Security update for shim SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0598-1 Final 1 1 2021-04-23T10:44:47Z current 2021-04-23T10:44:47Z 2021-04-23T10:44:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for shim This update for shim fixes the following issues: - Updated openSUSE x86 signature - Avoid the error message during linux system boot (boo#1184454) - Prevent the build id being added to the binary. That can cause issues with the signature Update to 15.4 (boo#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel* and .dyn* in .rodata - Change the SBAT variable name and enhance the handling of SBAT (boo#1182057) Update to 15.3 for SBAT support (boo#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the - Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt - Check CodeSign in the signer's EKU (boo#1177315) - Fixed NULL pointer dereference in AuthenticodeVerify() (boo#1177789, CVE-2019-14584) - All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore. - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (boo#1177315) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-598 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O2IF5TPLLS7U2RNC42HXIHTRUMS4Q6YV/ E-Mail link for openSUSE-SU-2021:0598-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1173411 SUSE Bug 1173411 https://bugzilla.suse.com/1174512 SUSE Bug 1174512 https://bugzilla.suse.com/1175509 SUSE Bug 1175509 https://bugzilla.suse.com/1177315 SUSE Bug 1177315 https://bugzilla.suse.com/1177404 SUSE Bug 1177404 https://bugzilla.suse.com/1177789 SUSE Bug 1177789 https://bugzilla.suse.com/1182057 SUSE Bug 1182057 https://bugzilla.suse.com/1184454 SUSE Bug 1184454 https://www.suse.com/security/cve/CVE-2019-14584/ SUSE CVE CVE-2019-14584 page openSUSE Leap 15.2 shim-15.4-lp152.4.8.1 shim-15.4-lp152.4.8.1 as a component of openSUSE Leap 15.2 Null pointer dereference in Tianocore EDK2 may allow an authenticated user to potentially enable escalation of privilege via local access. CVE-2019-14584 openSUSE Leap 15.2:shim-15.4-lp152.4.8.1 low 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/O2IF5TPLLS7U2RNC42HXIHTRUMS4Q6YV/ https://www.suse.com/security/cve/CVE-2019-14584.html CVE-2019-14584 https://bugzilla.suse.com/1177789 SUSE Bug 1177789