Early Access — Mondoo Vulnerability Intelligence is currently in preview.

SUSE-SU-2022:2037-1

UNKNOWN

Security update for grub2

Published Jun 10, 2022

Modified 3 years ago

Fix available

Details

This update for grub2 fixes the following issues:

Security fixes and hardenings for boothole 3 / boothole 2022 (bsc#1198581)

CVE-2021-3695: Fixed that a crafted PNG grayscale image could lead to out-of-bounds write in heap (bsc#1191184)
CVE-2021-3696: Fixed that a crafted PNG image could lead to out-of-bound write during huffman table handling (bsc#1191185)
CVE-2021-3697: Fixed that a crafted JPEG image could lead to buffer underflow write in the heap (bsc#1191186)
CVE-2022-28733: Fixed fragmentation math in net/ip (bsc#1198460)
CVE-2022-28734: Fixed an out-of-bound write for split http headers (bsc#1198493)
CVE-2022-28736: Fixed a use-after-free in chainloader command (bsc#1198496)
Update SBAT security contact (bsc#1193282)
Bump grub's SBAT generation to 2
Use boot disks in OpenFirmware, fixing regression caused when the root LV is completely in the boot LUN (bsc#1197948)

Affected Packages

SUSE:HPE Helion OpenStack 8grub2

Fixed in:

2.02-137.2

SUSE:HPE Helion OpenStack 8grub2-i386-pc

Fixed in:

2.02-137.2

SUSE:HPE Helion OpenStack 8grub2-snapper-plugin

Fixed in:

2.02-137.2

SUSE:HPE Helion OpenStack 8grub2-systemd-sleep-plugin

Fixed in:

2.02-137.2

SUSE:HPE Helion OpenStack 8grub2-x86_64-efi

Fixed in:

2.02-137.2

SUSE:HPE Helion OpenStack 8grub2-x86_64-xen

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-BCLgrub2

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-BCLgrub2-i386-pc

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-BCLgrub2-snapper-plugin

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-BCLgrub2-systemd-sleep-plugin

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-BCLgrub2-x86_64-efi

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-BCLgrub2-x86_64-xen

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-arm64-efi

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-i386-pc

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-powerpc-ieee1275

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-s390x-emu

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-snapper-plugin

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-systemd-sleep-plugin

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-x86_64-efi

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server 12 SP3-LTSSgrub2-x86_64-xen

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server for SAP Applications 12 SP3grub2

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server for SAP Applications 12 SP3grub2-i386-pc

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server for SAP Applications 12 SP3grub2-powerpc-ieee1275

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server for SAP Applications 12 SP3grub2-snapper-plugin

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server for SAP Applications 12 SP3grub2-systemd-sleep-plugin

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server for SAP Applications 12 SP3grub2-x86_64-efi

Fixed in:

2.02-137.2

SUSE:Linux Enterprise Server for SAP Applications 12 SP3grub2-x86_64-xen

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud 8grub2

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud 8grub2-i386-pc

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud 8grub2-snapper-plugin

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud 8grub2-systemd-sleep-plugin

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud 8grub2-x86_64-efi

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud 8grub2-x86_64-xen

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud Crowbar 8grub2

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud Crowbar 8grub2-i386-pc

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud Crowbar 8grub2-snapper-plugin

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud Crowbar 8grub2-systemd-sleep-plugin

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud Crowbar 8grub2-x86_64-efi

Fixed in:

2.02-137.2

SUSE:OpenStack Cloud Crowbar 8grub2-x86_64-xen

Fixed in:

2.02-137.2

References

REPORThttps://bugzilla.suse.com/1191184 REPORThttps://bugzilla.suse.com/1191185 REPORThttps://bugzilla.suse.com/1191186 REPORThttps://bugzilla.suse.com/1193282 REPORThttps://bugzilla.suse.com/1197948 REPORThttps://bugzilla.suse.com/1198460 REPORThttps://bugzilla.suse.com/1198493 REPORThttps://bugzilla.suse.com/1198496 REPORThttps://bugzilla.suse.com/1198581 WEBhttps://www.suse.com/security/cve/CVE-2021-3695 WEBhttps://www.suse.com/security/cve/CVE-2021-3696 WEBhttps://www.suse.com/security/cve/CVE-2021-3697 WEBhttps://www.suse.com/security/cve/CVE-2022-28733 WEBhttps://www.suse.com/security/cve/CVE-2022-28734 WEBhttps://www.suse.com/security/cve/CVE-2022-28736 ADVISORYhttps://www.suse.com/support/update/announcement/2022/suse-su-20222037-1/

Upstream

CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2022-28733 CVE-2022-28734 CVE-2022-28736

Related

CVE-2021-3695 CVE-2021-3696 CVE-2021-3697 CVE-2022-28733 CVE-2022-28734 CVE-2022-28736

Ecosystems

SUSE HPE Helion OpenStack 8 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8

Timeline

PublishedJun 10, 2022

ModifiedJun 10, 2022

SUSE-SU-2022:2037-1 | Mondoo Vulnerability Intelligence