filing a release.debian.org bug?

Sure! I filed https://bugs.debian.org/1133122 and attached a debdiff there
with correct release.

> > I am not yet sure if this affects bookworm/bullseye at all, as this does not
> > yet have cockpit-beiboot, but the older cockpit-ssh program. I asked Allison
> > in
> > https://github.com/cockpit-project/cockpit/pull/23105#issuecomment-4211122656
> >
> > I'll find out about the test case situation and will mark
> > oldstable/oldoldstable as affected or not appropriately.
>
> So my understanding is we can mark it
>
> [bookworm] - cockpit <not-affected> (beiboot helper only used since 326)
>
> or do we still consider it affected in earlier versions? In which case
> it still would be no-dsa as we have the OpenSSH mitigation as well in
> this version.

Correct. I also confirmed that the issue doesn't affect the old
`cockpit-ssh` program at all, i.e. bookworm and bullseye are ok. Marking
accordingly, I hope I got that right.

Thanks,

Pitti

