openSUSE Leap 16.0 security update SLE-WU-2026-38129-5 fixes two prototype pollution vulnerabilities in JavaScript dependencies bundled with the Cockpit cockpit-repos extension: CVE-2025-13465 (Lodash _.unset/_.omit) and CVE-2025-64718 (js-yaml merge key). The update moves cockpit-repos to 4.7-160000.1.1 and also carries dependency and translation updates. Apply it with zypper.
A web console that manages servers is an attractive target, so a vulnerability in one of its bundled JavaScript libraries deserves prompt attention. For administrators and DevOps engineers running openSUSE Leap 16.0, the recently released patch SLE-WU-2026-38129-5 is such a case: it fixes two prototype pollution vulnerabilities in dependencies of the Cockpit cockpit-repos extension.
This update, which advances cockpit-repos to version 4.7, picks up the fixed upstream libraries. The prototype pollution flaws can crash the web console (denial of service) and, if an attacker can chain them with a suitable gadget in the application, alter its behaviour; the advisory itself documents the crash, not a code-execution chain.
Leaving the patch unapplied keeps that exposure open. This analysis breaks down the technical impact of the two CVEs, the contents of the patch, and the exact commands required to bring an instance to the fixed version and verify it.
Executive Summary: The SLE-WU-2026-38129-5 Patch
This official openSUSE security patch addresses two distinct Common Vulnerabilities and Exposures (CVEs) alongside dependency and translation updates to the Cockpit web console's cockpit-repos extension.
The update moves the cockpit-repos package from version 4.4 to 4.7, incorporating the upstream dependency changes that carry the security fixes.
Distribution: openSUSE Leap 16.0
Package: cockpit-repos
Patched Version: 4.7-160000.1.1
Severity (as rated here): Critical. Documented impact: denial of service through deleted prototype methods; code execution only if chained with an application-specific gadget.
Deep Dive: The Vulnerabilities Patched
The core of this update lies in resolving two significant security flaws originating from third-party JavaScript libraries used by Cockpit. Understanding these vulnerabilities is the first step in appreciating the urgency of this patch.
CVE-2025-13465: Prototype Pollution in Lodash _.unset and _.omit
This vulnerability resides in the _.unset and _.omit functions of the Lodash utility library (the _. prefix is Lodash's namespace), which cockpit-repos pulls in as a dependency. Prototype pollution is the class of bug in which an attacker-controlled property path or key such as __proto__ or constructor.prototype is followed by the application, so that a write or delete intended for an ordinary object lands on Object.prototype, which every plain object inherits from.
Technical Impact:
By polluting the prototype, an attacker influences every object in the application. In the context of cockpit-repos this could lead to:
Deletion of global methods: as noted in the official changelog (bsc#1257325), an unset path that walks through __proto__ reaches Object.prototype, and its final segment is deleted from there. Once a method such as toString is gone, ordinary operations throw uncaught exceptions and the console crashes (denial of service).
Loss of inherited behaviour: the primitive in this CVE is deletion rather than injection, so the second effect is that code relying on inherited methods (hasOwnProperty, toString, valueOf) misbehaves, which can make checks built on those methods fail in unexpected ways.
CVE-2025-64718: js-yaml Merge Key Prototype Pollution
YAML is widely used for configuration in Linux environments. This CVE is a prototype pollution vulnerability in the js-yaml library, specifically in how it handles the merge key (<<) when copying the merged mapping into the result object (bsc#1255425). A crafted document can place a key such as __proto__ in the merge source so that it is assigned to the result rather than stored as an ordinary key.
Technical Impact:
If cockpit-repos parses attacker-influenced YAML with the vulnerable js-yaml, the parser can be tricked into giving the parsed object attacker-controlled inherited properties. This can lead to:
Remote code execution (RCE): only in specific contexts, where the polluted properties can be chained with a gadget in the application that turns them into command execution on the host; the advisory does not identify such a chain.
Configuration hijacking: properties that do not appear among the object's own keys are nevertheless read by the application, so configuration loaded from the document can take on values the attacker chose, leading to unpredictable system behaviour.
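The two primitives described above, as an added example that is not code from Cockpit, Lodash or js-yaml: a naive path-based unset (the CVE-2025-13465 class) and a naive merge in the spirit of a YAML merge key (the CVE-2025-64718 class), each beside a guarded version. The function names, the guard set and the sample documents are this example's own; the merge analogue models the effect on the parsed object rather than reproducing js-yaml's parser.

```javascript
// Added example, not code from Cockpit, Lodash or js-yaml: minimal analogues
// of the two prototype pollution primitives the advisory describes, each next
// to a guarded version. Names (unsafeUnset, safeUnset, unsafeMerge, safeMerge)
// and the sample documents are this example's own.

// Captured before any demo runs, so the guard keeps working even while a
// demo has Object.prototype.toString deleted.
const hasOwn = Object.prototype.hasOwnProperty;
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// --- Deletion primitive (the _.unset / _.omit class of bug) -------------------

// Naive path-based unset: follows every segment, so '__proto__' walks up to
// Object.prototype and the final delete removes a method from every object.
function unsafeUnset(obj, path) {
  const parts = path.split('.');
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (cur === null || cur === undefined) return false;
    cur = cur[p];
  }
  if (cur === null || cur === undefined) return false;
  return delete cur[parts[parts.length - 1]];
}

// Guarded unset: rejects forbidden segments and only descends through own,
// plain-object properties of the object it was given.
function safeUnset(obj, path) {
  const parts = path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) return false;
  let cur = obj;
  for (const p of parts.slice(0, -1)) {
    if (!hasOwn.call(cur, p) || typeof cur[p] !== 'object' || cur[p] === null) return false;
    cur = cur[p];
  }
  return delete cur[parts[parts.length - 1]];
}

// Runs an unset through the given implementation and reports whether the
// delete succeeded and whether unrelated code then crashes (String({}) throws
// a TypeError once Object.prototype.toString is gone). Always restores.
function demoDeletion(unset) {
  const saved = Object.prototype.toString;
  const deleted = unset({ a: 1 }, '__proto__.toString');
  let crashed = false;
  try { String({}); } catch (e) { crashed = e instanceof TypeError; }
  Object.defineProperty(Object.prototype, 'toString',
    { value: saved, writable: true, configurable: true, enumerable: false });
  return { deleted, crashed };
}

// --- Injection primitive (the js-yaml merge-key class of bug) -----------------

// Naive merge in the spirit of a YAML `<<` merge key: plain assignment, so a
// source key named '__proto__' replaces the prototype of the result object.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) target[key] = source[key];
  return target;
}

// Guarded merge: defineProperty creates an own data property even for the key
// '__proto__', so attacker keys never reach the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    Object.defineProperty(target, key,
      { value: source[key], writable: true, enumerable: true, configurable: true });
  }
  return target;
}

// Constructed input: the object a parser would produce for a merge source like
//   <<: {"__proto__": {"isAdmin": true}}
// JSON.parse is used because a JS object literal would not create an own key
// named '__proto__'.
function demoMerge(merge) {
  const mergeSource = JSON.parse('{"__proto__": {"isAdmin": true}}');
  const config = merge({ user: 'guest' }, mergeSource);
  return { isAdmin: config.isAdmin === true, ownKeys: Object.keys(config) };
}

console.log('unsafeUnset:', demoDeletion(unsafeUnset)); // { deleted: true, crashed: true }
console.log('safeUnset:  ', demoDeletion(safeUnset));   // { deleted: false, crashed: false }
console.log('unsafeMerge:', demoMerge(unsafeMerge));    // isAdmin: true, ownKeys: [ 'user' ]
console.log('safeMerge:  ', demoMerge(safeMerge));      // isAdmin: false, ownKeys: [ 'user', '__proto__' ]
```

The unsafe merge result shows why this class is called configuration hijacking: config.isAdmin reads true although Object.keys(config) never lists it, so a review of the parsed document's own keys would not reveal the injected value. The guarded merge turns the same key into a harmless own property instead.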
Patch Instructions: How to Secure Your openSUSE Leap 16.0 Instance
For production environments, minimizing downtime while ensuring security is paramount. SUSE and openSUSE recommend using the standard update tooling. Here are the precise commands to remediate these vulnerabilities:
Method 1: Using Zypper (Recommended for CLI)
SSH into the server and, as root (or with sudo), run the following command to install only this advisory's patch:
zypper in -t patch openSUSE-Leap-16.0-296=1
This tells Zypper to install patch openSUSE-Leap-16.0-296 (the =1 suffix pins the patch version), which pulls in the fixed cockpit-repos package together with its bug-fix changes. If a full update window is available, zypper patch installs this patch along with every other pending one.
Method 2: Using YaST (Graphical Interface)
For administrators who prefer a graphical interface:
Open YaST.
Navigate to Software > Online Update.
Accept the patch openSUSE-Leap-16.0-296, or simply apply all available security updates.
Verification
After the update, verify the installation by checking the package version:
rpm -q cockpit-repos
The output should read cockpit-repos-4.7-160000.1.1 followed by the package's architecture suffix; any version below 4.7-160000.1.1 means the patch has not been applied.
Bug Fixes and Enhancements in Cockpit 4.7
Beyond the security fixes, the incremental updates from version 4.4 to 4.7 carry maintenance changes:
Version 4.5: dependency updates, bringing the bundled libraries up to date.
Version 4.6: fixed generation of the translations POT file, so that new and changed strings reach the translation catalogues and non-English locales display correctly; further dependency updates.
Version 4.7: the latest translation updates and the remaining dependency refresh, which is the version shipped by this patch.