SUSE Security Update: Security update for grub2
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:2073-1
Rating: important
References: #1071559 #1159205 #1179981 #1189769 #1189874
#1191184 #1191185 #1191186 #1191504 #1191974
#1192522 #1192622 #1193282 #1193532 #1195204
#1197948 #1198460 #1198493 #1198495 #1198496
#1198581
Cross-References: CVE-2021-3695 CVE-2021-3696 CVE-2021-3697
CVE-2022-28733 CVE-2022-28734 CVE-2022-28735
CVE-2022-28736
CVSS scores:
CVE-2021-3695 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-3696 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
CVE-2021-3697 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-28733 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28735 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-28736 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Linux Enterprise Micro 5.1
______________________________________________________________________________
An update that solves 7 vulnerabilities and has 14 fixes is
now available.
Description:
This update for grub2 fixes the following issues:
Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)
- CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to
out-of-bounds write in heap (bsc#1191184)
- CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound
write during huffman table handling (bsc#1191185)
- CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer
underflow write in the heap (bsc#1191186)
- CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
- CVE-2022-28734: Fixed an out-of-bound write for split http headers
(bsc#1198493)
- CVE-2022-28735: Fixed some verifier framework changes (bsc#1198495)
- CVE-2022-28736: Fixed a use-after-free in chainloader command
(bsc#1198496)
- Update SBAT security contact (bsc#1193282)
- Bump grub's SBAT generation to 2
Other bugs fixed:
- Use boot disks in OpenFirmware, fixing regression caused when the root
LV is completely in the boot LUN (bsc#1197948)
- Fix grub-install error when efi system partition is created as mdadm
software raid1 device (bsc#1179981) (bsc#1195204)
- Fix error in grub-install when linux root device is on lvm thin volume
(bsc#1192622) (bsc#1191974)
- Fix wrong default entry when booting snapshot (bsc#1159205)
- Add support for simplefb (boo#1193532).
- Fix error lvmid disk cannot be found after second disk added to the root
volume group (bsc#1189874) (bsc#1071559)
- Fix error /boot/grub2/locale/POSIX.gmo not found (bsc#1189769)
- Fix unknown TPM error on buggy uefi firmware (bsc#1191504)
- Fix arm64 kernel image not aligned on 64k boundary (bsc#1192522)
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Micro 5.1:
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-2073=1
Package List:
- SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):
grub2-2.04-150300.3.5.1
grub2-debuginfo-2.04-150300.3.5.1
grub2-debugsource-2.04-150300.3.5.1
- SUSE Linux Enterprise Micro 5.1 (noarch):
grub2-arm64-efi-2.04-150300.3.5.1
grub2-i386-pc-2.04-150300.3.5.1
grub2-snapper-plugin-2.04-150300.3.5.1
grub2-x86_64-efi-2.04-150300.3.5.1
grub2-x86_64-xen-2.04-150300.3.5.1
- SUSE Linux Enterprise Micro 5.1 (s390x):
grub2-s390x-emu-2.04-150300.3.5.1
References:
https://www.suse.com/security/cve/CVE-2021-3695.html
https://www.suse.com/security/cve/CVE-2021-3696.html
https://www.suse.com/security/cve/CVE-2021-3697.html
https://www.suse.com/security/cve/CVE-2022-28733.html
https://www.suse.com/security/cve/CVE-2022-28734.html
https://www.suse.com/security/cve/CVE-2022-28735.html
https://www.suse.com/security/cve/CVE-2022-28736.html
https://bugzilla.suse.com/1071559
https://bugzilla.suse.com/1159205
https://bugzilla.suse.com/1179981
https://bugzilla.suse.com/1189769
https://bugzilla.suse.com/1189874
https://bugzilla.suse.com/1191184
https://bugzilla.suse.com/1191185
https://bugzilla.suse.com/1191186
https://bugzilla.suse.com/1191504
https://bugzilla.suse.com/1191974
https://bugzilla.suse.com/1192522
https://bugzilla.suse.com/1192622
https://bugzilla.suse.com/1193282
https://bugzilla.suse.com/1193532
https://bugzilla.suse.com/1195204
https://bugzilla.suse.com/1197948
https://bugzilla.suse.com/1198460
https://bugzilla.suse.com/1198493
https://bugzilla.suse.com/1198495
https://bugzilla.suse.com/1198496
https://bugzilla.suse.com/1198581
SUSE: 2022:2073-1 important: grub2
