Security update for dracut SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:0951-1 Final 1 1 2017-04-06T07:31:33Z current 2017-04-06T07:31:33Z 2017-04-06T07:31:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for dracut This update for dracut fixes the following issues: Security issues fixed: - CVE-2016-8637: When the early microcode loading was enabled during initrd creation, the initrd would be read-only available for all users, allowing local users to retrieve secrets stored in the initial ramdisk. (bsc#1008340) Non security issues fixed: - Remove zlib module as requirement. (bsc#1020063) - Unlimit TaskMax for xfs_repair in emergency shell. (bsc#1019938) - Resolve symbolic links for -i and -k parameters. (bsc#902375) - Enhance purge-kernels script to handle kgraft patches. (bsc#1017141) - Allow booting from degraded MD arrays with systemd. (bsc#1017695) - Allow booting on s390x with fips=1 on the kernel command line. (bnc#1021687) - Start multipath services before local-fs-pre.target. (bsc#1005410, bsc#1006118, bsc#1007925) - Fix /sbin/installkernel to handle kernel packages built with 'make bin-rpmpkg'. (bsc#1008648) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-OpenStack-Cloud-Magnum-Orchestration-7-2017-547,SUSE-SLE-DESKTOP-12-SP2-2017-547,SUSE-SLE-RPI-12-SP2-2017-547,SUSE-SLE-SERVER-12-SP2-2017-547 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20170951-1/ Link for SUSE-SU-2017:0951-1 https://lists.suse.com/pipermail/sle-security-updates/2017-April/002788.html E-Mail link for SUSE-SU-2017:0951-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1005410 SUSE Bug 1005410 https://bugzilla.suse.com/1006118 SUSE Bug 1006118 https://bugzilla.suse.com/1007925 SUSE Bug 1007925 https://bugzilla.suse.com/1008340 SUSE Bug 1008340 https://bugzilla.suse.com/1008648 SUSE Bug 1008648 https://bugzilla.suse.com/1017141 SUSE Bug 1017141 https://bugzilla.suse.com/1017695 SUSE Bug 1017695 https://bugzilla.suse.com/1019938 SUSE Bug 1019938 https://bugzilla.suse.com/1020063 SUSE Bug 1020063 https://bugzilla.suse.com/1021687 SUSE Bug 1021687 https://bugzilla.suse.com/902375 SUSE Bug 902375 https://www.suse.com/security/cve/CVE-2016-8637/ SUSE CVE CVE-2016-8637 page SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 dracut-044-108.1 dracut-fips-044-108.1 dracut-044-108.1 as a component of SUSE Linux Enterprise Desktop 12 SP2 dracut-044-108.1 as a component of SUSE Linux Enterprise Server 12 SP2 dracut-fips-044-108.1 as a component of SUSE Linux Enterprise Server 12 SP2 dracut-044-108.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 dracut-fips-044-108.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 dracut-044-108.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 dracut-fips-044-108.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates. Local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials. CVE-2016-8637 SUSE Linux Enterprise Desktop 12 SP2:dracut-044-108.1 SUSE Linux Enterprise Server 12 SP2:dracut-044-108.1 SUSE Linux Enterprise Server 12 SP2:dracut-fips-044-108.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:dracut-044-108.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:dracut-fips-044-108.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:dracut-044-108.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:dracut-fips-044-108.1 low 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20170951-1/ https://www.suse.com/security/cve/CVE-2016-8637.html CVE-2016-8637 https://bugzilla.suse.com/1008340 SUSE Bug 1008340