hi Martin,

On Thu, Apr 09, 2026 at 05:37:16AM +0200, Martin Pitt wrote:
> Hello Salvatore,
>
> Salvatore Bonaccorso [2026-04-08 22:20 +0200]:
> > The following vulnerability was published for cockpit.
> >
> > CVE-2026-4631 [...]:
>
> I uploaded the new upstream version 360 to unstable, which includes the fix.
>
> For trixie, I prepared a backport. Debdiff attached, happy to upload on your
> mark. Please double-check the version number, I'm not that experienced in
> security updates.
Thanks for preparing the update. We had a closer look and think we can just
have this batched in the next trixie point release instead. This is because
in Debian trixie OpenSSH already contains
https://github.com/openssh/openssh-portable/commit/7ef3787 (which is the fix
for CVE-2023-51385). https://bugzilla.redhat.com/show_bug.cgi?id=2450246
contains some notes about the combination. Given that, we marked the issue as
no-dsa for trixie.

A note on the update:

> +++ cockpit-337/debian/changelog 2026-04-09 05:29:56.000000000 +0200
> @@ -1,3 +1,10 @@
> +cockpit (337-1+deb13u1) unstable; urgency=medium
> +
> + * ws: Be more explicit when handling hostnames on cli.
> + [CVE-2026-4631] (Closes: #1133022)
> +
> + -- Martin Pitt <[email protected]> Thu, 09 Apr 2026 05:29:56 +0200

Version is correct, but the target distribution should be trixie (for the
point release, and would have been trixie-security for a security update).
Can you approach the stable release managers to make an update via the point
release by filing a release.debian.org bug?

> > Please adjust the affected versions in the BTS as needed.
>
> I am not yet sure if this affects bookworm/bullseye at all, as this does not
> yet have cockpit-beiboot, but the older cockpit-ssh program. I asked Allison
> in
> https://github.com/cockpit-project/cockpit/pull/23105#issuecomment-4211122656
>
> I'll find out about the test case situation and will mark
> oldstable/oldoldstable as affected or not appropriately.

So my understanding is we can mark it

[bookworm] - cockpit <not-affected> (beiboot helper only used since 326)

or do we still consider it affected in earlier versions? In which case it
still would be no-dsa as we have the OpenSSH mitigation as well in this
version. Do you agree?

Regards,
Salvatore
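Review bot: the changelog stanza in the quoted hunk targets `unstable` while its version `337-1+deb13u1` carries a stable-update suffix; for the planned point release the first line should read `cockpit (337-1+deb13u1) trixie; urgency=medium` (or `trixie-security` if it went out as a security update). Note also that only the debian/changelog hunk of the debdiff is quoted here, so the `ws` hostname-handling change the entry refers to is not visible in this thread for review.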

