Cockpit 314

Cockpit is the modern Linux admin interface. We release regularly.

Here are the release notes from Cockpit 314 and cockpit-ostree 201:

Diagnostic reports: Fix command injection vulnerability with crafted report names

Cockpit 270 introduced a possible local privilege escalation vulnerability in the deletion of diagnostic reports (sosreport). Files in /var/tmp/ are controllable by any user. In particular, an unprivileged user could create an sosreport* file whose name contains a ' followed by a shell command, which would then run with root privileges when the admin Cockpit user tried to delete the report.

This Cockpit version fixes the problem by removing the files with direct system calls instead of a shell command.

This is tracked as CVE-2024-2947. If you need to backport this to older cockpit versions, you can apply the upstream patch.

If you cannot update or patch, then check the displayed report file names for non-standard characters, in particular ', $, ( and `, and don’t use Cockpit’s Diagnostic reports page to delete them.
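As an added illustration (not Cockpit's own code, and not the upstream patch), the following Python contrasts the two deletion patterns described above: a shell command with the report name pasted inside single quotes, and a direct unlink on a validated name. The sosreport-style name regex, the scratch directory standing in for /var/tmp/, and the file names are constructed assumptions for the example.

```python
import os
import re
import shlex
import tempfile

def unsafe_shell_command(report_path: str) -> str:
    # The vulnerable pattern: the report name is pasted into a shell
    # command inside single quotes. A name containing ' closes the quote
    # early, and everything after it is parsed as further shell syntax.
    return "rm -f '" + report_path + "'"

def shell_argv(command: str) -> list:
    # How a POSIX shell tokenises the command (quote-aware split).
    return shlex.split(command)

def name_is_safe(name: str) -> bool:
    # Defensive check matching the mitigation in the release notes: accept
    # only ordinary sosreport-style names; anything containing ', $, (, `
    # or other shell syntax is rejected rather than quoted.
    return re.fullmatch(r"sosreport-[A-Za-z0-9._-]+", name) is not None

def delete_report(report_dir: str, name: str) -> bool:
    # The fixed pattern: no shell at all. The name is validated, joined
    # into a path and removed with a direct system call.
    if not name_is_safe(name):
        return False
    os.unlink(os.path.join(report_dir, name))
    return True

def demo() -> dict:
    # Constructed scenario in a scratch directory standing in for /var/tmp/.
    with tempfile.TemporaryDirectory() as report_dir:
        good = "sosreport-host-2024-03-01.tar.xz"
        crafted = "sosreport-x' extra '"   # constructed name that breaks the quoting
        for n in (good, crafted):
            open(os.path.join(report_dir, n), "w").close()
        return {
            "good_argv": shell_argv(unsafe_shell_command(good)),
            "crafted_argv": shell_argv(unsafe_shell_command(crafted)),
            "good_deleted": delete_report(report_dir, good),
            "crafted_deleted": delete_report(report_dir, crafted),
            "crafted_still_present": os.path.exists(os.path.join(report_dir, crafted)),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The crafted name turns one quoted argument into several shell words, which is exactly the boundary the direct unlink never crosses.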

Storage: Improvements to read-only encrypted filesystems

Cockpit now unlocks encrypted filesystems with a “read-only” encryption layer when the filesystem itself is mounted read-only.

Ostree: Show OCI container origin

cockpit-ostree now detects and shows the origin, repository, and branch name of native container repositories in both the “OSTree source” card and the deployment list:

screenshot of show oci container origin

Try it out

Cockpit 314 and cockpit-ostree 201 are available now: