Linux security roundup

A weekly Linux security roundup highlights a critical Cockpit flaw in Red Hat and related distributions, Debian advisories covering packages such as ClamAV, inetutils, WebKit2GTK and GDK-Pixbuf, and SUSE fixes for crun, tekton-cli and Python builds. Together the notices point to a busy patch cycle for the supporting stack that often surrounds macOS build and CI infrastructure. (linuxcompatible.org)

Linux administrators are starting the week with a stack of fresh security fixes, led by a critical Red Hat Cockpit flaw and new Debian and SUSE advisories published on April 11 and April 12. (linuxcompatible.org)

Red Hat’s weekly wave centers on Cockpit, the web-based server console. LinuxCompatible says RHSA-2026:7382 through RHSA-2026:7384 fix an SSH command-line argument injection bug that could let an unauthenticated attacker execute code on newer platforms. Red Hat’s advisory for RHSA-2026:7382 lists CVE-2026-4631 in Cockpit’s web service component. (linuxcompatible.org) (access.redhat.com)

Debian’s April 11 advisories hit software that sits close to everyday admin and desktop workflows. Debian LTS advisory DLA-4527-1 says inetutils in Debian 11 Bullseye was fixed in version 2:2.0-1+deb11u4 after flaws in telnet and telnetd exposed information disclosure, privilege escalation, and potential pre-login remote code execution paths. (debian.org) (linuxcompatible.org) Another Debian LTS notice, DLA-4528-1, updated WebKit2GTK in Bullseye to 2.50.6-1~deb11u1 after a web extension tracking issue identified as CVE-2026-20676. Debian also pushed DSA-6206-1 for GDK-Pixbuf, fixing oldstable Bookworm in 2.42.10+dfsg-1+deb12u4 and stable Trixie in 2.42.12+dfsg-4+deb13u1. (debian.org) (lists.debian.org)

These packages are not fringe components. Cockpit is a browser front end for Linux servers, WebKit2GTK is the browser engine embedded in many Linux desktop applications, GDK-Pixbuf is the image-loading library that parses untrusted image files for GTK desktops, and inetutils still ships classic network tools such as telnetd. (access.redhat.com) (debian.org) (lists.debian.org)

The same patch cycle reaches the tooling around build and release systems. LinuxCompatible’s SUSE roundup says openSUSE Tumbleweed updates published on April 12 cover crun 1.27-1.1, tekton-cli 0.44.1-1.1, and python315 3.15.0~a8-1.1, alongside other packages on the distribution’s GA media. (linuxcompatible.org) That matters for teams that use Linux hosts to build software for other platforms, including Apple environments. tekton-cli (the tkn binary) is the command-line client for Tekton continuous integration and delivery pipelines, and its documentation includes macOS installation through Homebrew and Darwin release tarballs. (github.com) (linuxcompatible.org)

SUSE’s April 7 Python advisory, SUSE-SU-2026:1206-1, shows how deep the fixes run into the supporting stack. It patches four issues, including XML parsing that can trigger a C stack overflow, cookie parsing that can bypass input validation, and a webbrowser.open bug that can lead to command-line option injection. (suse.com)

Debian’s ClamAV update is less specific in the LinuxCompatible digest, but Debian’s security tracker shows several 2025 and 2026 ClamAV issues fixed in newer Bullseye, Bookworm, and Trixie packages. That puts antivirus, browser, image, container, and pipeline tooling in the same week’s maintenance queue. (linuxcompatible.org) (security-tracker.debian.org)

The immediate task is not a single emergency patch but a broad update sweep. Red Hat, Debian, and SUSE all published fixes within days of each other, and the affected software runs from server consoles to CI tools that many shops treat as background plumbing until a security bulletin says otherwise. (linuxcompatible.org) (debian.org) (suse.com)

Shared from Scout.