Important NethServer Cockpit security update

Summary

A security flaw was found in NethServer Cockpit.

Affected version

All NethServer 7 machines with the nethserver-cockpit package installed.

The NethServer 6 milestone is not affected.
All NethServer 7 machines where nethserver-cockpit is not installed are not affected.

Solution

Make sure to have installed the latest release of nethserver-cockpit: nethserver-cockpit-0.4.2-1.ns7.noarch.

Updates will be released to master mirror on Tuesday, March 26 2019 at 9:00 CET.

To install the update:

yum clean all && yum update nethserver-cockpit

Bug

https://github.com/NethServer/dev/issues/5738

Further details will be available from the link above on Wednesday, March 27 2019.

Disclosure process

The disclosure process has been already discussed in this thread.

4 Likes
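Added example, not part of the advisory or the NethServer project: a POSIX shell check that classifies a NethServer 7 host as not affected, vulnerable, or fixed from the text printed by rpm -q nethserver-cockpit, using the fixed version named above. The version-comparison helper, the function names, and the sample rpm outputs are constructed here for illustration.

```shell
#!/bin/sh
# Fixed version from the advisory; anything older is still vulnerable.
FIXED_VERSION="0.4.2-1.ns7"

# vercmp A B: compare two "version-release" strings field by field
# (fields split on "." and "-"; numeric fields compare numerically,
# other fields lexically). Prints -1, 0 or 1 like strcmp.
# Constructed helper; it is not rpm's own comparison algorithm.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] : ""; q = (i <= nb) ? y[i] : ""
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { p += 0; q += 0 }
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# cockpit_status "<rpm -q output>": prints not-affected, vulnerable or fixed.
cockpit_status() {
    case "$1" in
        "package nethserver-cockpit is not installed"*)
            echo "not-affected"; return 0 ;;
    esac
    # "nethserver-cockpit-0.4.1-1.ns7.noarch" -> "0.4.1-1.ns7"
    ver=${1#nethserver-cockpit-}
    ver=${ver%.noarch}
    if [ "$(vercmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Run the check against the machine this script is executed on.
check_this_host() {
    cockpit_status "$(rpm -q nethserver-cockpit 2>&1)"
}

# Constructed sample outputs, as rpm -q would print them on three hosts.
cockpit_status "nethserver-cockpit-0.4.1-1.ns7.noarch"        # vulnerable
cockpit_status "nethserver-cockpit-0.4.2-1.ns7.noarch"        # fixed
cockpit_status "package nethserver-cockpit is not installed"  # not-affected
```

Call check_this_host on a NethServer 7 machine after yum update to confirm the host reports fixed.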

Thanks for reporting. I’m afraid yum update nethserver-cockpit installs 0.4.1-1.ns7. Should we use the testing repo?

That package is still not released:

Will there be a specific instruction? Or will a common yum update roll the process as usual?

I will update the instructions as soon as the package has been released, but a simple `yum update` should do the job :slight_smile:

1 Like

Sad to see that this “Important NethServer Cockpit security update” was unpinned in a few hours.
Two packages were downloaded during the update, only available in mirrors (for my installation) a few minutes ago.

If it was worth pinning, why has it been unpinned so fast? Not even 48 hours…

Discourse platform feature: once you’ve read a globally-pinned topic it becomes unpinned by your side only!

If you don’t believe me, open community.nethserver.org in a private browser tab :innocent:

Opened in a private tab and you’re right. You’re completely innocent. Complete exoneration! :joy:

BTW: updated cockpit to 0.4.2-1 without issue. :+1:

Did you update a subscription?

It’s worth noting that the fix has been released also for #subscription and Enterprise versions!

1 Like

No, only a test VM. Sorry. I don’t want to install cockpit on my production machine as long as it’s a testing version. Is nethserver-cockpit-0.4.2-1 stable and safe enough for production?

It’s not a feature: it’s a BUG! :rofl::rofl::rofl:

I won’t suggest using it on a production machine. The development model of the project seems quite safe to me (but I am no expert), but I won’t use Cockpit in production until a few months after release.

1 Like

Not at all, it’s perfectly sensible. If you’ve already read it, why does it need to be at the top of your list?

2 Likes

You’re right, it’s not a normal forum but a smart one. Discourse is sure that you already read that.