openSUSE: 2021:0598-1 important: shim | LinuxSecurity.com

   openSUSE Security Update: Security update for shim
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2021:0598-1
Rating:             important
References:         #1173411 #1174512 #1175509 #1177315 #1177404 
                    #1177789 #1182057 #1184454 
Cross-References:   CVE-2019-14584
CVSS scores:
                    CVE-2019-14584 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:
                    openSUSE Leap 15.2
______________________________________________________________________________

   An update that solves one vulnerability and has 7 fixes is
   now available.

Description:

   This update for shim fixes the following issues:

   - Updated openSUSE x86 signature

   - Avoid the error message during linux system boot (boo#1184454)
   - Prevent the build id being added to the binary. That can cause issues
     with the signature

   Update to 15.4 (boo#1182057)

   + Rename the SBAT variable and fix the self-check of SBAT
   + sbat: add more dprint()
   + arm/aa64: Swizzle some sections to make old sbsign happier
   + arm/aa64 targets: put .rel* and .dyn* in .rodata

   - Change the SBAT variable name and enhance the handling of SBAT
     (boo#1182057)

   Update to 15.3 for SBAT support (boo#1182057)

   + Drop gnu-efi from BuildRequires since upstream pull it into the
   - Generate vender-specific SBAT metadata
     + Add dos2unix to BuildRequires since Makefile requires it for vendor
       SBAT
   - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign
     keys:
     + SLES-UEFI-SIGN-Certificate-2020-07.crt
     + openSUSE-UEFI-SIGN-Certificate-2020-07.crt
   - Check CodeSign in the signer's EKU (boo#1177315)
   - Fixed NULL pointer dereference in AuthenticodeVerify() (boo#1177789,
     CVE-2019-14584)

   - All newly released openSUSE kernels enable kernel lockdown and signature
     verification, so there is no need to add the prompt anymore.
   - shim-install: Support changing default shim efi binary in
     /usr/etc/default/shim and /etc/default/shim (boo#1177315)


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.2:

      zypper in -t patch openSUSE-2021-598=1



Package List:

   - openSUSE Leap 15.2 (x86_64):

      shim-15.4-lp152.4.8.1
      shim-debuginfo-15.4-lp152.4.8.1
      shim-debugsource-15.4-lp152.4.8.1


References:

   https://www.suse.com/security/cve/CVE-2019-14584.html
   https://bugzilla.suse.com/1173411
   https://bugzilla.suse.com/1174512
   https://bugzilla.suse.com/1175509
   https://bugzilla.suse.com/1177315
   https://bugzilla.suse.com/1177404
   https://bugzilla.suse.com/1177789
   https://bugzilla.suse.com/1182057
   https://bugzilla.suse.com/1184454

openSUSE: 2021:0598-1 important: shim

April 23, 2021
An update that solves one vulnerability and has 7 fixes is now available

Description

This update for shim fixes the following issues: - Updated openSUSE x86 signature - Avoid the error message during linux system boot (boo#1184454) - Prevent the build id being added to the binary. That can cause issues with the signature Update to 15.4 (boo#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel* and .dyn* in .rodata - Change the SBAT variable name and enhance the handling of SBAT (boo#1182057) Update to 15.3 for SBAT support (boo#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the - Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt - Check CodeSign in the signer's EKU (boo#1177315) - Fixed NULL pointer dereference in AuthenticodeVerify() (boo#1177789, CVE-2019-14584) - All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore. - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (boo#1177315)

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2021-598=1


Package List

- openSUSE Leap 15.2 (x86_64): shim-15.4-lp152.4.8.1 shim-debuginfo-15.4-lp152.4.8.1 shim-debugsource-15.4-lp152.4.8.1


References

https://www.suse.com/security/cve/CVE-2019-14584.html https://bugzilla.suse.com/1173411 https://bugzilla.suse.com/1174512 https://bugzilla.suse.com/1175509 https://bugzilla.suse.com/1177315 https://bugzilla.suse.com/1177404 https://bugzilla.suse.com/1177789 https://bugzilla.suse.com/1182057 https://bugzilla.suse.com/1184454


Severity
Announcement ID: openSUSE-SU-2021:0598-1
Rating: important
Affected Products: openSUSE Leap 15.2 ble. Affected Products: openSUSE Leap 15.2 ble.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.