https://bugzilla.suse.com/show_bug.cgi?id=1185441
Bug ID: 1185441 Summary: "system is compromised" during boot after grub2+shim update Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.2 Hardware: Other OS: Linux Status: NEW Severity: Normal Priority: P5 - None Component: Bootloader Assignee: screening-team-bugs@suse.de Reporter: robert.simai@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: ---
I installed the most recent
kernel-default-5.3.18-lp152.72.1.x86_64 shim-15.4-lp152.4.8.1.x86_64 grub2-2.04-lp152.7.25.1.x86_64
on my Dell Precision 3620 this week and rebooted as required. The system doesn't come up but shows "system is compromised" for a second, followed by power down.
If I change from "UEFI with secure boot" to "UEFI without secure boot" it behaves well again and just boots.
I've set "mokutil --set-verbosity true" as advised which outputs a lot of messages, I unfortunately have no serial console at hand to connect and save them. I'll try to attach a video from the screen that shows the boot process and messages.
https://bugzilla.suse.com/show_bug.cgi?id=1185441
Robert Simai robert.simai@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Assignee|screening-team-bugs@suse.de |glin@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c1
Gary Ching-Pang Lin glin@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |mchang@suse.com
--- Comment #1 from Gary Ching-Pang Lin glin@suse.com --- Per the design of shim, the error message, "System is compromised. halting.", should only happen when grub2 loads a kernel without verifying it with the shim protocol. However, our grub2 always verifies kernel when secure boot is on, so this should not happen.
One possible cause would be that the static variable in shim, loader_is_participating, was overwritten accidentally in some case, so shim mistakenly showed the message.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c2
--- Comment #2 from Robert Simai robert.simai@suse.com --- Created attachment 848874 --> https://bugzilla.suse.com/attachment.cgi?id=848874&action=edit screen video of boot process
https://bugzilla.suse.com/show_bug.cgi?id=1185441
Bernhard Wiedemann bwiedemann@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |bwiedemann@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1185441
Witek Bedyk witold.bedyk@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |witold.bedyk@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c3
--- Comment #3 from Witek Bedyk witold.bedyk@suse.com --- I have also problems after shim upgrade. Reported here:
https://bugzilla.suse.com/show_bug.cgi?id=1185456
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c4
Michael Chang mchang@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |glin@suse.com Flags| |needinfo?(glin@suse.com)
--- Comment #4 from Michael Chang mchang@suse.com --- I can reproduce the error. It appears that the secure boot validation has been disabled through MokManager, but shim still insist to enforce it and spew "system is compromised ..." when grub is told to skip shim_lock to honor the setting.
The step to reproduce:
(Secure Boot Standard Mode in firmware) 1. mokutil --disable-validation 2. reboot 3. Press Down and Enter in shim menu to *Change secure boot state* 4. Enter three password characters. 5. Press y and Enter to confirm *disabling* Secure Boot 6. Press any key to reboot system (reboot) 7. "Bootloader has not verified loaded image. System is compromised, halting" logged on screen when trying to boot linux kernel
Also we can observe whether secure boot validation has been disabled via examining the MokSBStateRT variable.
cd /sys/firmware/efi/efivars hexdump -C MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23 00000000 06 00 00 00 01 |.....| 00000005
"1" means secure boot validation disabled, in other words putting shim in "insecure" mode intentionally to allow booting unsigned image even if secure boot is enabled in firmware.
It then looks like shim issue to me ...
Gary did you have any idea ? Thanks.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c5
--- Comment #5 from Michael Chang mchang@suse.com --- FWIW. The relevant source code in grub to honor MokSBStateRT setting.
