Security update for ovmf SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0314-1 Final 1 1 2020-03-08T15:12:50Z current 2020-03-08T15:12:50Z 2020-03-08T15:12:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ovmf This update for ovmf fixes the following issues: Security issues fixed: - CVE-2019-14563: Fixed a memory corruption caused by insufficient numeric truncation (bsc#1163959). - CVE-2019-14553: Fixed the TLS certification verification in HTTPS-over-IPv6 boot sequences (bsc#1153072). - CVE-2019-14559: Fixed a remotely exploitable memory leak in the ARP handling code (bsc#1163927). - CVE-2019-14575: Fixed an insufficient signature check in the DxeImageVerificationHandler (bsc#1163969). - Enabled HTTPS-over-IPv6 (bsc#1153072). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-314 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VANMRLN7SHDVR27SB7Q5S4EAGOPND4LC/ E-Mail link for openSUSE-SU-2020:0314-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1153072 SUSE Bug 1153072 https://bugzilla.suse.com/1163927 SUSE Bug 1163927 https://bugzilla.suse.com/1163959 SUSE Bug 1163959 https://bugzilla.suse.com/1163969 SUSE Bug 1163969 https://www.suse.com/security/cve/CVE-2019-14553/ SUSE CVE CVE-2019-14553 page https://www.suse.com/security/cve/CVE-2019-14559/ SUSE CVE CVE-2019-14559 page https://www.suse.com/security/cve/CVE-2019-14563/ SUSE CVE CVE-2019-14563 page https://www.suse.com/security/cve/CVE-2019-14575/ SUSE CVE CVE-2019-14575 page openSUSE Leap 15.1 ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1 ovmf-tools-2017+git1510945757.b2662641d5-lp151.11.3.1 qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp151.11.3.1 qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp151.11.3.1 qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp151.11.3.1 ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1 as a component of openSUSE Leap 15.1 ovmf-tools-2017+git1510945757.b2662641d5-lp151.11.3.1 as a component of openSUSE Leap 15.1 qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp151.11.3.1 as a component of openSUSE Leap 15.1 qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp151.11.3.1 as a component of openSUSE Leap 15.1 qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp151.11.3.1 as a component of openSUSE Leap 15.1 Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access. CVE-2019-14553 openSUSE Leap 15.1:ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:ovmf-tools-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp151.11.3.1 important 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VANMRLN7SHDVR27SB7Q5S4EAGOPND4LC/ https://www.suse.com/security/cve/CVE-2019-14553.html CVE-2019-14553 https://bugzilla.suse.com/1153072 SUSE Bug 1153072 Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access. CVE-2019-14559 openSUSE Leap 15.1:ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:ovmf-tools-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp151.11.3.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VANMRLN7SHDVR27SB7Q5S4EAGOPND4LC/ https://www.suse.com/security/cve/CVE-2019-14559.html CVE-2019-14559 https://bugzilla.suse.com/1163927 SUSE Bug 1163927 Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2019-14563 openSUSE Leap 15.1:ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:ovmf-tools-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp151.11.3.1 moderate 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VANMRLN7SHDVR27SB7Q5S4EAGOPND4LC/ https://www.suse.com/security/cve/CVE-2019-14563.html CVE-2019-14563 https://bugzilla.suse.com/1163959 SUSE Bug 1163959 Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2019-14575 openSUSE Leap 15.1:ovmf-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:ovmf-tools-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-ia32-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-2017+git1510945757.b2662641d5-lp151.11.3.1 openSUSE Leap 15.1:qemu-ovmf-x86_64-debug-2017+git1510945757.b2662641d5-lp151.11.3.1 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VANMRLN7SHDVR27SB7Q5S4EAGOPND4LC/ https://www.suse.com/security/cve/CVE-2019-14575.html CVE-2019-14575 https://bugzilla.suse.com/1163969 SUSE Bug 1163969