SUSE-SU-2024:1368-1

Source
https://www.suse.com/support/update/announcement/2024/suse-su-20241368-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1368-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2024:1368-1
Related
Published
2024-04-22T09:06:33Z
Modified
2024-04-22T09:06:33Z
Summary
Security update for shim
Details

This update for shim fixes the following issues:

  • Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
  • Limit the requirement of fde-tpm-helper-macros to the distro with suse_version 1600 and above (bsc#1219460)

Update to version 15.8:

Security issues fixed:

  • mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
  • avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
  • Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
  • Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
  • pe: Fix an out-of-bound read in verifybuffersbat() (bsc#1215102,CVE-2023-40550)
  • pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)

The NX flag is disable which is same as the default value of shim-15.8, hence, not need to enable it by this patch now.

  • Generate dbx during build so we don't include binary files in sources
  • Don't require grub so shim can still be used with systemd-boot
  • Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855)
  • Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade

  • Update shim-install to amend full disk encryption support

    • Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
    • Use the long name to specify the grub2 key protector
    • cryptodisk: support TPM authorized policies
    • Do not use tpmrecordpcrs unless the command is in command.lst
  • Removed POSTPROCESSPE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It's useful for further development and testing. (bsc#1205588)

References

Affected packages

SUSE:Linux Enterprise Micro 5.3 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.4 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.5 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Module for Basesystem 15 SP5 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP3-LTSS / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP3-LTSS / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP4-LTSS / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP3 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP4 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Manager Proxy 4.3 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Manager%20Proxy%204.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Manager Server 4.3 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Manager%20Server%204.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.1 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.2 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

SUSE:Enterprise Storage 7.1 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=SUSE%20Enterprise%20Storage%207.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

openSUSE:Leap Micro 5.3 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=openSUSE%20Leap%20Micro%205.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

openSUSE:Leap Micro 5.4 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=openSUSE%20Leap%20Micro%205.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}

openSUSE:Leap 15.5 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.8-150300.4.20.2

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.8-150300.4.20.2"
        }
    ]
}