
SUSE alert SUSE-SU-2026:20538-1 (cockpit-machines, cockpit)

From:  SLE-SECURITY-UPDATES <null@suse.de>
To:  sle-security-updates@lists.suse.com
Subject:  SUSE-SU-2026:20538-1: important: Security update for cockpit-machines, cockpit
Date:  Thu, 05 Mar 2026 13:35:03 -0000
Message-ID:  <177271770312.1901.15431788593843984969@13ea24840d99>

# Security update for cockpit-machines, cockpit

Announcement ID: SUSE-SU-2026:20538-1
Release Date: 2026-02-17T14:06:44Z
Rating: important

References:

* bsc#1221342
* bsc#1236149
* bsc#1239759
* bsc#1248250
* bsc#1249828
* bsc#1249830
* bsc#1257324
* bsc#1257325

Cross-References:

* CVE-2025-13465

CVSS scores:

* CVE-2025-13465 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
* CVE-2025-13465 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
* CVE-2025-13465 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2025-13465 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products:

* SUSE Linux Micro 6.2

An update that solves one vulnerability and has seven fixes can now be installed.

## Description:

This update for cockpit-machines, cockpit fixes the following issues:

* CVE-2025-13465: Update the lodash dependency to avoid prototype pollution. (bsc#1257324)

Changes in cockpit-machines:

* Update to 346
  * 346
    * Performance improvements
    * Translation updates
  * 345
    * New virtual machines don't get SPICE graphics anymore
    * Support for network port forwarding
    * Bug fixes and translation updates
* Update to 344
  * 344
    * Port forwarding for user session VMs
    * "Shutdown and restart" action
    * Faster startup
  * 343
    * Memory usage now shows numbers reported by the guest (RHEL-116731)
* Update to 342
  * 342
    * Bug fixes and translation updates
  * 341
    * Improved UX for Disks and Network interface tables
    * Bug fixes and translation updates
  * 340
    * Use exclusive VNC connections with "Remote resizing"
* Update to 339
  * 339
    * Serial consoles now keep their content and stay alive
    * No longer copies qemu.conf values into VM definitions
  * 338
    * Translation and dependency updates
    * Detachable VNC console
* Update to 337
  * 337
    * Bug fixes and translation updates
  * 336
    * Graphical VNC and serial consoles improvements
    * Control VNC console resizing and scaling
    * Bug fixes and translation updates
  * 335
    * Bug fixes and translation updates
  * 334
    * Bug fixes and translation updates

Changes in cockpit:

* Update to 354
  * changes since 351
  * 354
    * Convert documentation to AsciiDoc
    * Work around Firefox 146/147 bug (rhbz#2422331)
    * Bug fixes
  * 353
    * Networking: Suggest prefix length and gateway address
    * Bug fixes and translation updates
  * 352
    * Show a warning if the last shutdown/reboot was unclean
    * Bug fixes and translation updates
* Update to 351
  * Changes since 349
  * 351
    * Firewall ports can be deleted individually
  * 350
    * networking: fix renaming of bridges and other groups (RHEL-117883)
    * bridge: fix OpenSSH_10.2p1 host key detection
* Update to 349
  * Changes since 346
  * 349
    * Package manifests: add any test
    * Bug fixes and translation updates
  * 348
    * Bug fixes and translation updates
  * 347
    * Site-specific branding support
* Update to 346
  * Changes since 344
  * 346
    * Support branding Cockpit pages
    * Storage: Support for Stratis "V2" pools
  * 345
    * Translation and dependency updates
    * Shorter IPv6 addresses
    * IPv6 addresses for WireGuard
* Update to 344
  * Changes since 340
  * 344
    * Bug fixes and translation updates
  * 343
    * login: Improve error message for unsupported shells
    * cockpit: Handle file access issues with files in machines.d
    * Translation updates
  * 342
    * systemd: ensure update() is called at least once for tuned-dialog
    * Translation updates
  * 341
    * services: show link to podman page for quadlets
    * Bug fixes and translation updates

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* SUSE Linux Micro 6.2
  zypper in -t patch SUSE-SL-Micro-6.2-291=1

## Package List:

* SUSE Linux Micro 6.2 (noarch)
  * cockpit-kdump-354-160000.1.1
  * cockpit-system-354-160000.1.1
  * cockpit-machines-346-160000.1.1
  * cockpit-networkmanager-354-160000.1.1
  * cockpit-selinux-354-160000.1.1
  * cockpit-storaged-354-160000.1.1
  * cockpit-bridge-354-160000.1.1
  * cockpit-firewalld-354-160000.1.1
* SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
  * cockpit-ws-debuginfo-354-160000.1.1
  * cockpit-debugsource-354-160000.1.1
  * cockpit-ws-selinux-354-160000.1.1
  * cockpit-ws-354-160000.1.1
  * cockpit-354-160000.1.1

## References:

* https://www.suse.com/security/cve/CVE-2025-13465.html
* https://bugzilla.suse.com/show_bug.cgi?id=1221342
* https://bugzilla.suse.com/show_bug.cgi?id=1236149
* https://bugzilla.suse.com/show_bug.cgi?id=1239759
* https://bugzilla.suse.com/show_bug.cgi?id=1248250
* https://bugzilla.suse.com/show_bug.cgi?id=1249828
* https://bugzilla.suse.com/show_bug.cgi?id=1249830
* https://bugzilla.suse.com/show_bug.cgi?id=1257324
* https://bugzilla.suse.com/show_bug.cgi?id=1257325