https://git.savannah.gnu.org/cgit/grub.git/tree/grub-core/kern/efi/sb.c#n94
https://bugzilla.suse.com/show_bug.cgi?id=1185441
Pavel Dost�l pdostal@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |pdostal@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1185441
Marcus Meissner meissner@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c6
--- Comment #6 from Michael Chang mchang@suse.com --- Reverting to old shim helps to get rid of the error for me. I could see 'Booting in insecure mode' logged on the screen before grub starts, and grub boots kernel without error.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c7
--- Comment #7 from Bernhard Wiedemann bwiedemann@suse.com --- Here are the shim changes: osc rdiff openSUSE:Leap:15.2:Update/shim.13675 \ openSUSE:Leap:15.2:Update/shim.16135
------------------------------------------------------------------- Wed Apr 21 05:46:19 UTC 2021 - Johannes Segitz jsegitz@suse.com
- Updated openSUSE x86 signature
------------------------------------------------------------------- Thu Apr 8 08:44:27 UTC 2021 - Gary Ching-Pang Lin glin@suse.com
- Add shim-bsc1184454-allocate-mok-config-table-BS.patch to avoid the error message during linux system boot (bsc#1184454)
------------------------------------------------------------------- Wed Apr 7 12:25:02 UTC 2021 - Johannes Segitz jsegitz@suse.com
- Add remove_build_id.patch to prevent the build id being added to the binary. That can cause issues with the signature
------------------------------------------------------------------- Wed Mar 31 08:45:52 UTC 2021 - Gary Ching-Pang Lin glin@suse.com
- Update to 15.4 (bsc#1182057) + Rename the SBAT variable and fix the self-check of SBAT + sbat: add more dprint() + arm/aa64: Swizzle some sections to make old sbsign happier + arm/aa64 targets: put .rel* and .dyn* in .rodata - Drop upstreamed patch: shim-bsc1182057-sbat-variable-enhancement.patch
------------------------------------------------------------------- Mon Mar 29 07:18:20 UTC 2021 - Gary Ching-Pang Lin glin@suse.com
- Add shim-bsc1182057-sbat-variable-enhancement.patch to change the SBAT variable name and enhance the handling of SBAT (bsc#1182057)
------------------------------------------------------------------- Wed Mar 24 01:29:17 UTC 2021 - Gary Ching-Pang Lin glin@suse.com
- Update to 15.3 for SBAT support (bsc#1182057) + Drop gnu-efi from BuildRequires since upstream pull it into the + Include the fixes for bsc#1175509, bsc#1173411, bsc#1177404, bsc#1175509, bsc#1174512 - Generate vender-specific SBAT metadata + Add dos2unix to BuildRequires since Makefile requires it for vendor SBAT - Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign keys: + SLES-UEFI-SIGN-Certificate-2020-07.crt + openSUSE-UEFI-SIGN-Certificate-2020-07.crt - Refresh patches + shim-arch-independent-names.patch + shim-change-debug-file-path.patch - Add shim-bsc1177315-verify-eku-codesign.patch to check CodeSign in the signer's EKU (bsc#1177315) - Add shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch to fix NULL pointer dereference in AuthenticodeVerify() (bsc#1177789, CVE-2019-14584) - Drop upstreamed fixes + shim-always-mirror-mok-variables.patch + gcc9-fix-warnings.patch + shim-fix-gnu-efi-3.0.11.patch + shim-bsc1092000-fallback-menu.patch + shim-bsc1173411-only-check-efi-var-on-sb.patch + shim-correct-license-in-headers.patch - Drop shim-opensuse-cert-prompt.patch + All newly released openSUSE kernels enable kernel lockdown and signature verification, so there is no need to add the prompt anymore. - Amend timestamp.pl to include the linker version to avoid the potential breakage of signature due to the upgrade of binutils + Also update the signature files to add the linker version - shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c9
Gary Ching-Pang Lin glin@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(glin@suse.com) |
--- Comment #9 from Gary Ching-Pang Lin glin@suse.com --- Hmmm, there is a known bug in shim 15.4 that MokSBState wasn't handled properly. https://github.com/rhboot/shim/pull/362
https://bugzilla.suse.com/show_bug.cgi?id=1185441
Joey Lee jlee@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jlee@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c10
--- Comment #10 from Gary Ching-Pang Lin glin@suse.com --- If the error is really caused by MokSBState, then it can be work around by reverting to old shim, executing "mokutil --enable-validation", rebooting the system, and then upgrading shim again.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c13
--- Comment #13 from Gary Ching-Pang Lin glin@suse.com --- (In reply to Tiago Marques from comment #12)
Hi,
I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.
