@Marc, security team: I'd like your opinion/preference/guidance for mantic: It currently has upstream version 300.1. Half a year ago we did two more upstream point releases for critical bug fixes (aimed at and uploaded to RHEL): https://github.com/cockpit-project/cockpit/releases/tag/300.2 and https://github.com/cockpit-project/cockpit/releases/tag/300.3 . These got a lot of field testing now, and would be useful to fix in mantic as well.
So I can either cut a 300.4 on top of 300.3 and cherry-pick that sosreport patch, or if you don't want these, then a 300.1.1 with just the sosreport fix. It's also valid IMHO to just declare it as "wontfix" -- TBH most server users are going to stick to LTS, the sosreport plugin/page is not really that interesting for Ubuntu (there's apport and other support tools for Canonical), the vuln isn't *that* dramatic, and many Cockpit users use the official backports anyway.

--
https://bugs.launchpad.net/bugs/2060014
Title: CVE-2024-2947 command injection when deleting a sosreport with a crafted name
https://bugs.launchpad.net/ubuntu/+source/cockpit/+bug/2060014