Security update for cockpit-machines, cockpit

Announcement ID: SUSE-SU-2026:20576-1
Release Date: 2026-02-17T14:20:44Z
Rating: important
CVSS scores:
  • CVE-2025-13465 ( SUSE ): 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
  • CVE-2025-13465 ( SUSE ): 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
  • CVE-2025-13465 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • CVE-2025-13465 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
  • SUSE Linux Enterprise Server 16.0
  • SUSE Linux Enterprise Server for SAP Applications 16.0

An update that solves one vulnerability and has seven fixes can now be installed.

Description:

This update for cockpit-machines, cockpit fixes the following issues:

  • CVE-2025-13465: Update the lodash dependency to avoid prototype pollution. (bsc#1257324)

Changes in cockpit-machines:

  • Update to 346
  • 346
    • Performance improvements
    • Translation updates
  • 345
    • New virtual machines don't get SPICE graphics anymore
    • Support for network port forwarding
    • Bug fixes and translation updates
  • Update to 344
  • 344
    • Port forwarding for user session VMs
    • "Shutdown and restart" action
    • Faster startup
  • 343
    • Memory usage now shows numbers reported by the guest (RHEL-116731)
  • Update to 342
  • 342
    • Bug fixes and translation updates
  • 341
    • Improved UX for Disks and Network interface tables
    • Bug fixes and translation updates
  • 340
    • Use exclusive VNC connections with "Remote resizing"
  • Update to 339
  • 339
    • Serial consoles now keep their content and stay alive
    • No longer copies qemu.conf values into VM definitions
  • 338
    • Translation and dependency updates
    • Detachable VNC console
  • Update to 337
  • 337
    • Bug fixes and translation updates
  • 336
    • Graphical VNC and serial consoles improvements
    • Control VNC console resizing and scaling
    • Bug fixes and translation updates
  • 335
    • Bug fixes and translation updates
  • 334
    • Bug fixes and translation updates

Changes in cockpit:

  • Update to 354
  • Changes since 351
    • 354
      • Convert documentation to AsciiDoc
      • Work around Firefox 146/147 bug (rhbz#2422331)
      • Bug fixes
    • 353
      • Networking: Suggest prefix length and gateway address
      • Bug fixes and translation updates
    • 352
      • Show a warning if the last shutdown/reboot was unclean
      • Bug fixes and translation updates
  • Update to 351
  • Changes since 349
    • 351
      • Firewall ports can be deleted individually
    • 350
      • networking: fix renaming of bridges and other groups (RHEL-117883)
      • bridge: fix OpenSSH_10.2p1 host key detection
  • Update to 349
  • Changes since 346
    • 349
      • Package manifests: add any test
      • Bug fixes and translation updates
    • 348
      • Bug fixes and translation updates
    • 347
      • Site-specific branding support
  • Update to 346
  • Changes since 344
    • 346
      • Support branding Cockpit pages
      • Storage: Support for Stratis "V2" pools
    • 345
      • Translation and dependency updates
      • Shorter IPv6 addresses
      • IPv6 addresses for WireGuard
  • Update to 344
  • Changes since 340
    • 344
      • Bug fixes and translation updates
    • 343
      • login: Improve error message for unsupported shells
      • cockpit: Handle file access issues with files in machines.d
      • Translation updates
    • 342
      • systemd: ensure update() is called at least once for tuned-dialog
      • Translation updates
    • 341
      • services: show link to podman page for quadlets
      • Bug fixes and translation updates

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Enterprise Server 16.0
    zypper in -t patch SUSE-SLES-16.0-291=1
  • SUSE Linux Enterprise Server for SAP Applications 16.0
    zypper in -t patch SUSE-SLES-16.0-291=1
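
A post-patch check against the fixed versions in this advisory's package list, as an added example that is not part of the SUSE advisory. The function names `ver_ge` and `audit_cockpit` and the sample input are constructed here, and GNU `sort -V` is assumed to order these numeric version strings the same way rpm does.

```shell
#!/bin/sh
# Fixed versions, taken from the advisory's package list.
FIXED_COCKPIT="354-160000.1.1"
FIXED_MACHINES="346-160000.1.1"

# Constructed sample (not real host output): one package still on 351.
SAMPLE='cockpit 351-160000.1.1
cockpit-ws 354-160000.1.1
cockpit-machines 346-160000.1.1'

# ver_ge A B: succeed when version A is at or above version B.
# Assumption: `sort -V` approximates rpm ordering for these strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# audit_cockpit: read "name version-release" lines on stdin, print every
# cockpit package below its fixed version, and return 1 if any was found.
audit_cockpit() {
    rc=0
    while read -r name ver; do
        case "$name" in
            cockpit-machines)  want=$FIXED_MACHINES ;;  # versioned separately
            cockpit|cockpit-*) want=$FIXED_COCKPIT ;;
            *)                 continue ;;              # unrelated package
        esac
        if ! ver_ge "$ver" "$want"; then
            echo "OUTDATED $name $ver (fixed in $want)"
            rc=1
        fi
    done
    return $rc
}

# On a patched host, feed it the installed package set:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'cockpit*' | audit_cockpit
```

A non-zero exit status with `OUTDATED` lines means the patch has not been applied to every cockpit package on that host.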

Package List:

  • SUSE Linux Enterprise Server 16.0 (noarch)
    • cockpit-system-354-160000.1.1
    • cockpit-doc-354-160000.1.1
    • cockpit-kdump-354-160000.1.1
    • cockpit-machines-346-160000.1.1
    • cockpit-firewalld-354-160000.1.1
    • cockpit-packagekit-354-160000.1.1
    • cockpit-storaged-354-160000.1.1
    • cockpit-selinux-354-160000.1.1
    • cockpit-networkmanager-354-160000.1.1
    • cockpit-bridge-354-160000.1.1
  • SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
    • cockpit-ws-debuginfo-354-160000.1.1
    • cockpit-debugsource-354-160000.1.1
    • cockpit-ws-selinux-354-160000.1.1
    • cockpit-devel-354-160000.1.1
    • cockpit-ws-354-160000.1.1
    • cockpit-354-160000.1.1
  • SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
    • cockpit-system-354-160000.1.1
    • cockpit-doc-354-160000.1.1
    • cockpit-kdump-354-160000.1.1
    • cockpit-machines-346-160000.1.1
    • cockpit-firewalld-354-160000.1.1
    • cockpit-packagekit-354-160000.1.1
    • cockpit-storaged-354-160000.1.1
    • cockpit-selinux-354-160000.1.1
    • cockpit-networkmanager-354-160000.1.1
    • cockpit-bridge-354-160000.1.1
  • SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
    • cockpit-ws-debuginfo-354-160000.1.1
    • cockpit-debugsource-354-160000.1.1
    • cockpit-ws-selinux-354-160000.1.1
    • cockpit-devel-354-160000.1.1
    • cockpit-ws-354-160000.1.1
    • cockpit-354-160000.1.1