I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.
Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c15
--- Comment #15 from Tiago Marques bugs@tmarques.com --- (In reply to Gary Ching-Pang Lin from comment #13)
(In reply to Tiago Marques from comment #12)
Hi,
I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.
I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.
Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c16
--- Comment #16 from Gary Ching-Pang Lin glin@suse.com --- (In reply to Tiago Marques from comment #15)
(In reply to Gary Ching-Pang Lin from comment #13)
(In reply to Tiago Marques from comment #12)
Hi,
I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.
I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.
Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c17
--- Comment #17 from Tiago Marques bugs@tmarques.com --- (In reply to Gary Ching-Pang Lin from comment #16)
(In reply to Tiago Marques from comment #15)
(In reply to Gary Ching-Pang Lin from comment #13)
(In reply to Tiago Marques from comment #12)
Hi,
I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.
I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.
Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.
After doing that, got an unbootable system with the the same "system is compromised message".
Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:
--- Failed to open \EFI\BOOT\MokManager.efi - Not Found Failed to load image \EFI\BOOT\MokManager.efi: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed : Not Found ---
I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c18
--- Comment #18 from Gary Ching-Pang Lin glin@suse.com --- (In reply to Tiago Marques from comment #17)
(In reply to Gary Ching-Pang Lin from comment #16)
(In reply to Tiago Marques from comment #15)
(In reply to Gary Ching-Pang Lin from comment #13)
(In reply to Tiago Marques from comment #12)
Hi,
I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.
I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.
Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.
After doing that, got an unbootable system with the the same "system is compromised message".
What's the version of shim in the system? Could you try
1) downgrade shim with the following rpm http://download.opensuse.org/update/leap/15.2/oss/x86_64/shim-15+git47-lp152...
2) mokutil --enable-validation
3) reboot the system to clear MokSBState
4) upgrade shim to 15.4 again and reboot the system to see if the issue persists
Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:
Failed to open \EFI\BOOT\MokManager.efi - Not Found Failed to load image \EFI\BOOT\MokManager.efi: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed : Not Found
It seems the request for MokSBState wasn't handled, and MokManager.efi wasn't in Live USB so that shim cannot handle the request.
I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c20
--- Comment #20 from Gary Ching-Pang Lin glin@suse.com --- (In reply to Michiel Janssens from comment #19)
Hi, since upgrading to shim 15.4 I had the same issue with Secureboot enabled in BIOS on Tumbleweed, so with message "system is compromised". To be able to boot I disabled Secureboot in BIOS. Today I upgraded TW to snapshot 20210520, with shim-15.4-3.1.x86_64, still the same issue when enabling Secureboot in BIOS, so disabled it again.
So I followed some of the steps in this report, didn't downgrade shim package.
- mokutil --enable-validation (not disable)
- reboot
- Press Down and Enter in shim menu to *Change secure boot state*
- Enter three password characters.
- Press y and Enter
- Press any key to reboot system (reboot)
- system boots, Secureboot still disabled in BIOS.
- Boot to Bios and enabled Secureboot again
- System boots, without error
mokutil --sb-state gives SecureBoot enabled, so I guess it's fixed.
Thanks for verifying MokSBState and provide the workaround!
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c21
--- Comment #21 from Tiago Marques bugs@tmarques.com --- (In reply to Gary Ching-Pang Lin from comment #18)
(In reply to Tiago Marques from comment #17)
(In reply to Gary Ching-Pang Lin from comment #16)
(In reply to Tiago Marques from comment #15)
(In reply to Gary Ching-Pang Lin from comment #13)
(In reply to Tiago Marques from comment #12)
Hi,
I've been hit by this for some months now. Every Grub2 update, I get the same message as OP. Not sure which grub package is to blame and I'm using EFI and secure boot.
I've managed to (twice) solve the issue by booting a live USB, chrooting and then running 'shim-install'.
Not sure where the bug is or if this helps. I'm available to test other things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.
After doing that, got an unbootable system with the the same "system is compromised message".
