SUSE 5181 Published by

A shim security update has been released for openSUSE Leap 15.2.



openSUSE-SU-2021:0598-1: important: Security update for shim


openSUSE Security Update: Security update for shim
______________________________________________________________________________

Announcement ID: openSUSE-SU-2021:0598-1
Rating: important
References: #1173411 #1174512 #1175509 #1177315 #1177404
#1177789 #1182057 #1184454
Cross-References: CVE-2019-14584
CVSS scores:
CVE-2019-14584 (SUSE): 4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Products:
openSUSE Leap 15.2
______________________________________________________________________________

An update that solves one vulnerability and has 7 fixes is
now available.

Description:

This update for shim fixes the following issues:

- Updated openSUSE x86 signature

- Avoid the error message during linux system boot (boo#1184454)
- Prevent the build id being added to the binary. That can cause issues
with the signature

Update to 15.4 (boo#1182057)

+ Rename the SBAT variable and fix the self-check of SBAT
+ sbat: add more dprint()
+ arm/aa64: Swizzle some sections to make old sbsign happier
+ arm/aa64 targets: put .rel* and .dyn* in .rodata

- Change the SBAT variable name and enhance the handling of SBAT
(boo#1182057)

Update to 15.3 for SBAT support (boo#1182057)

+ Drop gnu-efi from BuildRequires since upstream pull it into the
- Generate vender-specific SBAT metadata
+ Add dos2unix to BuildRequires since Makefile requires it for vendor
SBAT
- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign
keys:
+ SLES-UEFI-SIGN-Certificate-2020-07.crt
+ openSUSE-UEFI-SIGN-Certificate-2020-07.crt
- Check CodeSign in the signer's EKU (boo#1177315)
- Fixed NULL pointer dereference in AuthenticodeVerify() (boo#1177789,
CVE-2019-14584)

- All newly released openSUSE kernels enable kernel lockdown and signature
verification, so there is no need to add the prompt anymore.
- shim-install: Support changing default shim efi binary in
/usr/etc/default/shim and /etc/default/shim (boo#1177315)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-598=1


Package List:

- openSUSE Leap 15.2 (x86_64):

shim-15.4-lp152.4.8.1
shim-debuginfo-15.4-lp152.4.8.1
shim-debugsource-15.4-lp152.4.8.1

References:

  https://www.suse.com/security/cve/CVE-2019-14584.html
  https://bugzilla.suse.com/1173411
  https://bugzilla.suse.com/1174512
  https://bugzilla.suse.com/1175509
  https://bugzilla.suse.com/1177315
  https://bugzilla.suse.com/1177404
  https://bugzilla.suse.com/1177789
  https://bugzilla.suse.com/1182057
  https://bugzilla.suse.com/1184454