Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-40547: shim: trusting http headers | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Tseng <dennis.tseng> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P2 - High | CC: | antonio.gemelli, brad.bendily, brendon.caligari, davide.benini, davide.puggioni, dennis.tseng, deshun.wang, emiliano.langella, jlee, jochen.roeder, jsegitz, manohar.muvva, meissner, sreejith.kumar, stefan.kunze, stoyan.manolov, teckleong.yeap |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/377589/ | | |
| See Also: | https://bugzilla.suse.com/show_bug.cgi?id=1221584 | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2023-40547:7.1:(AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1221584 | | |
| Attachments: | original committed file from keybase; CVE-2023-40547 codes from keybase | | |

Comment 3
Marcus Meissner
2023-12-06 10:02:21 UTC
Created attachment 871501
CVE-2023-40547 codes from keybase
Embargo end was shifted again: CRD: 2024-01-23

shim-15.8 update has been submitted to Factory for reviewing. Please refer to https://build.opensuse.org/request/show/1142576

It looks like the maintenance request for this bug has been denied again. And we have received a customer request for a fix of the issue CVE-2023-40547. Do we have an idea how long it will take for the fix to be released?

Adding here another customer with the same issue: Tata Communications Ltd, Case Number - 01241843
Kind Regards, Sreejith.

An update for Shim[1] was released today, but these bugs/CVEs are not mentioned. Are these included in the release?
[1] https://lists.suse.com/pipermail/sle-updates/2024-February/034449.html

(In reply to Brad Bendily from comment #23)
> An update for Shim[1] was released today, but these bugs/CVEs are not
> mentioned.
> Are these included in the release?
>
> [1] https://lists.suse.com/pipermail/sle-updates/2024-February/034449.html

My bad. I just realized this release is only for SLES12, not SLES15. But also, even though it says released (shim-15.7-25.24.1) today, we already have shim-15.7-25.27.1.

Customer AMADEUS DATA PROCESSING GMBH is asking for a timeline. ref:_00D1igLOd._500Tr8Bl3s:ref

Is there a rough estimate now?

We are in the "external community review" stage, which is not under our control. We have some commitment from them to look at our shims "soon", but it is not clear what this will mean.

The shim review has been accepted; the next step should be getting it signed by Microsoft.

To better know where we are in this process, is there any place where we track it, so that we can check the progress?

We got the signature from MS, integrated it into our packages, and submitted for QA.

The shim update is now in QA for SLES 15 SP3 LTSS, 15 SP4 LTSS, 15 SP5. Older distros will get it after release of the above.

SUSE-SU-2024:1368-1: An update that solves seven vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (important)
Bug References: 1198101, 1205588, 1205855, 1210382, 1213945, 1215098, 1215099, 1215100, 1215101, 1215102, 1215103, 1219460
CVE References: CVE-2022-28737, CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551
Jira References: PED-922
Maintenance Incident: [SUSE:Maintenance:32617](https://smelt.suse.de/incident/32617/)
Sources used:
openSUSE Leap 15.3 (src): shim-15.8-150300.4.20.2, efitools-1.9.2-150300.7.3.1
openSUSE Leap Micro 5.3 (src): shim-15.8-150300.4.20.2
openSUSE Leap Micro 5.4 (src): shim-15.8-150300.4.20.2
openSUSE Leap 15.5 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro 5.3 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro 5.4 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro 5.5 (src): shim-15.8-150300.4.20.2
Basesystem Module 15-SP5 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): shim-15.8-150300.4.20.2
SUSE Manager Proxy 4.3 (src): shim-15.8-150300.4.20.2
SUSE Manager Retail Branch Server 4.3 (src): shim-15.8-150300.4.20.2
SUSE Manager Server 4.3 (src): shim-15.8-150300.4.20.2
SUSE Enterprise Storage 7.1 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro 5.1 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro 5.2 (src): shim-15.8-150300.4.20.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): shim-15.8-150300.4.20.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Adding here another customer with the same issue, requesting a patch for SLES 15 SP2 for SAP. Case No: 01525892. Thanks for understanding.

Updates for 15-SP2 are in the QA queue now.

SUSE-SU-2024:1462-1: An update that solves seven vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (important)
Bug References: 1198101, 1205588, 1205855, 1210382, 1213945, 1215098, 1215099, 1215100, 1215101, 1215102, 1215103, 1219460
CVE References: CVE-2022-28737, CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551
Jira References: PED-922
Maintenance Incident: [SUSE:Maintenance:33581](https://smelt.suse.de/incident/33581/)
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): shim-15.8-25.30.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): shim-15.8-25.30.1
SUSE Linux Enterprise Server 12 SP5 (src): shim-15.8-25.30.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1461-1: An update that solves seven vulnerabilities, contains one feature and has five security fixes can now be installed.
Category: security (important)
Bug References: 1198101, 1205588, 1205855, 1210382, 1213945, 1215098, 1215099, 1215100, 1215101, 1215102, 1215103, 1219460
CVE References: CVE-2022-28737, CVE-2023-40546, CVE-2023-40547, CVE-2023-40548, CVE-2023-40549, CVE-2023-40550, CVE-2023-40551
Jira References: PED-922
Maintenance Incident: [SUSE:Maintenance:33579](https://smelt.suse.de/incident/33579/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): shim-15.8-150100.3.38.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): shim-15.8-150100.3.38.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): shim-15.8-150100.3.38.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.