You are here
Home > Preporuke > Sigurnosni propust programskog paketa grub2

Sigurnosni propust programskog paketa grub2

by ncert - 0
  • Detalji os-a: LSU
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LSU

SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:2385-1
Rating: important
References: #884828 #884830 #946148 #952539 #954592 #956631

Cross-References: CVE-2015-8370
Affected Products:
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Desktop 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves one vulnerability and has 5 fixes is
now available.

Description:

This update for grub2 provides the following fixes:

A security issues with a bufferoverflow when reading username and password
was fixed (bsc#956631, CVE-2015-8370)

Also following bugs were fixed:
– Fix buffer overflows when reading username and password. (bsc#956631,
CVE-2015-8370)
– Expand list of grub.cfg search path in PV Xen guests for systems
installed
on btrfs snapshots. (bsc#946148, bsc#952539)
– Add grub.xen config searching path on boot partition. (bsc#884828)
– Add linux16 and initrd16 to grub.xen. (bsc#884830)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server 11-SP4:

zypper in -t patch slessp4-grub2-12288=1

– SUSE Linux Enterprise Desktop 11-SP4:

zypper in -t patch sledsp4-grub2-12288=1

– SUSE Linux Enterprise Debuginfo 11-SP4:

zypper in -t patch dbgsp4-grub2-12288=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server 11-SP4 (x86_64):

grub2-x86_64-efi-2.00-0.54.2
grub2-x86_64-xen-2.00-0.54.2

– SUSE Linux Enterprise Desktop 11-SP4 (x86_64):

grub2-x86_64-efi-2.00-0.54.2
grub2-x86_64-xen-2.00-0.54.2

– SUSE Linux Enterprise Debuginfo 11-SP4 (x86_64):

grub2-debuginfo-2.00-0.54.2
grub2-debugsource-2.00-0.54.2

References:

https://www.suse.com/security/cve/CVE-2015-8370.html
https://bugzilla.suse.com/884828
https://bugzilla.suse.com/884830
https://bugzilla.suse.com/946148
https://bugzilla.suse.com/952539
https://bugzilla.suse.com/954592
https://bugzilla.suse.com/956631


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:2386-1
Rating: important
References: #884828 #884830 #946148 #952539 #954592 #956631

Cross-References: CVE-2015-8370
Affected Products:
SUSE Linux Enterprise Server for VMWare 11-SP3
SUSE Linux Enterprise Server 11-SP3
SUSE Linux Enterprise Desktop 11-SP3
SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

An update that solves one vulnerability and has 5 fixes is
now available.

Description:

This update for grub2 provides the following fixes:

A security issues with a bufferoverflow when reading username and password
was fixed (bsc#956631, CVE-2015-8370)

Bugs fixed:
– Expand list of grub.cfg search path in PV Xen guests for systems
installed on btrfs snapshots. (bsc#946148, bsc#952539)
– Add grub.xen config searching path on boot partition. (bsc#884828)
– Add linux16 and initrd16 to grub.xen. (bsc#884830)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server for VMWare 11-SP3:

zypper in -t patch slessp3-grub2-12287=1

– SUSE Linux Enterprise Server 11-SP3:

zypper in -t patch slessp3-grub2-12287=1

– SUSE Linux Enterprise Desktop 11-SP3:

zypper in -t patch sledsp3-grub2-12287=1

– SUSE Linux Enterprise Debuginfo 11-SP3:

zypper in -t patch dbgsp3-grub2-12287=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server for VMWare 11-SP3 (x86_64):

grub2-x86_64-efi-2.00-0.49.2
grub2-x86_64-xen-2.00-0.49.2

– SUSE Linux Enterprise Server 11-SP3 (x86_64):

grub2-x86_64-efi-2.00-0.49.2
grub2-x86_64-xen-2.00-0.49.2

– SUSE Linux Enterprise Desktop 11-SP3 (x86_64):

grub2-x86_64-efi-2.00-0.49.2
grub2-x86_64-xen-2.00-0.49.2

– SUSE Linux Enterprise Debuginfo 11-SP3 (x86_64):

grub2-debuginfo-2.00-0.49.2
grub2-debugsource-2.00-0.49.2

References:

https://www.suse.com/security/cve/CVE-2015-8370.html
https://bugzilla.suse.com/884828
https://bugzilla.suse.com/884830
https://bugzilla.suse.com/946148
https://bugzilla.suse.com/952539
https://bugzilla.suse.com/954592
https://bugzilla.suse.com/956631


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org

SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID: SUSE-SU-2015:2387-1
Rating: important
References: #774666 #917427 #946148 #952539 #954126 #954519
#955493 #955609 #956631
Cross-References: CVE-2015-8370
Affected Products:
SUSE Linux Enterprise Server 12-SP1
SUSE Linux Enterprise Desktop 12-SP1
______________________________________________________________________________

An update that solves one vulnerability and has 8 fixes is
now available.