June 14, 2022
An update that solves 7 vulnerabilities and has 14 fixes is now available
Summary
This update for grub2 fixes the following issues: Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581) - CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184) - CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185) - CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186) - CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460) - CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493) - CVE-2022-28735: Fixed some verifier framework changes (bsc#1198495) - CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496) - Update SBAT security contact (bsc#1193282) - Bump grub's SBAT generation to 2 Other bugs fixed: - Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948) - Fix grub-install error when efi system partition is created as mdadm software raid1 device (bsc#1179981) (bsc#1195204) - Fix error in grub-install when linux root device is on lvm thin volume (bsc#1192622) (bsc#1191974) - Fix wrong default entry when booting snapshot (bsc#1159205) - Add support for simplefb (boo#1193532). - Fix error lvmid disk cannot be found after second disk added to the root volume group (bsc#1189874) (bsc#1071559) - Fix error /boot/grub2/locale/POSIX.gmo not found (bsc#1189769) - Fix unknown TPM error on buggy uefi firmware (bsc#1191504) - Fix arm64 kernel image not aligned on 64k boundary (bsc#1192522) Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Micro 5.1: zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-2073=1 Package List: - SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64): grub2-2.04-150300.3.5.1 grub2-debuginfo-2.04-150300.3.5.1 grub2-debugsource-2.04-150300.3.5.1 - SUSE Linux Enterprise Micro 5.1 (noarch): grub2-arm64-efi-2.04-150300.3.5.1 grub2-i386-pc-2.04-150300.3.5.1 grub2-snapper-plugin-2.04-150300.3.5.1 grub2-x86_64-efi-2.04-150300.3.5.1 grub2-x86_64-xen-2.04-150300.3.5.1 - SUSE Linux Enterprise Micro 5.1 (s390x): grub2-s390x-emu-2.04-150300.3.5.1
References
#1071559 #1159205 #1179981 #1189769 #1189874
#1191184 #1191185 #1191186 #1191504 #1191974
#1192522 #1192622 #1193282 #1193532 #1195204
#1197948 #1198460 #1198493 #1198495 #1198496
#1198581
Cross- CVE-2021-3695 CVE-2021-3696 CVE-2021-3697
CVE-2022-28733 CVE-2022-28734 CVE-2022-28735
CVE-2022-28736
CVSS scores:
CVE-2021-3695 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2021-3696 (SUSE): 5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L
CVE-2021-3697 (SUSE): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE-2022-28733 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2022-28735 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2022-28736 (SUSE): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:
SUSE Linux Enterprise Micro 5.1
https://www.suse.com/security/cve/CVE-2021-3695.html
https://www.suse.com/security/cve/CVE-2021-3696.html
https://www.suse.com/security/cve/CVE-2021-3697.html
https://www.suse.com/security/cve/CVE-2022-28733.html
https://www.suse.com/security/cve/CVE-2022-28734.html
https://www.suse.com/security/cve/CVE-2022-28735.html
https://www.suse.com/security/cve/CVE-2022-28736.html
https://bugzilla.suse.com/1071559
https://bugzilla.suse.com/1159205
https://bugzilla.suse.com/1179981
https://bugzilla.suse.com/1189769
https://bugzilla.suse.com/1189874
https://bugzilla.suse.com/1191184
https://bugzilla.suse.com/1191185
https://bugzilla.suse.com/1191186
https://bugzilla.suse.com/1191504
https://bugzilla.suse.com/1191974
https://bugzilla.suse.com/1192522
https://bugzilla.suse.com/1192622
https://bugzilla.suse.com/1193282
https://bugzilla.suse.com/1193532
https://bugzilla.suse.com/1195204
https://bugzilla.suse.com/1197948
https://bugzilla.suse.com/1198460
https://bugzilla.suse.com/1198493
https://bugzilla.suse.com/1198495
https://bugzilla.suse.com/1198496
https://bugzilla.suse.com/1198581
Severity
Announcement ID: SUSE-SU-2022:2073-1
Rating: important
News
HOWTOs
Features
How To Hide Your IP And Keep From Being Tracked
Which Browser is Best for Online Security?
Complete Guide to Using Wapiti Web Vulnerability Scanner to Keep Your Web Applications & Websites Secure
Guide to Web Application Penetration Testing
Thank You for Participating in Our Security Dashboard Redesign Survey
About Us
Powered By