What's the version of shim in the system? Could you try
- downgrade shim with the following rpm
http://download.opensuse.org/update/leap/15.2/oss/x86_64/shim-15+git47-lp152. 4.6.1.x86_64.rpm
mokutil --enable-validation
reboot the system to clear MokSBState
upgrade shim to 15.4 again and reboot the system to see if the issue
persists
Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:
Failed to open \EFI\BOOT\MokManager.efi - Not Found Failed to load image \EFI\BOOT\MokManager.efi: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed : Not Found
It seems the request for MokSBState wasn't handled, and MokManager.efi wasn't in Live USB so that shim cannot handle the request.
I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.
Tried this to no avail.
Also tried changing the SB state through the Shim management options but it fails with error "Failed to changed SB state".
Running shim through UEFI programs still works and "shim-install" then fixes the boot issue.
$ mokutil --list-enrolled MokListRT is empty
Could this be related?
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c22
--- Comment #22 from Gary Ching-Pang Lin glin@suse.com --- (In reply to Tiago Marques from comment #21)
(In reply to Gary Ching-Pang Lin from comment #18)
(In reply to Tiago Marques from comment #17)
(In reply to Gary Ching-Pang Lin from comment #16)
(In reply to Tiago Marques from comment #15)
(In reply to Gary Ching-Pang Lin from comment #13)
(In reply to Tiago Marques from comment #12) > Hi, > > I've been hit by this for some months now. Every Grub2 update, I get the > same message as OP. > Not sure which grub package is to blame and I'm using EFI and secure boot. > > I've managed to (twice) solve the issue by booting a live USB, chrooting and > then running 'shim-install'. > > Not sure where the bug is or if this helps. I'm available to test other > things out to help fix this.
Before upgrading "shim", could you try "mokutil --enable-validation" and reboot the system to clean up MokSBState?
Tried but the command is asking me for a password. I have no password set on the BIOS. Is this the expected behavior?
That's a password used to verify physical access when modifying MokSBState variable. During the next boot, MokManager will ask if you want to "Change Secure Boot state" and randomly ask 3 characters of the password you set. It's an one-time password and will be dropped after use.
After doing that, got an unbootable system with the the same "system is compromised message".
What's the version of shim in the system? Could you try
- downgrade shim with the following rpm
http://download.opensuse.org/update/leap/15.2/oss/x86_64/shim-15+git47-lp152. 4.6.1.x86_64.rpm
mokutil --enable-validation
reboot the system to clear MokSBState
upgrade shim to 15.4 again and reboot the system to see if the issue
persists
Tried to restore the same way as before, but the OpenSUSE live USB was also unbootable w/ messages:
Failed to open \EFI\BOOT\MokManager.efi - Not Found Failed to load image \EFI\BOOT\MokManager.efi: Not Found Failed to start MokManager: Not Found Something has gone seriously wrong: import_mok_state() failed : Not Found
It seems the request for MokSBState wasn't handled, and MokManager.efi wasn't in Live USB so that shim cannot handle the request.
I managed to select an option to run "UEFI Application", manually select 'shim.efi' from the boot drive and get into the OS.
Tried this to no avail.
Also tried changing the SB state through the Shim management options but it fails with error "Failed to changed SB state".
Running shim through UEFI programs still works and "shim-install" then fixes the boot issue.
$ mokutil --list-enrolled MokListRT is empty
Could this be related?
