Cockpit 314
Cockpit is the modern Linux admin interface. We release regularly.
Here are the release notes from Cockpit 314 and cockpit-ostree 201:
Diagnostic reports: Fix command injection vulnerability with crafted report names
Cockpit 270 introduced a possible local privilege escalation vulnerability in the deletion of diagnostic reports (sosreport). Files in /var/tmp/ are controllable by any user. In particular, an unprivileged user could create a file matching sosreport* whose name contains a single quote (') followed by a shell command; that command would then run with root privileges when a Cockpit administrator tried to delete the report.
This Cockpit version fixes the problem by removing the files with direct system calls instead of a shell command.
This is tracked as CVE-2024-2947. If you need to backport this to older cockpit versions, you can apply the upstream patch.
If you cannot update or patch, check the displayed report file names for non-standard characters, in particular ', $, ( and `, and do not use Cockpit's Diagnostic reports page to delete such reports.
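The following is an added example, not Cockpit's own code, that models the quoting bug described above: a shell command assembled from a report file name, next to the hardened form that passes argv without a shell, plus a name check of the kind the workaround above calls for. REPORT_DIR, the function names and the two sample file names are assumptions constructed for the example; the crafted name's payload is never executed, only parsed.

```javascript
// Added example (not Cockpit's code): models the quoting bug behind
// CVE-2024-2947 next to the hardened argv form and a workaround check.
// REPORT_DIR, function names and sample names are assumptions.
const REPORT_DIR = "/var/tmp";

// Vulnerable pattern: the report name is spliced into a single-quoted shell
// string. A name containing ' closes the quote, and whatever follows is
// parsed by the shell as further commands.
function unsafeDeleteCommand(name) {
  return `rm -f '${REPORT_DIR}/${name}'`;
}

// Hardened pattern: no shell at all. The full path is one argv element, so a
// quote, semicolon or $ inside the name is just a character of the path.
function safeDeleteArgv(name) {
  return ["rm", "-f", `${REPORT_DIR}/${name}`];
}

// Minimal model of POSIX shell word splitting: single quotes group characters
// literally, blanks separate words and an unquoted ';' ends a command.
// Returns a list of commands, each a list of words.
function shellCommands(line) {
  const commands = [];
  let words = [];
  let word = "";
  let haveWord = false;
  let inQuote = false;
  const endWord = () => {
    if (haveWord) { words.push(word); word = ""; haveWord = false; }
  };
  const endCommand = () => {
    endWord();
    if (words.length > 0) { commands.push(words); words = []; }
  };
  for (const ch of line) {
    if (inQuote) {
      if (ch === "'") inQuote = false; else word += ch;
    } else if (ch === "'") {
      inQuote = true; haveWord = true;   // '' still yields an (empty) word
    } else if (ch === ";") {
      endCommand();
    } else if (ch === " " || ch === "\t") {
      endWord();
    } else {
      word += ch; haveWord = true;
    }
  }
  endCommand();
  return commands;
}

// Workaround check for installations that cannot patch yet: allow only the
// characters that appear in genuine sosreport archive names. This is stricter
// than the list in the release notes (' $ ( `) and also rejects '/', so a
// name cannot point outside REPORT_DIR.
const SAFE_NAME = /^[A-Za-z0-9._-]+$/;
function isSafeReportName(name) {
  return SAFE_NAME.test(name);
}

// Constructed sample names: one genuine-looking archive and one crafted by an
// unprivileged user. The trailing "echo '" re-balances the quote so the
// assembled command line still parses.
const BENIGN_NAME = "sosreport-host-2024-03-27-abcdefg.tar.xz";
const CRAFTED_NAME = "sosreport-x'; id > /tmp/pwned; echo '";
```

Feeding CRAFTED_NAME through unsafeDeleteCommand and then shellCommands yields three commands, the second of which is the attacker's `id > /tmp/pwned`; the same name through safeDeleteArgv stays a single path argument, which is why removing the file without a shell closes the hole. isSafeReportName rejects the crafted name and accepts the genuine one.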
Storage: Improvements to read-only encrypted filesystems
Cockpit now unlocks encrypted filesystems with a “read-only” encryption layer when the filesystem itself is mounted read-only.
Ostree: Show OCI container origin
cockpit-ostree now detects and shows the origin, repository, and branch name of native container repositories in both the “OSTree source” card and the deployment list:
Try it out
Cockpit 314 and cockpit-ostree 201 are available now: