SUSE-SU-2024:1461-1
See a problem?- Import Source
- https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2024:1461-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/SUSE-SU-2024:1461-1
- Related
- Published
- 2024-04-29T11:19:11Z
- Modified
- 2024-04-29T11:19:11Z
- Summary
- Security update for shim
- Details
-
This update for shim fixes the following issues:
- Update shim-install to set the TPM2 SRK algorithm (bsc#1213945)
- Limit the requirement of fde-tpm-helper-macros to the distro with suse_version 1600 and above (bsc#1219460)
Update to version 15.8:
Security issues fixed:
- mok: fix LogError() invocation (bsc#1215099,CVE-2023-40546)
- avoid incorrectly trusting HTTP headers (bsc#1215098,CVE-2023-40547)
- Fix integer overflow on SBAT section size on 32-bit system (bsc#1215100,CVE-2023-40548)
- Authenticode: verify that the signature header is in bounds (bsc#1215101,CVE-2023-40549)
- pe: Fix an out-of-bound read in verifybuffersbat() (bsc#1215102,CVE-2023-40550)
- pe-relocate: Fix bounds check for MZ binaries (bsc#1215103,CVE-2023-40551)
The NX flag is disable which is same as the default value of shim-15.8, hence, not need to enable it by this patch now.
- Generate dbx during build so we don't include binary files in sources
- Don't require grub so shim can still be used with systemd-boot
- Update shim-install to fix boot failure of ext4 root file system on RAID10 (bsc#1205855)
Adopt the macros from fde-tpm-helper-macros to update the signature in the sealed key after a bootloader upgrade
Update shim-install to amend full disk encryption support
- Adopt TPM 2.0 Key File for grub2 TPM 2.0 protector
- Use the long name to specify the grub2 key protector
- cryptodisk: support TPM authorized policies
- Do not use tpmrecordpcrs unless the command is in command.lst
Removed POSTPROCESSPE_FLAGS=-N from the build command in shim.spec to enable the NX compatibility flag when using post-process-pe after discussed with grub2 experts in mail. It's useful for further development and testing. (bsc#1205588)
- References
-
- https://www.suse.com/support/update/announcement/2024/suse-su-20241461-1/
- https://bugzilla.suse.com/1198101
- https://bugzilla.suse.com/1205588
- https://bugzilla.suse.com/1205855
- https://bugzilla.suse.com/1210382
- https://bugzilla.suse.com/1213945
- https://bugzilla.suse.com/1215098
- https://bugzilla.suse.com/1215099
- https://bugzilla.suse.com/1215100
- https://bugzilla.suse.com/1215101
- https://bugzilla.suse.com/1215102
- https://bugzilla.suse.com/1215103
- https://bugzilla.suse.com/1219460
- https://www.suse.com/security/cve/CVE-2022-28737
- https://www.suse.com/security/cve/CVE-2023-40546
- https://www.suse.com/security/cve/CVE-2023-40547
- https://www.suse.com/security/cve/CVE-2023-40548
- https://www.suse.com/security/cve/CVE-2023-40549
- https://www.suse.com/security/cve/CVE-2023-40550
- https://www.suse.com/security/cve/CVE-2023-40551
Affected packages
SUSE:Linux Enterprise High Performance Computing 15 SP2-LTSS / shim
Package
- Name
- shim
- Purl
- purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS
SUSE:Linux Enterprise Server 15 SP2-LTSS / shim
Package
- Name
- shim
- Purl
- purl:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS