[Pkg-utopia-maintainers] Bug#1133022: cockpit: CVE-2026-4631
Salvatore Bonaccorso
carnil at debian.org
Thu Apr 9 19:24:24 BST 2026
Hi Martin,
On Thu, Apr 09, 2026 at 05:37:16AM +0200, Martin Pitt wrote:
> Hello Salvatore,
>
> Salvatore Bonaccorso [2026-04-08 22:20 +0200]:
> > The following vulnerability was published for cockpit.
> >
> > CVE-2026-4631 [...]:
>
> I uploaded the new upstream version 360 to unstable, which includes the fix.
>
> For trixie, I prepared a backport. Debdiff attached, happy to upload on your
> mark. Please double-check the version number, I'm not that experienced in
> security updates.
Thanks for preparing the update. We had a closer look and think we
can just have this batched in the next trixie point release instead.
This is because in Debian trixie OpenSSH already contains
https://github.com/openssh/openssh-portable/commit/7ef3787 (which is
the fix for CVE-2023-51385).
https://bugzilla.redhat.com/show_bug.cgi?id=2450246 contains some
notes about the combination.
Given that, we marked the issue as no-dsa for trixie. A note on the
update:
> +++ cockpit-337/debian/changelog 2026-04-09 05:29:56.000000000 +0200
> @@ -1,3 +1,10 @@
> +cockpit (337-1+deb13u1) unstable; urgency=medium
> +
> + * ws: Be more explicit when handling hostnames on cli.
> + [CVE-2026-4631] (Closes: #1133022)
> +
> + -- Martin Pitt <mpitt at debian.org> Thu, 09 Apr 2026 05:29:56 +0200
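Review bot: the distribution field in the new changelog stanza, `cockpit (337-1+deb13u1) unstable; urgency=medium`, does not match the version: a `+deb13u1` suffix marks a trixie update, so the entry should read `trixie` (point release) or `trixie-security` (security upload), not `unstable`. Uploaded as-is it would be routed to sid, where version 360 has already been uploaded per the reply above, so 337-1+deb13u1 would be older than what is in unstable and be rejected.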
Version is correct, but the target distribution should be trixie (for
the point release, and would have been trixie-security for a security
update).
Can you approach the stable release managers to make an update via the
point release by filing a release.debian.org bug?
> > Please adjust the affected versions in the BTS as needed.
>
> I am not yet sure if this affects bookworm/bullseye at all, as this does not
> yet have cockpit-beiboot, but the older cockpit-ssh program. I asked Allison
> in https://github.com/cockpit-project/cockpit/pull/23105#issuecomment-4211122656
>
> I'll find out about the test case situation and will mark
> oldstable/oldoldstable as affected or not appropriately.
So my understanding is we can mark it
[bookworm] - cockpit <not-affected> (beiboot helper only used since 326)
or do we still consider it affected in earlier versions? In which case
it still would be no-dsa as we have the OpenSSH mitigation as well in
this version.
Do you agree?
Regards,
Salvatore