Описание
Security update for shim
This update for shim fixes the following issues:
This update addresses the 'BootHole' security issue (master CVE CVE-2020-10713), by disallowing binaries signed by the previous SUSE UEFI signing key from booting.
This update should only be installed after updates of grub2, the Linux kernel and (if used) Xen from July / August 2020 are applied.
Changes:
Use vendor-dbx to block old SUSE/openSUSE signkeys (bsc#1168994)
- Add dbx-cert.tar.xz which contains the certificates to block and a script, generate-vendor-dbx.sh, to generate vendor-dbx.bin
- Add vendor-dbx.bin as the vendor dbx to block unwanted keys
- Update the path to grub-tpm.efi in shim-install (bsc#1174320)
- Only check EFI variable copying when Secure Boot is enabled (bsc#1173411)
- Use the full path of efibootmgr to avoid errors when invoking shim-install from packagekitd (bsc#1168104)
- shim-install: add check for btrfs is used as root file system to enable relative path lookup for file. (bsc#1153953)
- shim-install: install MokManager to \EFI\boot to process the pending MOK request (bsc#1175626, bsc#1175656)
Список пакетов
Image SLES15-SP1-CAP-Deployment-BYOS-GCE
Image SLES15-SP1-CHOST-BYOS-Azure
Image SLES15-SP1-CHOST-BYOS-EC2
Image SLES15-SP1-CHOST-BYOS-GCE
Image SLES15-SP1-EC2-HPC-HVM-BYOS
Image SLES15-SP1-EC2-HVM-BYOS
Image SLES15-SP1-GCE-BYOS
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Proxy
Image SLES15-SP1-Manager-4-0-GCE-BYOS-Server
Image SLES15-SP1-OCI-BYOS
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP1-SAP-EC2-HVM
Image SLES15-SP1-SAP-EC2-HVM-BYOS
Image SLES15-SP1-SAP-GCE
Image SLES15-SP1-SAP-GCE-BYOS
Image SLES15-SP1-SAP-OCI-BYOS
Image SLES15-SP1-SAPCAL-Azure
Image SLES15-SP1-SAPCAL-EC2-HVM
Image SLES15-SP1-SAPCAL-GCE
Image SLES15-SP2-Azure-Basic
Image SLES15-SP2-Azure-Standard
Image SLES15-SP2-BYOS-Azure
Image SLES15-SP2-BYOS-EC2-HVM
Image SLES15-SP2-BYOS-GCE
Image SLES15-SP2-CAP-Deployment-BYOS-Azure
Image SLES15-SP2-CHOST-BYOS-Azure
Image SLES15-SP2-CHOST-BYOS-EC2
Image SLES15-SP2-CHOST-BYOS-GCE
Image SLES15-SP2-GCE
Image SLES15-SP2-HPC-Azure
Image SLES15-SP2-HPC-BYOS-Azure
Image SLES15-SP2-HPC-BYOS-EC2-HVM
Image SLES15-SP2-Manager-4-1-Proxy-BYOS-Azure
Image SLES15-SP2-Manager-4-1-Proxy-BYOS-EC2-HVM
Image SLES15-SP2-Manager-4-1-Proxy-BYOS-GCE
Image SLES15-SP2-Manager-4-1-Server-BYOS-Azure
Image SLES15-SP2-Manager-4-1-Server-BYOS-EC2-HVM
Image SLES15-SP2-Manager-4-1-Server-BYOS-GCE
Image SLES15-SP2-SAP-Azure
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP2-SAP-BYOS-Azure
Image SLES15-SP2-SAP-BYOS-EC2-HVM
Image SLES15-SP2-SAP-BYOS-GCE
Image SLES15-SP2-SAP-EC2-HVM
Image SLES15-SP2-SAP-GCE
SUSE Linux Enterprise Module for Basesystem 15 SP1
SUSE Linux Enterprise Module for Basesystem 15 SP2
Ссылки
- Link for SUSE-SU-2020:2629-1
- E-Mail link for SUSE-SU-2020:2629-1
- SUSE Security Ratings
- SUSE Bug 1113225
- SUSE Bug 1121268
- SUSE Bug 1153953
- SUSE Bug 1168104
- SUSE Bug 1168994
- SUSE Bug 1173411
- SUSE Bug 1174320
- SUSE Bug 1175626
- SUSE Bug 1175656
- SUSE CVE CVE-2020-10713 page
Описание
A flaw was found in grub2, prior to version 2.06. An attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Затронутые продукты
Ссылки
- CVE-2020-10713
- SUSE Bug 1168994
- SUSE Bug 1173456
- SUSE Bug 1173812
- SUSE Bug 1199353