[El-errata] ELSA-2026-7383 Critical: Oracle Linux 10 cockpit: Unauthenticated remote code execution due to SSH command-line argument injection
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Wed Apr 15 07:56:24 UTC 2026
Oracle Linux Security Advisory ELSA-2026-7383
http://linux.oracle.com/errata/ELSA-2026-7383.html
The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:
x86_64:
cockpit-344-3.0.1.el10_1.x86_64.rpm
cockpit-bridge-344-3.0.1.el10_1.noarch.rpm
cockpit-doc-344-3.0.1.el10_1.noarch.rpm
cockpit-packagekit-344-3.0.1.el10_1.noarch.rpm
cockpit-storaged-344-3.0.1.el10_1.noarch.rpm
cockpit-system-344-3.0.1.el10_1.noarch.rpm
cockpit-ws-344-3.0.1.el10_1.x86_64.rpm
cockpit-ws-selinux-344-3.0.1.el10_1.x86_64.rpm
aarch64:
cockpit-344-3.0.1.el10_1.aarch64.rpm
cockpit-bridge-344-3.0.1.el10_1.noarch.rpm
cockpit-doc-344-3.0.1.el10_1.noarch.rpm
cockpit-packagekit-344-3.0.1.el10_1.noarch.rpm
cockpit-storaged-344-3.0.1.el10_1.noarch.rpm
cockpit-system-344-3.0.1.el10_1.noarch.rpm
cockpit-ws-344-3.0.1.el10_1.aarch64.rpm
cockpit-ws-selinux-344-3.0.1.el10_1.aarch64.rpm
SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/cockpit-344-3.0.1.el10_1.src.rpm
Related CVEs:
CVE-2026-4631
Description of changes:
[344-3.0.1]
- Storage: Enable btrfs support [Orabug: 37464632]
- Replaced upstream urls in documentation with oracle links [Orabug: 36528753]
- Drop subscription-manager-cockpit requirement for ol [Orabug: 34681110]
- Remove duplicate reference to server in cockpit [Orabug: 34030494]
- Update documentation links [Orabug: 30271413], [Orabug: 32013095],
[Orabug: 32795691], [Orabug: 34398512], [Orabug: 34742876], [Orabug: 37253273]
- Update spec file for new release
[344-3]
- correctly apply CVE patches (CVE-2026-4631)
* Wed Mar 25 2026 Jelle van der Waa <jvanderw at redhat.com> - 344-3
- ws: be more explicit when handling hostnames on cli (CVE-2026-4631)