[El-errata] ELSA-2026-7384 Critical: Oracle Linux 9 cockpit: Unauthenticated remote code execution due to SSH command-line argument injection

[Errata Announcements for Oracle Linux]

Oracle Linux Security Advisory ELSA-2026-7384

http://linux.oracle.com/errata/ELSA-2026-7384.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
cockpit-344-2.0.1.el9_7.x86_64.rpm
cockpit-bridge-344-2.0.1.el9_7.noarch.rpm
cockpit-doc-344-2.0.1.el9_7.noarch.rpm
cockpit-packagekit-344-2.0.1.el9_7.noarch.rpm
cockpit-storaged-344-2.0.1.el9_7.noarch.rpm
cockpit-system-344-2.0.1.el9_7.noarch.rpm
cockpit-ws-344-2.0.1.el9_7.x86_64.rpm
cockpit-ws-selinux-344-2.0.1.el9_7.x86_64.rpm

aarch64:
cockpit-344-2.0.1.el9_7.aarch64.rpm
cockpit-bridge-344-2.0.1.el9_7.noarch.rpm
cockpit-doc-344-2.0.1.el9_7.noarch.rpm
cockpit-packagekit-344-2.0.1.el9_7.noarch.rpm
cockpit-storaged-344-2.0.1.el9_7.noarch.rpm
cockpit-system-344-2.0.1.el9_7.noarch.rpm
cockpit-ws-344-2.0.1.el9_7.aarch64.rpm
cockpit-ws-selinux-344-2.0.1.el9_7.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/cockpit-344-2.0.1.el9_7.src.rpm

Related CVEs:

CVE-2026-4631




Description of changes:

[344-2.0.1]
- Storage: Enable btrfs support [Orabug: 37464632]
- Replaced upstream urls in documentation with oracle links [Orabug: 36528753]
- Drop subscription-manager-cockpit requirement for ol [Orabug: 34681110]
- Remove duplicate reference to server in cockpit [Orabug: 34030494]
- Update documentation links [Orabug: 30271413], [Orabug: 32013095],
  [Orabug: 32795691], [Orabug: 34398512], [Orabug: 34742876], [Orabug: 37253273]
- Update spec file for new release

[344]
- Remove recommends on subscription-manager-cockpit if applicable

* Fri Mar 27 2026 Jelle van der Waa <jvanderw at redhat.com - 344-2
- ws: be more explicit when handling hostnames on cli (CVE-2026-4631)