giacomo
(Giacomo Sanchietti)
March 25, 2019, 9:55am
Summary
A security flaw was found in NethServer Cockpit.
Affected version
All NethServer 7 machines with the nethserver-cockpit package installed.
NethServer 6 milestone is not affected.
All NethServer 7 machines where nethserver-cockpit is not installed are not affected.
Solution
Make sure to have installed the latest release of nethserver-cockpit: nethserver-cockpit-0.4.2-1.ns7.noarch.
Updates will be released to master mirror on Tuesday, March 26 2019 at 9:00 CET.
To install the update:
yum clean all && yum update nethserver-cockpit
Bug
https://github.com/NethServer/dev/issues/5738
Further details will be available from the link above on Wednesday, March 27 2019.
Disclosure process
The disclosure process has already been discussed in this thread.
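The advisory above tells you which package release closes the flaw and how to pull it with yum, but it does not show how to confirm afterwards that a host is actually at or above the fixed release. The script below is an added example, not part of the advisory or of the NethServer project: it parses the name-version-release.arch string that `rpm -q nethserver-cockpit` prints and compares it against the fixed release named in the post. The constants FIXED_VERSION and FIXED_RELEASE, the function names and the sample package strings are assumptions made here for illustration.

```sh
#!/bin/sh
# Added example (not NethServer project code): verify that the installed
# nethserver-cockpit package is at least the fixed release from the advisory.
# Assumes a NethServer 7 (CentOS 7, rpm/yum) host; 'rpm -q' prints NVRA as
# name-version-release.arch, e.g. nethserver-cockpit-0.4.2-1.ns7.noarch.

FIXED_VERSION="0.4.2"   # from the advisory: nethserver-cockpit-0.4.2-1.ns7
FIXED_RELEASE="1"

# version_ge A B: return 0 if dotted numeric version A >= B, else 1.
# Missing components are treated as 0, so 0.4 == 0.4.0 and 0.4.10 > 0.4.2.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# cockpit_is_fixed NVRA: return 0 if the package string is at or above
# FIXED_VERSION-FIXED_RELEASE, 1 otherwise.
cockpit_is_fixed() {
    nvra="$1"
    nvr="${nvra%.*}"        # drop ".noarch"  -> name-0.4.2-1.ns7
    rel="${nvr##*-}"        # "1.ns7"
    relnum="${rel%%.*}"     # "1" (numeric release, dist tag dropped)
    nv="${nvr%-*}"          # "nethserver-cockpit-0.4.2"
    ver="${nv##*-}"         # "0.4.2"
    version_ge "$ver" "$FIXED_VERSION" || return 1
    if version_ge "$FIXED_VERSION" "$ver"; then
        # Same upstream version: the release number decides.
        if [ "$relnum" -ge "$FIXED_RELEASE" ]; then return 0; else return 1; fi
    fi
    return 0
}

# check_host: query the local rpm database and report. A host without the
# package at all is not affected, per the advisory.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; run this on the NethServer host"; return 2
    fi
    if ! installed=$(rpm -q nethserver-cockpit 2>/dev/null); then
        echo "nethserver-cockpit not installed: not affected"; return 0
    fi
    if cockpit_is_fixed "$installed"; then
        echo "OK: $installed is at or above ${FIXED_VERSION}-${FIXED_RELEASE}"; return 0
    fi
    echo "VULNERABLE: $installed; run: yum clean all && yum update nethserver-cockpit"
    return 1
}

# Run the live check only when invoked as: sh check-cockpit.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it on each NethServer 7 host with `--check` after the mirrors have been updated; a non-zero exit means the host still carries a pre-fix release (the 0.4.1-1.ns7 build that some people saw before the update reached the mirrors is a realistic pre-fix input).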
pagaille
(Matthieu Gaillet)
March 25, 2019, 10:08am
Thanks for reporting. I’m afraid yum update nethserver-cockpit installs 0.4.1-1.ns7. Should we use the testing repo?
davidep
(Davide Principi)
March 25, 2019, 11:27am
That package is still not released:
pike
(Michael Kicks)
March 25, 2019, 3:17pm
Will there be a specific instruction? Or will a common yum update roll the process as usual?
giacomo
(Giacomo Sanchietti)
March 25, 2019, 3:52pm
I will update the instructions as soon as the package has been released, but a simple `yum update` should do the job.
pike
(Michael Kicks)
March 26, 2019, 10:27am
Sad to see that this “Important NethServer Cockpit security update” was unpinned within a few hours.
Two packages were downloaded during the update, only available in the mirrors (for my installation) a few minutes ago.
If it was worth pinning, why has it been unpinned so fast? Not even 48 hours…
davidep
(Davide Principi)
March 26, 2019, 11:27am
Discourse platform feature: once you’ve read a globally-pinned topic it becomes unpinned on your side only!
If you don’t believe me, open community.nethserver.org in a private browser tab
flatspin
(Ralf Jeckel)
March 26, 2019, 11:56am
Opened it in a private tab and you’re right. You’re completely innocent. Complete exoneration!
BTW: updated cockpit to 0.4.2-1 without issue.
davidep
(Davide Principi)
March 26, 2019, 12:02pm
Did you update a subscription?
It’s worth noting that the fix has been released also for #subscription and Enterprise versions!
flatspin
(Ralf Jeckel)
March 26, 2019, 12:36pm
No, only a test VM. Sorry. I don’t want to install cockpit on my production machine as long as it’s a testing version. Is nethserver-cockpit-0.4.2-1 stable and safe enough for production?
pike
(Michael Kicks)
March 26, 2019, 12:47pm
It’s not a feature: it’s a BUG!
I wouldn’t suggest using it on a production machine. The development model of the project seems quite safe to me (but I am no expert), but I won’t use Cockpit on production until a few months after release.
danb35
(Dan)
March 26, 2019, 12:58pm
Not at all, it’s perfectly sensible. If you’ve already read it, why does it need to be at the top of your list?
You’re right, it’s not a normal forum but a smart one. Discourse is sure that you already read that.