Your message dated Sun, 03 May 2026 16:32:06 +0000
with message-id <[email protected]>
and subject line Bug#1133022: fixed in cockpit 337-1+deb13u1
has caused the Debian Bug report #1133022,
regarding cockpit: CVE-2026-4631
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1133022: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133022
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cockpit
Version: 358-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/cockpit-project/cockpit/pull/23105
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for cockpit.
CVE-2026-4631[0]:
| Cockpit's remote login feature passes user-supplied hostnames and
| usernames from the web interface to the SSH client without
| validation or sanitization. An attacker with network access to the
| Cockpit web service can craft a single HTTP request to the login
| endpoint that injects malicious SSH options or shell commands,
| achieving code execution on the Cockpit host without valid
| credentials. The injection occurs during the authentication flow
| before any credential verification takes place, meaning no login is
| required to exploit the vulnerability.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-4631
https://www.cve.org/CVERecord?id=CVE-2026-4631
[1] https://github.com/cockpit-project/cockpit/pull/23105
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
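The CVE text above describes user-controlled hostnames and usernames reaching the SSH client unchecked. As an added illustration (not code from the cockpit project or from the Debian fix), this Python sketch shows the defensive pattern that kind of bug calls for: allow-list validation of both values, an argv list instead of a shell string, and `--` to end option parsing so an operand can never be read as an option. The regexes, names and port default are assumptions for the example.

```python
import re

# Assumed allow-lists for this example: RFC 1123 style hostname labels
# (dotted-quad IPv4 also matches) and a POSIX-style login name.
_HOST_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


class RejectedInput(ValueError):
    """Raised when a caller-supplied value fails validation."""


def validate_host(host: str) -> str:
    # A leading '-' would be parsed by ssh as an option, not a host name;
    # the allow-list also excludes whitespace and shell metacharacters.
    if not host or host.startswith("-") or not _HOST_RE.match(host):
        raise RejectedInput(f"hostname rejected: {host!r}")
    return host


def validate_user(user: str) -> str:
    if not user or user.startswith("-") or not _USER_RE.match(user):
        raise RejectedInput(f"username rejected: {user!r}")
    return user


def build_ssh_argv(user: str, host: str, port: int = 22) -> list[str]:
    """Return an argv list for the ssh client (never a shell string).

    Fixed options come first, the user is passed with '-l' rather than
    concatenated into 'user@host', and '--' ends option parsing so the
    validated hostname is always treated as an operand.
    """
    if not 1 <= port <= 65535:
        raise RejectedInput(f"port rejected: {port!r}")
    return ["ssh", "-p", str(port), "-l", validate_user(user), "--",
            validate_host(host)]


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises RejectedInput; handy for self-checks."""
    try:
        fn(*args)
    except RejectedInput:
        return True
    return False
```

Pass the returned list to `subprocess.run` (or `execvp`) directly; never join it into a string for a shell.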
--- Begin Message ---
Source: cockpit
Source-Version: 337-1+deb13u1
Done: Martin Pitt <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cockpit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Martin Pitt <[email protected]> (supplier of updated cockpit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 09 Apr 2026 05:29:56 +0200
Source: cockpit
Architecture: source
Version: 337-1+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Utopia Maintenance Team <[email protected]>
Changed-By: Martin Pitt <[email protected]>
Closes: 1133022 1133122
Changes:
cockpit (337-1+deb13u1) trixie; urgency=medium
.
* ws: Be more explicit when handling hostnames on cli.
[CVE-2026-4631] (Closes: #1133022, #1133122)
--- End Message ---
_______________________________________________
Pkg-utopia-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers