Bug 29890 - cockpit new security issue CVE-2021-3698
Summary: cockpit new security issue CVE-2021-3698
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
Reported: 2022-01-15 00:53 CET by David Walser
Modified: 2022-05-25 20:47 CEST

See Also:
Source RPM: cockpit-254-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-01-15 00:53:35 CET
Fedora has issued an advisory on January 13:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EQMXNPLHTVOJTHN77TVX6PJKES73UN4F/

Mageia 8 is also affected.
David Walser 2022-01-15 00:53:51 CET

Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-01-15 20:49:13 CET
Assigning to joequant, by far the main committer of this SRPM.

Assignee: bugsquad => joequant

Comment 2 David Walser 2022-05-10 16:17:00 CEST
RedHat has issued an advisory for this today (May 10):
https://access.redhat.com/errata/RHSA-2022:2008

CC: (none) => mageia

Comment 3 David Walser 2022-05-18 19:15:38 CEST
Updated packages submitted for Mageia 8 and Cauldron by papoteur.

cockpit-system-269-1.mga8
cockpit-ws-269-1.mga8
cockpit-storaged-269-1.mga8
cockpit-bridge-269-1.mga8
cockpit-packagekit-269-1.mga8
cockpit-networkmanager-269-1.mga8
cockpit-tests-269-1.mga8
cockpit-sosreport-269-1.mga8
cockpit-269-1.mga8
cockpit-doc-269-1.mga8

from cockpit-269-1.mga8.src.rpm

Sysadmins, the accidentally submitted Mageia 8 tainted build needs to be removed.

Assignee: joequant => qa-bugs
Whiteboard: MGA8TOO => (none)
CC: (none) => sysadmin-bugs, yves.brungard_mageia
Version: Cauldron => 8

Comment 4 Thomas Andrews 2022-05-24 02:50:40 CEST
Tested in VirtualBox. No installation issues. Referenced Bug 29518 for testing procedure:

[root@localhost ~]# systemctl -l status cockpit
● cockpit.service - Cockpit Web Service
     Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static)
     Active: inactive (dead)
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
[root@localhost ~]# systemctl start cockpit
[root@localhost ~]# systemctl -l status cockpit
● cockpit.service - Cockpit Web Service
     Loaded: loaded (/usr/lib/systemd/system/cockpit.service; static)
     Active: active (running) since Mon 2022-05-23 20:35:00 EDT; 7s ago
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
    Process: 19334 ExecStartPre=/usr/libexec/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
   Main PID: 19354 (cockpit-tls)
      Tasks: 1 (limit: 4695)
     Memory: 1.4M
        CPU: 236ms
     CGroup: /system.slice/cockpit.service
             └─19354 /usr/libexec/cockpit-tls

May 23 20:35:00 localhost.localdomain systemd[1]: Starting Cockpit Web Service...
May 23 20:35:00 localhost.localdomain cockpit-certificate-ensure[19346]: /usr/libexec/cockpit-certificate-helper: line 32: sscg: command not found
May 23 20:35:00 localhost.localdomain cockpit-certificate-ensure[19347]: Generating a RSA private key
May 23 20:35:00 localhost.localdomain cockpit-certificate-ensure[19347]: ...................................................+++++
May 23 20:35:00 localhost.localdomain cockpit-certificate-ensure[19347]: .................................................................+++++
May 23 20:35:00 localhost.localdomain cockpit-certificate-ensure[19347]: writing new private key to '0-self-signed.key'
May 23 20:35:00 localhost.localdomain cockpit-certificate-ensure[19347]: -----
May 23 20:35:00 localhost.localdomain systemd[1]: Started Cockpit Web Service.

Opened port 9090, and pointed Firefox to http://localhost:9090/. Logged in, and saw a web page with system information. Explored around a bit, but did not try to change or open anything. No issues noted.

That was good enough for Herman last time, so it's good enough for me now. Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm

Dave Hodgins 2022-05-25 02:30:18 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-05-25 20:47:29 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0202.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

