openSUSE-SU-2021:0598-1

Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2021:0598-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2021:0598-1
Related
Published
2021-04-23T10:44:47Z
Modified
2021-04-23T10:44:47Z
Summary
Security update for shim
Details

This update for shim fixes the following issues:

  • Updated openSUSE x86 signature

  • Avoid the error message during Linux system boot (boo#1184454)

  • Prevent the build ID from being added to the binary, which can cause issues with the signature

Update to 15.4 (boo#1182057)

  • Rename the SBAT variable and fix the self-check of SBAT
  • sbat: add more dprint()
  • arm/aa64: Swizzle some sections to make old sbsign happier
  • arm/aa64 targets: put .rel* and .dyn* in .rodata

  • Change the SBAT variable name and enhance the handling of SBAT (boo#1182057)

Update to 15.3 for SBAT support (boo#1182057)

  • Drop gnu-efi from BuildRequires since upstream pull it into the
  • Generate vendor-specific SBAT metadata
    • Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT
  • Update dbx-cert.tar.xz and vendor-dbx.bin to block the following signing keys:
    • SLES-UEFI-SIGN-Certificate-2020-07.crt
    • openSUSE-UEFI-SIGN-Certificate-2020-07.crt
  • Check CodeSign in the signer's EKU (boo#1177315)
  • Fixed NULL pointer dereference in AuthenticodeVerify() (boo#1177789, CVE-2019-14584)

  • All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore.

  • shim-install: Support changing the default shim EFI binary in /usr/etc/default/shim and /etc/default/shim (boo#1177315)
References

Affected packages

openSUSE:Leap 15.2 / shim

Package

Name
shim
Purl
purl:rpm/suse/shim&distro=openSUSE%20Leap%2015.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
15.4-lp152.4.8.1

Ecosystem specific

{
    "binaries": [
        {
            "shim": "15.4-lp152.4.8.1"
        }
    ]
}