Security update for dracut SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0708-1 Final 1 1 2017-03-16T11:56:34Z current 2017-03-16T11:56:34Z 2017-03-16T11:56:34Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dracut This update for dracut fixes the following issues: Security issues fixed: - CVE-2016-8637: When the early microcode loading was enabled during initrd creation, the initrd would be read-only available for all users, allowing local users to retrieve secrets stored in the initial ramdisk. (bsc#1008340) Non security issues fixed: - Allow booting from degraded MD arrays with systemd. (bsc#1017695) - Start multipath services before local-fs-pre.target. (bsc#1005410, bsc#1006118, bsc#1007925, bsc#986734, bsc#986838) This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-03/msg00047.html E-Mail link for openSUSE-SU-2017:0708-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 dracut-037-80.1 dracut-fips-037-80.1 dracut-037-80.1 as a component of openSUSE Leap 42.1 dracut-fips-037-80.1 as a component of openSUSE Leap 42.1 A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates. Local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials. CVE-2016-8637 openSUSE Leap 42.1:dracut-037-80.1 openSUSE Leap 42.1:dracut-fips-037-80.1 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-03/msg00047.html https://www.suse.com/security/cve/CVE-2016-8637.html CVE-2016-8637 https://bugzilla.suse.com/1008340 SUSE Bug 1008340