cockpit: Fix CVE-2026-4631#3

Merged
Zeno-sole merged 1 commit into
masterfrom
fix/CVE-2026-4631
Apr 20, 2026

Conversation

@deepin-ci-robot
Contributor

Security Update

  • Fix CVE-2026-4631: SSH injection vulnerability in remote login
  • Package: cockpit

Description

Cockpit's remote login feature passes user-supplied hostnames and usernames
from the web interface to the SSH client without validation or sanitization.
An attacker with network access to the Cockpit web service can craft a single
HTTP request to the login endpoint that injects malicious SSH options or shell
commands, achieving code execution on the Cockpit host without valid credentials.

Changes

  • Added -- to SSH command invocations in src/cockpit/beiboot.py
  • Added -- to SSH command invocations in src/ws/cockpitauth.c
  • Updated debian/changelog

Upstream

cockpit-project/cockpit@9d06956

Testing

  • Build verification recommended
  • Verify SSH connection functionality after patch

This patch adds `--` to SSH command invocations to ensure hostnames are
interpreted correctly and cannot be treated as command-line options.

Upstream: cockpit-project/cockpit@9d06956
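The fix described above is the argument-separator idiom: anything after `--` is positional, so a hostname that begins with `-` can no longer be read by ssh's option parser. The following is an added example, not cockpit's own code and not taken from the upstream commit. It builds a simplified ssh argv (the `build_ssh_argv` helper, the `-l user`/host/remote-command shape, and the hostname `-oProxyCommand=touch /tmp/pwned` are all constructed for illustration, not cockpit's real invocation) and runs it through a small getopt-style parser that approximates how ssh splits argv, to show what ssh would see with and without `--`. Nothing is executed; the parser model and the option tables are an approximation, not OpenSSH's actual optstring.

```python
"""Added example: why `--` before a user-supplied hostname matters.

Hypothetical helpers only; not cockpit code. The argv shape below is a
simplified stand-in for a remote-login ssh invocation.
"""
import re

# Approximation of ssh's getopt behaviour: these options take an argument
# (either glued, as in -oKey=Val, or as the next argv element).
OPTS_WITH_ARG = set("bceilmopBDEFIJLOQRSWw")
# These are bare flags and may be clustered, e.g. -4v.
FLAG_OPTS = set("1246afgknqstvxCGKMNPTVXYy")


def build_ssh_argv(user, host, remote_cmd, *, harden):
    """Return an argv list. With harden=True, `--` ends option parsing before
    the host, which is the class of change the patch makes."""
    argv = ["ssh", "-l", user]
    if harden:
        argv.append("--")
    argv.append(host)
    argv.extend(remote_cmd)
    return argv


def parse_like_ssh(argv):
    """Model a POSIX getopt loop: consume options until the first non-option
    element or a literal `--`; everything after that is positional."""
    opts, i = [], 1
    while i < len(argv):
        a = argv[i]
        if a == "--":
            i += 1
            break
        if len(a) < 2 or a[0] != "-":
            break
        j = 1
        while j < len(a):
            ch = a[j]
            if ch in OPTS_WITH_ARG:
                if j + 1 < len(a):          # glued value: -oKey=Val
                    opts.append((ch, a[j + 1:]))
                else:                       # value is the next element
                    i += 1
                    opts.append((ch, argv[i] if i < len(argv) else None))
                break
            if ch in FLAG_OPTS:
                opts.append((ch, None))
                j += 1
                continue
            raise ValueError(f"unknown option -{ch}")
        i += 1
    return opts, argv[i:]


def effective_host_and_options(argv):
    """What ssh would treat as the host, and which -o values it would honour."""
    opts, positionals = parse_like_ssh(argv)
    host = positionals[0] if positionals else None
    injected = [val for key, val in opts if key == "o"]
    return host, injected


# Constructed attacker-controlled "hostname" (sample input for the demo).
ATTACKER_HOST = "-oProxyCommand=touch /tmp/pwned"


def demo():
    """Compare the unhardened and hardened argv for the same inputs."""
    vuln = build_ssh_argv("alice", ATTACKER_HOST, ["cockpit-bridge"], harden=False)
    safe = build_ssh_argv("alice", ATTACKER_HOST, ["cockpit-bridge"], harden=True)
    return effective_host_and_options(vuln), effective_host_and_options(safe)


# Defence in depth: a deliberately conservative hostname check (no IPv6
# literals, no leading '-') that rejects option-looking values before they
# reach argv at all. Hypothetical helper, not part of the patch.
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.\-]*[A-Za-z0-9])?")


def looks_like_hostname(value):
    return len(value) <= 253 and _HOST_RE.fullmatch(value) is not None


if __name__ == "__main__":
    before, after = demo()
    print("without --:", before)  # host becomes the remote command; -o honoured
    print("with --   :", after)   # the bogus host is positional; no -o at all
```

Two caveats a reviewer would keep in mind: `--` only protects arguments placed after it, so a user-controlled value spliced into an option value (for example into `-l`) still needs validation, and the separator is irrelevant if the command line is assembled as a shell string rather than an argv list, where quoting, not `--`, is the issue. Treat the hostname check as an additional layer, not a replacement for the separator.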
@github-actions

TAG Bot

TAG: 328-1deepin2
EXISTED: no
DISTRIBUTION: unstable

@deepin-ci-robot
Contributor Author

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign zccrs for approval. For more information see the Code Review Process.

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Zeno-sole

/integrate

@github-actions

AutoIntegrationPr Bot
auto integrate with pr url: deepin-community/Repository-Integration#3830
PrNumber: 3830
PrBranch: auto-integration-24442864997

@Zeno-sole Zeno-sole merged commit 1390400 into master Apr 20, 2026
7 of 9 checks passed
3 participants