====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: cockpit security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:2008-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:2008
Issue date:        2022-05-10
CVE Names:         CVE-2021-3660 CVE-2021-3698 
====================================================================
1. Summary:

An update for cockpit is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Cockpit enables users to administer GNU/Linux servers using a web browser.
It offers network configuration, log inspection, diagnostic reports,
SELinux troubleshooting, interactive command-line sessions, and more.

The following packages have been upgraded to a later upstream version:
cockpit (264.1). (BZ#1984902, BZ#1992620, BZ#2004041, BZ#2008208)

Security Fix(es):

* cockpit: authenticates with revoked certificates (CVE-2021-3698)

* cockpit: pages vulnerable to clickjacking (CVE-2021-3660)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.6 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1792270 - [RFE] Display "User Services" tab in Services panel
1980688 - CVE-2021-3660 cockpit: pages vulnerable to clickjacking
1992149 - CVE-2021-3698 cockpit: authenticates with revoked certificates
2004041 - kdump configuration wizard must ask for path for NFS
2008208 - TestServices.testLogs is failing on retries, breaks reverse dependencies gating tests
2016998 - [cockpit] RHEL 8.6 Tier 0 Localization
2018382 - [cockpit 8.5] [ja_JP] Few strings not localized on Overview page
2018384 - [cockpit 8.5] [ja_JP, zh_CN] Few strings not localized on Networking Page
2018417 - [cockpit 8.5] [zh_CN] Few strings not localized on Diagnostic Reports Page
2029982 - Cockpit 251 Administrative Access MFA Prompt Window Broken
2056386 - Failed to configure IPv4 and IPv6 types in Bond: NM always rolls back to previous checkpoint

6. Package List:

Red Hat Enterprise Linux BaseOS (v. 8):

Source:
cockpit-264.1-1.el8.src.rpm

aarch64:
cockpit-264.1-1.el8.aarch64.rpm
cockpit-bridge-264.1-1.el8.aarch64.rpm
cockpit-debuginfo-264.1-1.el8.aarch64.rpm
cockpit-debugsource-264.1-1.el8.aarch64.rpm
cockpit-ws-264.1-1.el8.aarch64.rpm

noarch:
cockpit-doc-264.1-1.el8.noarch.rpm
cockpit-system-264.1-1.el8.noarch.rpm

ppc64le:
cockpit-264.1-1.el8.ppc64le.rpm
cockpit-bridge-264.1-1.el8.ppc64le.rpm
cockpit-debuginfo-264.1-1.el8.ppc64le.rpm
cockpit-debugsource-264.1-1.el8.ppc64le.rpm
cockpit-ws-264.1-1.el8.ppc64le.rpm

s390x:
cockpit-264.1-1.el8.s390x.rpm
cockpit-bridge-264.1-1.el8.s390x.rpm
cockpit-debuginfo-264.1-1.el8.s390x.rpm
cockpit-debugsource-264.1-1.el8.s390x.rpm
cockpit-ws-264.1-1.el8.s390x.rpm

x86_64:
cockpit-264.1-1.el8.x86_64.rpm
cockpit-bridge-264.1-1.el8.x86_64.rpm
cockpit-debuginfo-264.1-1.el8.x86_64.rpm
cockpit-debugsource-264.1-1.el8.x86_64.rpm
cockpit-ws-264.1-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
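As an added example that is not part of this advisory or of Red Hat's tooling: a Python check that reads the output of `rpm -qa 'cockpit*'` and reports any package from the list above that is still older than the fixed build cockpit-264.1-1.el8. It orders versions the way rpm does (digit runs compared numerically, letters lexically, a '~' segment sorting lowest) rather than by plain string comparison, so builds such as 251.3 or a hypothetical 264.1~rc1 are correctly flagged. The set of package names, an assumed epoch of 0, and the sample `rpm -qa` lines are all constructed here.

```python
import re
# Added example, not Red Hat tooling: flag installed cockpit packages (lines of
# `rpm -qa 'cockpit*'`) older than this advisory's cockpit-264.1-1.el8 (epoch assumed 0).
FIXED_EVR = (0, "264.1", "1.el8")
FIXED_NAMES = {"cockpit", "cockpit-bridge", "cockpit-ws", "cockpit-system", "cockpit-doc",
               "cockpit-debuginfo", "cockpit-debugsource"}
_SEG = re.compile(r"\d+|[a-zA-Z]+|~")
_NEVRA = re.compile(r"^(?P<n>.+)-(?P<e>\d+:)?(?P<v>[^-]+)-(?P<r>[^-]+)\.(?P<a>[^.]+)$")

def rpmvercmp(a: str, b: str) -> int:
    """rpm's ordering (-1/0/1): digit/letter runs are compared in turn, digits numerically,
    letters lexically, digits beat letters, separators are ignored; '~' sorts lowest (264.1~rc1 < 264.1)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if "~" in (x, y):                    # a '~' segment loses against anything else
            if x != y:
                return -1 if x == "~" else 1
        elif x.isdigit() != y.isdigit():     # a numeric run beats an alphabetic one
            return 1 if x.isdigit() else -1
        elif x.isdigit():                    # numeric: the longer zero-stripped run is larger
            x, y = x.lstrip("0"), y.lstrip("0")
            x, y = (len(x), x), (len(y), y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign   # leftover '~' loses

def evrcmp(a, b) -> int:                     # (epoch, version, release); epoch dominates
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def parse_nevra(s: str):
    """Split 'name-[epoch:]version-release.arch[.rpm]' into (name, EVR, arch)."""
    m = _NEVRA.match(s.strip().removesuffix(".rpm"))
    if not m:
        raise ValueError(f"not a NEVRA: {s!r}")
    return m["n"], (int(m["e"][:-1]) if m["e"] else 0, m["v"], m["r"]), m["a"]

def still_vulnerable(rpm_qa_lines):
    """Return the installed NEVRAs covered by this advisory that predate the fixed build."""
    parsed = [(parse_nevra(line), line.strip()) for line in rpm_qa_lines]
    return [raw for (name, evr, _arch), raw in parsed
            if name in FIXED_NAMES and evrcmp(evr, FIXED_EVR) < 0]

# Constructed sample of `rpm -qa` output, not taken from a real host.
SAMPLE = ["cockpit-ws-251.3-1.el8.x86_64", "cockpit-bridge-264.1-1.el8.x86_64",
          "cockpit-system-264.1-1.el8.noarch", "cockpit-264.1~rc1-1.el8.x86_64"]
```

Feeding real `rpm -qa 'cockpit*'` output to still_vulnerable() returns the packages that still need this update; an empty list means every cockpit package named here is at or above 264.1-1.el8.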

7. References:

https://access.redhat.com/security/cve/CVE-2021-3660
https://access.redhat.com/security/cve/CVE-2021-3698
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce
