
Security: Buffer overflow in shim
Name: Buffer overflow in shim
ID: SUSE-SU-2023:1702-1
Distribution: SUSE
Platforms: SUSE Linux Enterprise Micro 5.1, SUSE Manager Server 4.2, SUSE Manager Proxy 4.2, SUSE Manager Retail Branch Server 4.2, openSUSE Leap 15.4, SUSE Linux Enterprise Micro 5.2, SUSE Manager Proxy 4.3, SUSE Enterprise Storage 7.1, SUSE Manager Server 4.3, SUSE Manager Retail Branch Server 4.3, SUSE Linux Enterprise Micro 5.3, openSUSE Leap Micro 5.3, SUSE Linux Enterprise Real Time 15 SP4, SUSE Linux Enterprise High Performance Computing 15 SP3, SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3, SUSE Linux Enterprise High Performance Computing 15 SP4, SUSE Linux Enterprise Server 15 SP4, SUSE Linux Enterprise Server 15 SP3, SUSE Linux Enterprise Desktop 15 SP4, SUSE Linux Enterprise Server for SAP Applications 15 SP4, SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3, SUSE Linux Enterprise Server for SAP Applications 15 SP3, Basesystem Module 15-SP4, SUSE Linux Enterprise Real Time 15 SP3, SUSE Linux Enterprise High Performance Computing LTSS 15 SP3, SUSE Linux Enterprise Micro for Rancher 5.3, SUSE Linux Enterprise Micro for Rancher 5.2, SUSE Linux Enterprise Micro 5.4, SUSE Linux Enterprise Micro for Rancher 5.4
Date: Thu, 30 March 2023, 23:12
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28737
Applications: shim

Original message


# Security update for shim

Announcement ID: SUSE-SU-2023:1702-1
Rating: important
References:

* #1185232
* #1185261
* #1185441
* #1185621
* #1187071
* #1187260
* #1193282
* #1198458
* #1201066
* #1202120
* #1205588


Cross-References:

* CVE-2022-28737


CVSS scores:

* CVE-2022-28737 ( SUSE ): 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


Affected Products:

* Basesystem Module 15-SP4
* openSUSE Leap 15.4
* openSUSE Leap Micro 5.3
* SUSE Enterprise Storage 7.1
* SUSE Linux Enterprise Desktop 15 SP4
* SUSE Linux Enterprise High Performance Computing 15 SP3
* SUSE Linux Enterprise High Performance Computing 15 SP4
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
* SUSE Linux Enterprise Micro 5.1
* SUSE Linux Enterprise Micro 5.2
* SUSE Linux Enterprise Micro 5.3
* SUSE Linux Enterprise Micro 5.4
* SUSE Linux Enterprise Micro for Rancher 5.2
* SUSE Linux Enterprise Micro for Rancher 5.3
* SUSE Linux Enterprise Micro for Rancher 5.4
* SUSE Linux Enterprise Real Time 15 SP3
* SUSE Linux Enterprise Real Time 15 SP4
* SUSE Linux Enterprise Server 15 SP3
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
* SUSE Linux Enterprise Server 15 SP4
* SUSE Linux Enterprise Server for SAP Applications 15 SP3
* SUSE Linux Enterprise Server for SAP Applications 15 SP4
* SUSE Manager Proxy 4.2
* SUSE Manager Proxy 4.3
* SUSE Manager Retail Branch Server 4.2
* SUSE Manager Retail Branch Server 4.3
* SUSE Manager Server 4.2
* SUSE Manager Server 4.3



An update that solves one vulnerability, contains two features and has 10 fixes
can now be installed.

## Description:

This update for shim fixes the following issues:

* Updated the shim signature after shim 15.7 was signed back: signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)

* Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to disable
the NX compatibility flag when using post-process-pe because grub2 is not
ready. (bsc#1205588)

* Enable the NX compatibility flag by default. (jsc#PED-127)

Update to 15.7 (bsc#1198458) (jsc#PED-127):

* Make SBAT variable payload introspectable
* Reference MokListRT instead of MokList
* Add a link to the test plan in the readme.
* [V3] Enable TDX measurement to RTMR register
* Discard load-options that start with a NUL
* Fixed load_cert_file bugs
* Add -malign-double to IA32 compiler flags
* pe: Fix image section entry-point validation
* make-archive: Build reproducible tarball
* mok: remove MokListTrusted from PCR 7

Other fixes:

* Support enhanced shim measurement into the TD RTMR. (jsc#PED-1273)

* shim-install: ensure the generated grub.cfg is not overwritten after installing grub-related files

* Add logic to shim.spec to only set sbat policy when efivarfs is writeable.
(bsc#1201066)
* Add logic to shim.spec for detecting --set-sbat-policy option before using
mokutil to set sbat policy. (bsc#1202120)
* Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)

Update to 15.6 (bsc#1198458):

* MokManager: removed Locate graphic output protocol fail error message
* shim: implement SBAT verification for the shim_lock protocol
* post-process-pe: Fix a missing return code check
* Update github actions matrix to be more useful
* post-process-pe: Fix format string warnings on 32-bit platforms
* Allow MokListTrusted to be enabled by default
* Re-add ARM AArch64 support
* Use ASCII as fallback if Unicode Box Drawing characters fail
* make: don't treat cert.S specially
* shim: use SHIM_DEVEL_VERBOSE when built in devel mode
* Break out of the inner sbat loop if we find the entry.
* Support loading additional certificates
* Add support for NX (W^X) mitigations.
* Fix preserve_sbat_uefi_variable() logic
* SBAT Policy latest should be a one-shot
* pe: Fix a buffer overflow when SizeOfRawData > VirtualSize
* pe: Perform image verification earlier when loading grub
* Update advertised sbat generation number for shim
* Update SBAT generation requirements for 05/24/22
* Also avoid CVE-2022-28737 in verify_image() by @vathpela

Update to 15.5 (bsc#1198458):

* Broken ia32 relocs and an unimportant submodule change.
* mok: allocate MOK config table as BootServicesData
* Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260)
* Relax the check for import_mok_state() (bsc#1185261)
* SBAT.md: trivial changes
* shim: another attempt to fix load options handling
* Add tests for our load options parsing.
* arm/aa64: fix the size of .rela* sections
* mok: fix potential buffer overrun in import_mok_state
* mok: relax the maximum variable size check
* Don't unhook ExitBootServices when EBS protection is disabled
* fallback: find_boot_option() needs to return the index for the boot entry in optnum
* httpboot: Ignore case when checking HTTP headers
* Fallback allocation errors
* shim: avoid BOOTx64.EFI in message on other architectures
* str: remove duplicate parameter check
* fallback: add compile option FALLBACK_NONINTERACTIVE
* Test mok mirror
* Modify sbat.md to help with readability.
* csv: detect end of csv file correctly
* Specify that the .sbat section is ASCII not UTF-8
* tests: add "include-fixed" GCC directory to include directories
* pe: simplify generate_hash()
* Don't make shim abort when TPM log event fails (RHBZ #2002265)
* Fallback to default loader if parsed one does not exist
* fallback: Fix for BootOrder crash when index returned
* Better console checks
* docs: update SBAT UEFI variable name
* Don't parse load options if invoked from removable media path
* fallback: fix fallback not passing arguments of the first boot option
* shim: Don't stop forever at "Secure Boot not enabled" notification
* Allocate mokvar table in runtime memory.
* Remove post-process-pe on 'make clean'
* pe: missing perror argument

* CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize
(bsc#1198458)

* Add mokutil command to the post script for setting the sbat policy to latest mode when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 variable is not created. (bsc#1198458)

* Updated vendor dbx binary and script (bsc#1198458)

* Updated dbx-cert.tar.xz and vendor-dbx-sles.bin to add SLES-UEFI-SIGN-Certificate-2021-05.crt to the vendor dbx list.
* Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin to add openSUSE-UEFI-SIGN-Certificate-2021-05.crt to the vendor dbx list.
* Updated vendor-dbx.bin to add SLES-UEFI-SIGN-Certificate-2021-05.crt and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for the testing environment.
* Updated the generate-vendor-dbx.sh script to generate a vendor-dbx.bin file which includes all .der files for the testing environment.

* avoid buffer overflow when copying data to the MOK config table
(bsc#1185232)

* Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)
* ignore an odd LoadOptions length (bsc#1185232)
* shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist
* relax the maximum variable size check for u-boot (bsc#1185621)
* handle ignore_db and user_insecure_mode correctly (bsc#1185441,
bsc#1187071)

* Split the keys in vendor-dbx.bin into vendor-dbx-sles and vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce the size of MokListXRT (bsc#1185261)

* Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
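The 15.6 entries above ("pe: Fix a buffer overflow when SizeOfRawData > VirtualSize", "Also avoid CVE-2022-28737 in verify_image()") and the CVE-2022-28737 line name the triggering condition but not why it overflows. The C program below is an added illustration, not shim's code and not a claim about the exact upstream patch: it lays out a PE section header, puts the unsafe copy pattern next to a clamped, bounds-checked one, and scans a constructed two-section table for the condition. The struct layout is the 40-byte PE/COFF section header; the host is assumed to be little-endian like the PE fields so the struct can be copied byte for byte, and the sample section table and file contents are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not shim's code. Layout is the PE/COFF section
 * header (40 bytes); a little-endian host is assumed, as the PE fields are. */
#pragma pack(push, 1)
typedef struct {
    uint8_t  Name[8];
    uint32_t VirtualSize;          /* bytes the section occupies once loaded */
    uint32_t VirtualAddress;
    uint32_t SizeOfRawData;        /* bytes of section data present in the file */
    uint32_t PointerToRawData;     /* file offset of that data */
    uint32_t PointerToRelocations;
    uint32_t PointerToLinenumbers;
    uint16_t NumberOfRelocations;
    uint16_t NumberOfLinenumbers;
    uint32_t Characteristics;
} pe_section_header;
#pragma pack(pop)
_Static_assert(sizeof(pe_section_header) == 40, "PE section header is 40 bytes");

/* The unsafe pattern: dst was sized from VirtualSize, but the copy length is
 * taken from SizeOfRawData, so any image with SizeOfRawData > VirtualSize
 * writes past the end of dst. Shown for contrast only; never call it on
 * untrusted input. */
void load_section_unchecked(const pe_section_header *s, const uint8_t *file,
                            uint8_t *dst)
{
    memcpy(dst, file + s->PointerToRawData, s->SizeOfRawData);
}

/* Bytes a loader may copy into a dst buffer of VirtualSize bytes: the smaller
 * of the two sizes. Whatever remains of dst must be zero-filled. */
uint32_t section_copy_len(const pe_section_header *s)
{
    return s->SizeOfRawData < s->VirtualSize ? s->SizeOfRawData : s->VirtualSize;
}

/* Hardened copy: clamps the length and bounds-checks the source range against
 * the file size with a subtraction form that cannot wrap.
 * Returns 0 on success, -1 if the raw data would be read beyond the file. */
int load_section(const pe_section_header *s, const uint8_t *file,
                 size_t file_len, uint8_t *dst)
{
    uint32_t n = section_copy_len(s);
    if (s->PointerToRawData > file_len || n > file_len - s->PointerToRawData)
        return -1;
    memcpy(dst, file + s->PointerToRawData, n);
    memset(dst + n, 0, s->VirtualSize - n);
    return 0;
}

/* Scan a raw section table; return the index of the first section with
 * SizeOfRawData > VirtualSize, or -1. Such sections are legitimate (raw data
 * is padded to the file alignment), which is why a loader clamps instead of
 * rejecting them. */
int first_oversized_section(const uint8_t *table, size_t nsections)
{
    for (size_t i = 0; i < nsections; i++) {
        pe_section_header s;
        memcpy(&s, table + i * sizeof s, sizeof s);   /* avoids unaligned access */
        if (s.SizeOfRawData > s.VirtualSize)
            return (int)i;
    }
    return -1;
}

/* Constructed two-section table: .text is well-formed, .data carries 0x200
 * bytes of raw data for a 0x10-byte virtual size. Writes 80 bytes; returns 2. */
size_t build_sample_table(uint8_t *out)
{
    pe_section_header text, data;
    memset(&text, 0, sizeof text);
    memset(&data, 0, sizeof data);
    memcpy(text.Name, ".text", 5);
    text.VirtualSize = 0x100;
    text.VirtualAddress = 0x1000;
    text.SizeOfRawData = 0x100;
    text.PointerToRawData = 0x100;
    memcpy(data.Name, ".data", 5);
    data.VirtualSize = 0x10;
    data.VirtualAddress = 0x2000;
    data.SizeOfRawData = 0x200;
    data.PointerToRawData = 0x200;
    memcpy(out, &text, sizeof text);
    memcpy(out + sizeof text, &data, sizeof data);
    return 2;
}

int main(void)
{
    uint8_t table[2 * sizeof(pe_section_header)];
    uint8_t file[0x400];
    uint8_t dst[0x10];
    pe_section_header s;

    build_sample_table(table);
    memset(file, 0xAA, sizeof file);          /* constructed image contents */
    printf("first section with SizeOfRawData > VirtualSize: %d\n",
           first_oversized_section(table, 2));

    memcpy(&s, table + sizeof s, sizeof s);   /* the .data section */
    printf("unchecked copy would write %u bytes into a %u-byte buffer\n",
           (unsigned)s.SizeOfRawData, (unsigned)s.VirtualSize);
    printf("hardened load: rc=%d, copied %u bytes\n",
           load_section(&s, file, sizeof file, dst),
           (unsigned)section_copy_len(&s));
    return 0;
}
```

SizeOfRawData larger than VirtualSize is ordinary in well-formed images because raw data is padded to the file alignment, so a loader has to clamp the copy length rather than reject such sections; what it must never do is size the copy by SizeOfRawData while sizing the destination by VirtualSize.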

## Patch Instructions:

To install this SUSE Important update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

* openSUSE Leap Micro 5.3
zypper in -t patch openSUSE-Leap-Micro-5.3-2023-1702=1

* openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2023-1702=1

* SUSE Linux Enterprise Micro for Rancher 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-1702=1

* SUSE Linux Enterprise Micro 5.3
zypper in -t patch SUSE-SLE-Micro-5.3-2023-1702=1

* SUSE Linux Enterprise Micro for Rancher 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-1702=1

* SUSE Linux Enterprise Micro 5.4
zypper in -t patch SUSE-SLE-Micro-5.4-2023-1702=1

* Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2023-1702=1

* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-1702=1

* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-1702=1

* SUSE Linux Enterprise Real Time 15 SP3
zypper in -t patch SUSE-SLE-Product-RT-15-SP3-2023-1702=1

* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-1702=1

* SUSE Linux Enterprise Server for SAP Applications 15 SP3
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-1702=1

* SUSE Manager Proxy 4.2
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.2-2023-1702=1

* SUSE Manager Retail Branch Server 4.2
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.2-2023-1702=1

* SUSE Manager Server 4.2
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-1702=1

* SUSE Enterprise Storage 7.1
zypper in -t patch SUSE-Storage-7.1-2023-1702=1

* SUSE Linux Enterprise Micro 5.1
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2023-1702=1

* SUSE Linux Enterprise Micro 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-1702=1

* SUSE Linux Enterprise Micro for Rancher 5.2
zypper in -t patch SUSE-SUSE-MicroOS-5.2-2023-1702=1

## Package List:

* openSUSE Leap Micro 5.3 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* openSUSE Leap 15.4 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Micro for Rancher 5.3 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Micro 5.3 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Micro for Rancher 5.4 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Micro 5.4 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* Basesystem Module 15-SP4 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Real Time 15 SP3 (x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP3 (x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Manager Proxy 4.2 (x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Manager Retail Branch Server 4.2 (x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Manager Server 4.2 (x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Enterprise Storage 7.1 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Micro 5.1 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Micro 5.2 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1
* SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 x86_64)
* shim-debugsource-15.7-150300.4.11.1
* shim-debuginfo-15.7-150300.4.11.1
* shim-15.7-150300.4.11.1

## References:

* https://www.suse.com/security/cve/CVE-2022-28737.html
* https://bugzilla.suse.com/show_bug.cgi?id=1185232
* https://bugzilla.suse.com/show_bug.cgi?id=1185261
* https://bugzilla.suse.com/show_bug.cgi?id=1185441
* https://bugzilla.suse.com/show_bug.cgi?id=1185621
* https://bugzilla.suse.com/show_bug.cgi?id=1187071
* https://bugzilla.suse.com/show_bug.cgi?id=1187260
* https://bugzilla.suse.com/show_bug.cgi?id=1193282
* https://bugzilla.suse.com/show_bug.cgi?id=1198458
* https://bugzilla.suse.com/show_bug.cgi?id=1201066
* https://bugzilla.suse.com/show_bug.cgi?id=1202120
* https://bugzilla.suse.com/show_bug.cgi?id=1205588
* https://jira.suse.com/browse/PED-127
* https://jira.suse.com/browse/PED-1273

