Security update for grub2

Announcement ID:	SUSE-SU-2020:2207-1
Rating:	important
References:	bsc#1004959 bsc#1072648 bsc#1084632 bsc#1168994 bsc#1173812 bsc#1174463 bsc#1174519 bsc#1174570 bsc#1175049
Cross-References:	CVE-2020-10713 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-15706 CVE-2020-15707
CVSS scores:	CVE-2020-10713 ( SUSE ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-10713 ( NVD ): 8.2 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVE-2020-14308 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14308 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14309 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-14309 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-14310 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-14310 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-14311 ( SUSE ): 5.7 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-14311 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-15706 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-15706 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CVE-2020-15707 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1

An update that solves seven vulnerabilities and has two security fixes can now be installed.

Description:

This update for grub2 fixes the following issues:

Fix for CVE-2020-10713 (bsc#1168994)
Fix for CVE-2020-14308 CVE-2020-14309, CVE-2020-14310, CVE-2020-14311 (bsc#1173812)
Fix for CVE-2020-15706 (bsc#1174463)
Fix for CVE-2020-15707 (bsc#1174570)
Use overflow checking primitives where the arithmetic expression for buffer allocations may include unvalidated data
Fix packed-not-aligned error on GCC 8 (bsc#1084632)
Fix "no symbol table" (bsc#1072648) (bsc#1174519)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise Server for SAP Applications 12 SP1
zypper in -t patch SUSE-SLE-SAP-12-SP1-2020-2207=1
SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2020-2207=1

Package List:

SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
- grub2-2.02~beta2-91.21.1
- grub2-x86_64-xen-2.02~beta2-91.21.1
- grub2-i386-pc-2.02~beta2-91.21.1
- grub2-debuginfo-2.02~beta2-91.21.1
- grub2-x86_64-efi-2.02~beta2-91.21.1
SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
- grub2-snapper-plugin-2.02~beta2-91.21.1
SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
- grub2-debuginfo-2.02~beta2-91.21.1
- grub2-2.02~beta2-91.21.1
SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le)
- grub2-powerpc-ieee1275-2.02~beta2-91.21.1
SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (noarch)
- grub2-snapper-plugin-2.02~beta2-91.21.1
SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (s390x)
- grub2-debugsource-2.02~beta2-91.21.1
- grub2-s390x-emu-2.02~beta2-91.21.1
SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (x86_64)
- grub2-x86_64-efi-2.02~beta2-91.21.1
- grub2-i386-pc-2.02~beta2-91.21.1
- grub2-x86_64-xen-2.02~beta2-91.21.1

Security update for grub2

Description:

Patch Instructions:

Package List:

References: