Bug 29518 - cockpit new security issue CVE-2021-3660
Summary: cockpit new security issue CVE-2021-3660
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-10-02 17:10 CEST by David Walser
Modified: 2021-10-06 21:43 CEST

See Also:
Source RPM: cockpit-232-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-10-02 17:10:17 CEST
Fedora has issued an advisory on October 1:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XQLK6K2XNAT4GT54IRSTVXU2RMN6V3YB/

Mageia 8 is also affected.
David Walser 2021-10-02 17:10:27 CEST

Whiteboard: (none) => MGA8TOO

Comment 1 Nicolas Lécureuil 2021-10-03 00:43:38 CEST
new version pushed in mga8/9


src:
    - cockpit-254-1.mga8

Assignee: bugsquad => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => joequant, mageia

Comment 2 David Walser 2021-10-03 01:29:00 CEST
cockpit-system-254-1.mga8
cockpit-ws-254-1.mga8
cockpit-tests-254-1.mga8
cockpit-packagekit-254-1.mga8
cockpit-networkmanager-254-1.mga8
cockpit-bridge-254-1.mga8
cockpit-storaged-254-1.mga8
cockpit-sosreport-254-1.mga8
cockpit-254-1.mga8
cockpit-doc-254-1.mga8

from cockpit-254-1.mga8.src.rpm

Source RPM: cockpit-250-1.mga9.src.rpm => cockpit-232-1.mga8.src.rpm

Comment 3 Herman Viaene 2021-10-04 15:33:15 CEST
MGA8-64 Plasma on Lenovo B50
No installation issues.
Found https://www.unixmen.com/cockpit-a-beginner-friendly-server-administration-tool/ as a help to test this.
At CLI:
# systemctl -l status cockpit
● cockpit.service - Cockpit Web Service
     Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static)
     Active: inactive (dead)
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)

# systemctl  start cockpit

# systemctl -l status cockpit
● cockpit.service - Cockpit Web Service
     Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static)
     Active: active (running) since Mon 2021-10-04 15:20:34 CEST; 5s ago
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
    Process: 10905 ExecStartPre=/usr/libexec/cockpit-certificate-ensure (code=exited, status=0/SUCCESS)
   Main PID: 10927 (cockpit-tls)
      Tasks: 1 (limit: 9402)
     Memory: 1.4M
        CPU: 155ms
     CGroup: /system.slice/cockpit.service
             └─10927 /usr/libexec/cockpit-tls

okt 04 15:20:34 mach5.hviaene.thuis systemd[1]: Starting Cockpit Web Service...
okt 04 15:20:34 mach5.hviaene.thuis cockpit-certificate-ensure[10916]: /usr/libexec/cockpit-certificate-helper: regel 32: sscg: opdracht niet gevonden
okt 04 15:20:34 mach5.hviaene.thuis cockpit-certificate-ensure[10917]: Generating a RSA private key
okt 04 15:20:34 mach5.hviaene.thuis cockpit-certificate-ensure[10917]: ..........................................+++++
okt 04 15:20:34 mach5.hviaene.thuis cockpit-certificate-ensure[10917]: ...........+++++
okt 04 15:20:34 mach5.hviaene.thuis cockpit-certificate-ensure[10917]: writing new private key to '0-self-signed.key'
okt 04 15:20:34 mach5.hviaene.thuis cockpit-certificate-ensure[10917]: -----
okt 04 15:20:34 mach5.hviaene.thuis systemd[1]: Started Cockpit Web Service.

Then opened port 9090 in firewall and pointed Firefox at http://localhost:9090
Webpage opened and gives a nice overview and statistics of some aspects of the system.
Good to go.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2021-10-04 20:01:46 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-06 20:09:44 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2021-10-06 21:43:30 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0467.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

