Security update for grub2

Announcement ID:	SUSE-SU-2015:2399-1
Rating:	important
References:	bsc#928131 bsc#943380 bsc#946148 bsc#952539 bsc#956631
Cross-References:	CVE-2015-8370
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves one vulnerability and has four security fixes can now be installed.

Description:

This update for grub2 provides the following fixes and enhancements:

Security issue fixed: - Fix buffer overflows when reading username and password. (bsc#956631, CVE-2015-8370)

Non security issues fixed: - Expand list of grub.cfg search path in PV Xen guests for systems installed on btrfs snapshots. (bsc#946148, bsc#952539) - Add --image switch to force zipl update to specific kernel. (bsc#928131) - Do not use shim lock protocol for reading PE header as it won't be available when secure boot is disabled. (bsc#943380) - Make firmware flaw condition be more precisely detected and add debug message for the case.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-1032=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-1032=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-1032=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • grub2-i386-pc-2.02~beta2-56.9.4
  • grub2-x86_64-efi-2.02~beta2-56.9.4
  • grub2-2.02~beta2-56.9.4
  • grub2-x86_64-xen-2.02~beta2-56.9.4
  • grub2-debuginfo-2.02~beta2-56.9.4
• SUSE Linux Enterprise Desktop 12 (noarch)
  • grub2-snapper-plugin-2.02~beta2-56.9.4
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • grub2-2.02~beta2-56.9.4
  • grub2-debuginfo-2.02~beta2-56.9.4
• SUSE Linux Enterprise Server 12 (ppc64le)
  • grub2-powerpc-ieee1275-2.02~beta2-56.9.4
• SUSE Linux Enterprise Server 12 (noarch)
  • grub2-snapper-plugin-2.02~beta2-56.9.4
• SUSE Linux Enterprise Server 12 (s390x)
  • grub2-s390x-emu-2.02~beta2-56.9.4
  • grub2-debugsource-2.02~beta2-56.9.4
• SUSE Linux Enterprise Server 12 (x86_64)
  • grub2-x86_64-efi-2.02~beta2-56.9.4
  • grub2-x86_64-xen-2.02~beta2-56.9.4
  • grub2-i386-pc-2.02~beta2-56.9.4
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • grub2-i386-pc-2.02~beta2-56.9.4
  • grub2-x86_64-efi-2.02~beta2-56.9.4
  • grub2-2.02~beta2-56.9.4
  • grub2-x86_64-xen-2.02~beta2-56.9.4
  • grub2-debuginfo-2.02~beta2-56.9.4
• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • grub2-snapper-plugin-2.02~beta2-56.9.4

References:

• https://www.suse.com/security/cve/CVE-2015-8370.html
• https://bugzilla.suse.com/show_bug.cgi?id=928131
• https://bugzilla.suse.com/show_bug.cgi?id=943380
• https://bugzilla.suse.com/show_bug.cgi?id=946148
• https://bugzilla.suse.com/show_bug.cgi?id=952539
• https://bugzilla.suse.com/show_bug.cgi?id=956631