Bug#1133122: trixie-pu: package cockpit/337-1+deb13u1

From Martin Pitt <mpitt@debian.org>
Newsgroups linux.debian.bugs.dist, linux.debian.devel.release
Subject Bug#1133122: trixie-pu: package cockpit/337-1+deb13u1
Date 2026-04-10 07:40 +0200
Message-ID <MIcKZ-e0Pm-3@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway

Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: cockpit@packages.debian.org
Control: affects -1 + src:cockpit
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
Cockpit recently did a security fix for CVE-2026-4631 for defending against
injecting ssh options for remote host logins, potentially leading to remote
code execution [1]. This was also reported against Debian [2] but Salvatore
from the security team pointed out that our openssh already mitigates this [3]
so this cannot actually be reproduced/exploited on Debian.

I'd still like to apply the fix, for "defense in depth", and frankly also just
to quiesce security scanners and afraid users.

[1] https://github.com/cockpit-project/cockpit/security/advisories/GHSA-m4gv-x78h-3427
[2] https://bugs.debian.org/1133022
[3] https://github.com/openssh/openssh-portable/commit/7ef3787

[ Impact ]
Calling ssh with an explicit `--` before the host name stops command line
injection attempts at the source. Since host names don't start with `-`, there
is no impact for real systems.

[ Tests ]
I built the package locally and ran its autopkgtests in a trixie container.
Moreover, I ran the cockpit binaries on my trixie server and tried to connect
to a remote ssh host.

[ Risks ]

Very low. The change was thoroughly tested upstream with its very extensive
test suite, as well as manually against good (localhost and piware.de:659,
works) and "exploit-y" (piware.de.659 -foo, fails with "authentication not
available") hostnames.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Targeted backport of the upstream fix which calls `ssh` with `--` before the
host name.

[ Other info ]
Nothing I can think of.

Best regards,

Pitti
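
The mitigation described under [ Impact ], as an added example (not Cockpit's or Debian's code): a small model of ssh's argument loop, which scans options before the host name and, unless `--` already ended option processing, again after it. The two builder functions, `FLAGS_WITH_ARG` and the hostnames are assumptions constructed for illustration.

```python
"""Model of why an explicit `--` blocks ssh option injection.

Added example, not Cockpit's or Debian's code. `scan` is a simplified model of
ssh's argument loop: options are read up to the host name and, unless `--`
already ended option processing, again after it; the first word after that
starts the remote command. FLAGS_WITH_ARG, the two builders and the hostnames
are constructed for illustration.
"""
import shlex
from typing import Optional

# Constructed subset of ssh flags that take a value in the following token.
FLAGS_WITH_ARG = {"-p", "-o", "-l", "-i", "-J", "-F"}


def ssh_argv_unsafe(host: str, port: int) -> list:
    """Hypothetical pre-fix shape: the host string is word-split into argv."""
    return ["ssh", "-p", str(port)] + shlex.split(host)


def ssh_argv_fixed(host: str, port: int) -> list:
    """Fixed shape: `--` ends option processing, so the host is always an operand."""
    return ["ssh", "-p", str(port), "--", host]


def scan(argv: list) -> tuple:
    """Return (options, host, command) as the modelled ssh loop would see them."""
    options, command = [], []
    host: Optional[str] = None
    terminated = False          # set once `--` or the first command word is seen
    args = argv[1:]
    i = 0
    while i < len(args):
        tok = args[i]
        i += 1
        is_opt = not terminated and tok.startswith("-") and tok != "-"
        if tok == "--" and not terminated:
            terminated = True               # no later token is an option
        elif is_opt:
            options.append(tok)             # attacker-controlled words land here
            if tok in FLAGS_WITH_ARG and i < len(args):
                options.append(args[i])
                i += 1
        elif host is None:
            host = tok                      # first operand is the destination
        else:
            command.append(tok)             # remote command; option parsing stops
            terminated = True
    return options, host, command
```

With the report's "exploit-y" hostname, the pre-fix shape hands `-foo` to ssh as an option, while the fixed shape keeps the whole string as a (non-resolvable) host name.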
