Your message dated Thu, 09 Apr 2026 03:04:13 +0000
with message-id <[email protected]>
and subject line Bug#1133022: fixed in cockpit 360-1
has caused the Debian Bug report #1133022,
regarding cockpit: CVE-2026-4631
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1133022: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133022
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cockpit
Version: 358-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/cockpit-project/cockpit/pull/23105
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for cockpit.

CVE-2026-4631[0]:
| Cockpit's remote login feature passes user-supplied hostnames and
| usernames from the web interface to the SSH client without
| validation or sanitization. An attacker with network access to the
| Cockpit web service can craft a single HTTP request to the login
| endpoint that injects malicious SSH options or shell commands,
| achieving code execution on the Cockpit host without valid
| credentials. The injection occurs during the authentication flow
| before any credential verification takes place, meaning no login is
| required to exploit the vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-4631
    https://www.cve.org/CVERecord?id=CVE-2026-4631
[1] https://github.com/cockpit-project/cockpit/pull/23105

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
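
The CVE text quoted above describes a general class of argument injection: a web-supplied hostname that reaches the ssh argv unvalidated can be parsed by ssh as an option rather than a destination (an injected ProxyCommand, for example, runs locally before any authentication with the remote host), and a hostname spliced into a shell command string can carry shell metacharacters. The Python below is an added illustration of that class and of one way to close it; it is not Cockpit's code and not the upstream fix from PR #23105. The allow-list grammar, function names and sample inputs are constructed for this example.

```python
"""Constructed example: SSH option / shell injection via an unvalidated
hostname, and a hardened argv builder.  Not Cockpit's code and not the
upstream fix for CVE-2026-4631; the grammar below is an assumption."""
import re
import shlex

# Assumed allow-list grammar: RFC 1123-style hostname labels, bracketed
# IPv6 literals and POSIX-style usernames.  Anything else is rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")
IPV6_RE = re.compile(r"^\[[0-9A-Fa-f:.]+\]$")
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def naive_ssh_argv(user: str, host: str) -> list[str]:
    """Vulnerable pattern 1: web-supplied strings spliced straight into argv.

    A host such as '-oProxyCommand=...' is option-like, so ssh's getopt
    parser consumes it as an option instead of a destination.
    """
    return ["ssh", "-l", user, host]


def naive_ssh_shell_cmd(user: str, host: str) -> str:
    """Vulnerable pattern 2: building a shell command line by string
    concatenation, so ';', '|', '$(...)' in the host reach the shell."""
    return f"ssh -l {user} {host}"


def is_option_like(token: str) -> bool:
    """True if a getopt-style parser would treat this token as an option."""
    return token.startswith("-")


def safe_ssh_argv(user: str, host: str, port: int = 22) -> list[str]:
    """Hardened pattern: validate against the allow-list grammar, pass the
    host after '--' so it can never be reinterpreted as an option, and
    never hand the result to a shell."""
    if not USER_RE.fullmatch(user):
        raise ValueError(f"rejected username: {user!r}")
    if not (HOST_RE.fullmatch(host) or IPV6_RE.fullmatch(host)):
        raise ValueError(f"rejected hostname: {host!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"rejected port: {port!r}")
    # '--' ends option parsing; with a validated host it is defence in depth.
    return ["ssh", "-l", user, "-p", str(port), "--", host]


def rejects(user: str, host: str) -> bool:
    """Helper for checks: does the hardened builder refuse this input?"""
    try:
        safe_ssh_argv(user, host)
    except ValueError:
        return True
    return False


def render(argv: list[str]) -> str:
    """Shell-quoted rendering for logs only; execute the list form directly
    (e.g. subprocess.run(argv)), never a joined string through a shell."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed attacker-controlled inputs.
    for bad_host in ("-oProxyCommand=id", "host;id", "$(id)"):
        print("naive argv :", naive_ssh_argv("admin", bad_host),
              "option-like" if is_option_like(bad_host) else "")
        print("naive shell:", naive_ssh_shell_cmd("admin", bad_host))
        print("hardened   :", "rejected" if rejects("admin", bad_host)
              else render(safe_ssh_argv("admin", bad_host)))
    print("hardened   :", render(safe_ssh_argv("admin", "host.example.org")))
```

The two naive builders show the two failure modes the advisory names (an option injected into ssh's argv, and shell metacharacters reaching a shell); the hardened builder rejects both before ssh is ever spawned, and the `--` separator protects even a future caller that forgets to validate.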
--- Begin Message ---
Source: cockpit
Source-Version: 360-1
Done: Martin Pitt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cockpit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated cockpit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Apr 2026 04:47:43 +0200
Source: cockpit
Architecture: source
Version: 360-1
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Closes: 1133022
Changes:
 cockpit (360-1) unstable; urgency=medium
 .
   * New upstream security release:
     - ws: be more explicit when handling hostnames on cli [CVE-2026-4631]
       (Closes: #1133022)
     - ws: support loading a custom login page
Checksums-Sha1:
 604bb3f1a0f1edd1936c8b4ab8085708526c8af0 3250 cockpit_360-1.dsc
 6f9b20ceed7cac1fe5a0bf1f839fbf93abcf10c4 11245028 cockpit_360.orig-node.tar.xz
 2449cefde4513c3d3172b0c3cb0b06522f01ff58 15499768 cockpit_360.orig.tar.xz
 58e2f4281fb2107690aa6472b709027f9c3c0ef1 25860 cockpit_360-1.debian.tar.xz
 340cf44161451323a11f22a4803b25f3218a8c06 6192 cockpit_360-1_source.buildinfo
Checksums-Sha256:
 a52acd352b6cd22484a1bb092c7052884f4ca7588fea7ba171262ec4f63fc59b 3250 cockpit_360-1.dsc
 9c3d0bcf8259bc3f7d75336d37ed8d974459f3b70c6d3f5b3284b3325bf1e400 11245028 cockpit_360.orig-node.tar.xz
 0fab2934843d8cdb0586fa8bd5fc60bec0bcb893cf59e30bf24122817cc42d42 15499768 cockpit_360.orig.tar.xz
 0b9ac10e21120780c1488a01b4c3421eff1dbf0dab31a5937288e77e278df912 25860 cockpit_360-1.debian.tar.xz
 954f0bcebc74e0b2886ad6c2e78e8377f93c9a24b6459d53cf23edaa8ba67abf 6192 cockpit_360-1_source.buildinfo
Files:
 9745201beda2b6d6205bbe9915272acd 3250 admin optional cockpit_360-1.dsc
 e0343d220c39fd00f0ddaa15aec29b20 11245028 admin optional cockpit_360.orig-node.tar.xz
 a5188fc7c2928b027e92bde96d0558e8 15499768 admin optional cockpit_360.orig.tar.xz
 d28f7a446edebde043e5fcd6f30571c9 25860 admin optional cockpit_360-1.debian.tar.xz
 1cdc21eee59b02b95c26d550fcb23603 6192 admin optional cockpit_360-1_source.buildinfo



--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