The empty MokListRT sounds similar to bsc#1185528. It seems that shim failed to mirror the keys for some reason.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c25
--- Comment #25 from Swamp Workflow Management swamp@suse.de --- openSUSE-RU-2021:1064-1: An update that has 7 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185621,1187071,1187260,1187696 CVE References: JIRA References: Sources used: openSUSE Leap 15.2 (src): shim-15.4-lp152.4.17.1
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c28
--- Comment #28 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2021:2464-1: An update that has 8 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185464,1185961,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): shim-15.4-4.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c29
--- Comment #29 from Swamp Workflow Management swamp@suse.de --- openSUSE-RU-2021:2464-1: An update that has 8 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185464,1185961,1187071,1187260,1187696 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): shim-15.4-4.7.1
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c30
--- Comment #30 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2021:2465-1: An update that has 7 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185621,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE MicroOS 5.0 (src): shim-15.4-3.29.1 SUSE Manager Server 4.0 (src): shim-15.4-3.29.1 SUSE Manager Retail Branch Server 4.0 (src): shim-15.4-3.29.1 SUSE Manager Proxy 4.0 (src): shim-15.4-3.29.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): shim-15.4-3.29.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): shim-15.4-3.29.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): shim-15.4-3.29.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): shim-15.4-3.29.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): shim-15.4-3.29.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): shim-15.4-3.29.1 SUSE Enterprise Storage 6 (src): shim-15.4-3.29.1 SUSE CaaS Platform 4.0 (src): shim-15.4-3.29.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c31
--- Comment #31 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2021:2466-1: An update that has 7 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185621,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE Linux Enterprise Server for SAP 15 (src): shim-15.4-7.23.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): shim-15.4-7.23.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): shim-15.4-7.23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c32
--- Comment #32 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2021:2594-1: An update that has 9 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185464,1185621,1185961,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE OpenStack Cloud Crowbar 9 (src): shim-15.4-25.21.1 SUSE OpenStack Cloud Crowbar 8 (src): shim-15.4-25.21.1 SUSE OpenStack Cloud 9 (src): shim-15.4-25.21.1 SUSE OpenStack Cloud 8 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server for SAP 12-SP4 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server for SAP 12-SP3 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP5 (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP4-LTSS (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP3-LTSS (src): shim-15.4-25.21.1 SUSE Linux Enterprise Server 12-SP3-BCL (src): shim-15.4-25.21.1 HPE Helion Openstack 8 (src): shim-15.4-25.21.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c35
--- Comment #35 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2021:14808-1: An update that has 7 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1185232,1185261,1185441,1185621,1187071,1187260,1187696 CVE References: JIRA References: Sources used: SUSE Linux Enterprise Server 11-SP4-LTSS (src): shim-15.4-12.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c36
--- Comment #36 from Swamp Workflow Management swamp@suse.de --- SUSE-RU-2021:3224-1: An update that has 12 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696 CVE References: JIRA References: Sources used: SUSE MicroOS 5.0 (src): shim-15.4-3.32.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): shim-susesigned-15.4-3.10.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): shim-15.4-3.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c37
--- Comment #37 from Swamp Workflow Management swamp@suse.de --- openSUSE-RU-2021:3224-1: An update that has 12 recommended fixes can now be installed.
Category: recommended (moderate) Bug References: 1177315,1177789,1182057,1184454,1185232,1185261,1185441,1185464,1185621,1185961,1187260,1187696 CVE References: JIRA References: Sources used: openSUSE Leap 15.3 (src): shim-susesigned-15.4-3.10.1
https://bugzilla.suse.com/show_bug.cgi?id=1185441 https://bugzilla.suse.com/show_bug.cgi?id=1185441#c38
--- Comment #38 from Maintenance Automation maint-coord+maintenance-robot@suse.de --- SUSE-SU-2023:1702-1: An update that solves one vulnerability, contains two features and has 10 fixes can now be installed.
Category: security (important) Bug References: 1185232, 1185261, 1185441, 1185621, 1187071, 1187260, 1193282, 1198458, 1201066, 1202120, 1205588 CVE References: CVE-2022-28737 Jira References: PED-127, PED-1273 Sources used: openSUSE Leap Micro 5.3 (src): shim-15.7-150300.4.11.1 openSUSE Leap 15.4 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.4 (src): shim-15.7-150300.4.11.1 Basesystem Module 15-SP4 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Real Time 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): shim-15.7-150300.4.11.1 SUSE Manager Proxy 4.2 (src): shim-15.7-150300.4.11.1 SUSE Manager Retail Branch Server 4.2 (src): shim-15.7-150300.4.11.1 SUSE Manager Server 4.2 (src): shim-15.7-150300.4.11.1 SUSE Enterprise Storage 7.1 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.1 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro 5.2 (src): shim-15.7-150300.4.11.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): shim-15.7-150300.4.11.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
-
bugzilla_noreply@suse.com