Description:

– Fix buffer overflows when reading username and password. (bsc#956631,
CVE-2015-8370)
– Check MS-DOS header to find PE file header. (bsc#954126)
– Use dirname for copying Xen kernel and initrd to esp. (bsc#955493)
– Fix reading password by grub2-mkpasswd-pbdk2 without controlling tty.
(bsc#954519)
– Add luks, gcry_rijndael and gcry_sha1 to signed EFI image to support
LUKS partition in default setup. (bsc#917427, bsc#955609)
– Expand list of grub.cfg search path in PV Xen guests for systems
installed on btrfs snapshots. (bsc#946148, bsc#952539)

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server 12-SP1:

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2015-1027=1

– SUSE Linux Enterprise Desktop 12-SP1:

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2015-1027=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server 12-SP1 (ppc64le s390x x86_64):

grub2-2.02~beta2-73.3
grub2-debuginfo-2.02~beta2-73.3

– SUSE Linux Enterprise Server 12-SP1 (ppc64le):

grub2-powerpc-ieee1275-2.02~beta2-73.3

– SUSE Linux Enterprise Server 12-SP1 (x86_64):

grub2-i386-pc-2.02~beta2-73.3
grub2-x86_64-efi-2.02~beta2-73.3
grub2-x86_64-xen-2.02~beta2-73.3

– SUSE Linux Enterprise Server 12-SP1 (noarch):

grub2-snapper-plugin-2.02~beta2-73.3

– SUSE Linux Enterprise Server 12-SP1 (s390x):

grub2-debugsource-2.02~beta2-73.3
grub2-s390x-emu-2.02~beta2-73.3

– SUSE Linux Enterprise Desktop 12-SP1 (x86_64):

grub2-2.02~beta2-73.3
grub2-debuginfo-2.02~beta2-73.3
grub2-i386-pc-2.02~beta2-73.3
grub2-x86_64-efi-2.02~beta2-73.3
grub2-x86_64-xen-2.02~beta2-73.3

– SUSE Linux Enterprise Desktop 12-SP1 (noarch):

grub2-snapper-plugin-2.02~beta2-73.3

References:

https://www.suse.com/security/cve/CVE-2015-8370.html
https://bugzilla.suse.com/774666
https://bugzilla.suse.com/917427
https://bugzilla.suse.com/946148
https://bugzilla.suse.com/952539
https://bugzilla.suse.com/954126
https://bugzilla.suse.com/954519
https://bugzilla.suse.com/955493
https://bugzilla.suse.com/955609
https://bugzilla.suse.com/956631


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
 

 

 

   SUSE Security Update: Security update for grub2
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:2399-1
Rating:             important
References:         #928131 #943380 #946148 #952539 #956631
Cross-References:   CVE-2015-8370
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves one vulnerability and has four fixes
   is now available.

Description:

   This update for grub2 provides the following fixes and enhancements:

   Security issue fixed:
   – Fix buffer overflows when reading username and password. (bsc#956631,
     CVE-2015-8370)

   Non security issues fixed:
   – Expand list of grub.cfg search path in PV Xen guests for systems
     installed
     on btrfs snapshots. (bsc#946148, bsc#952539)
   – Add –image switch to force zipl update to specific kernel. (bsc#928131)
   – Do not use shim lock protocol for reading PE header as it won’t be
     available when secure boot is disabled. (bsc#943380)
   – Make firmware flaw condition be more precisely detected and add debug
     message for the case.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   – SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-1032=1

   – SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-1032=1

   To bring your system up-to-date, use “zypper patch”.

Package List:

   – SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      grub2-2.02~beta2-56.9.4
      grub2-debuginfo-2.02~beta2-56.9.4

   – SUSE Linux Enterprise Server 12 (ppc64le):

      grub2-powerpc-ieee1275-2.02~beta2-56.9.4

   – SUSE Linux Enterprise Server 12 (x86_64):

      grub2-i386-pc-2.02~beta2-56.9.4
      grub2-x86_64-efi-2.02~beta2-56.9.4
      grub2-x86_64-xen-2.02~beta2-56.9.4

   – SUSE Linux Enterprise Server 12 (noarch):

      grub2-snapper-plugin-2.02~beta2-56.9.4

   – SUSE Linux Enterprise Server 12 (s390x):

      grub2-debugsource-2.02~beta2-56.9.4
      grub2-s390x-emu-2.02~beta2-56.9.4

   – SUSE Linux Enterprise Desktop 12 (x86_64):

      grub2-2.02~beta2-56.9.4
      grub2-debuginfo-2.02~beta2-56.9.4
      grub2-i386-pc-2.02~beta2-56.9.4
      grub2-x86_64-efi-2.02~beta2-56.9.4
      grub2-x86_64-xen-2.02~beta2-56.9.4

   – SUSE Linux Enterprise Desktop 12 (noarch):

      grub2-snapper-plugin-2.02~beta2-56.9.4

References:

   https://www.suse.com/security/cve/CVE-2015-8370.html
   https://bugzilla.suse.com/928131
   https://bugzilla.suse.com/943380
   https://bugzilla.suse.com/946148
   https://bugzilla.suse.com/952539
   https://bugzilla.suse.com/956631


To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
 

AutorTomislav Protega
Cert idNCERT-REF-2015-12-0001-ADV
CveCVE-2015-8370
ID izvornikaSUSE-SU-2015:2385-1 SUSE-SU-2015:2386-1 SUSE-SU-2015:2387-1
Proizvodgrub2
Izvorhttp://www.suse.com
ncert
Top
More in Preporuke
Sigurnosni propust programskog paketa nodejs-handlebars

Otkriven je sigurnosni propust u modulu handlebars node uzrokovan nedostatkom pojedinih znakova unutar svojeg zaštitnog mehanizma, što potencijalnim napadačima pruža...

Close