SUSE alert SUSE-SU-2025:20863-1 (grub2)
| From: | SLE-SECURITY-UPDATES <null@suse.de> | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2025:20863-1: important: Security update for grub2 | |
| Date: | Fri, 24 Oct 2025 20:30:32 -0000 | |
| Message-ID: | <176133783207.31037.12390438579331774368@smelt2.prg2.suse.org> |
# Security update for grub2 Announcement ID: SUSE-SU-2025:20863-1 Release Date: 2025-10-17T12:05:21Z Rating: important References: * bsc#1229163 * bsc#1229164 * bsc#1230840 * bsc#1231591 * bsc#1232411 * bsc#1233606 * bsc#1233608 * bsc#1233609 * bsc#1233610 * bsc#1233612 * bsc#1233613 * bsc#1233614 * bsc#1233615 * bsc#1233616 * bsc#1233617 * bsc#1234958 * bsc#1234959 * bsc#1236316 * bsc#1236317 * bsc#1237002 * bsc#1237006 * bsc#1237008 * bsc#1237009 * bsc#1237010 * bsc#1237011 * bsc#1237012 * bsc#1237013 * bsc#1237014 * bsc#1242971 * bsc#1247242 * bsc#1249140 Cross-References: * CVE-2024-45774 * CVE-2024-45775 * CVE-2024-45776 * CVE-2024-45777 * CVE-2024-45778 * CVE-2024-45779 * CVE-2024-45780 * CVE-2024-45781 * CVE-2024-45782 * CVE-2024-45783 * CVE-2024-49504 * CVE-2024-56737 * CVE-2024-56738 * CVE-2025-0622 * CVE-2025-0624 * CVE-2025-0677 * CVE-2025-0678 * CVE-2025-0684 * CVE-2025-0685 * CVE-2025-0686 * CVE-2025-0689 * CVE-2025-0690 * CVE-2025-1118 * CVE-2025-1125 * CVE-2025-4382 CVSS scores: * CVE-2024-45774 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45774 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45775 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45775 ( NVD ): 5.2 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H * CVE-2024-45776 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45776 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45777 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45777 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45778 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L * CVE-2024-45778 ( NVD ): 4.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H * CVE-2024-45778 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2024-45779 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45779 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H * CVE-2024-45779 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H * CVE-2024-45780 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45780 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45781 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45781 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45782 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45782 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45782 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45783 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2024-45783 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H * CVE-2024-49504 ( SUSE ): 6.9 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2024-49504 ( SUSE ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2024-49504 ( NVD ): 7.0 CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2024-56737 ( SUSE ): 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N * CVE-2024-56737 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2024-56737 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2024-56738 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2024-56738 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N * CVE-2024-56738 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2025-0622 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0622 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0624 ( SUSE ): 7.6 CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H * CVE-2025-0624 ( NVD ): 7.6 CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H * CVE-2025-0677 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-0677 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0677 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0678 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-0678 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0678 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0678 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0684 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0684 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0684 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0685 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-0685 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0685 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0685 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0686 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-0686 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0686 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0686 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0689 ( SUSE ): 8.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-0689 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-0689 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H * CVE-2025-0689 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2025-0690 ( SUSE ): 7.3 CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-0690 ( SUSE ): 6.1 CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H * CVE-2025-0690 ( NVD ): 6.1 CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H * CVE-2025-1118 ( SUSE ): 6.7 CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2025-1118 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N * CVE-2025-1118 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N * CVE-2025-1125 ( SUSE ): 8.7 CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H * CVE-2025-1125 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H * CVE-2025-1125 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H * CVE-2025-1125 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H * CVE-2025-4382 ( SUSE ): 8.4 CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N * CVE-2025-4382 ( SUSE ): 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N * CVE-2025-4382 ( NVD ): 5.9 CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Affected Products: * SUSE Linux Micro 6.1 An update that solves 25 vulnerabilities and has six fixes can now be installed. ## Description: This update for grub2 fixes the following issues: * Fix error: /boot/grub2/x86_64-efi/bli.mod not found (bsc#1231591) * Fix OOM error in loading loopback file (bsc#1230840) (bsc#1249140) * Update the patch to fix "SRK not matched" errors when unsealing the key (bsc#1232411) (bsc#1247242) Security fixes for 2024: * Bump upstream SBAT generation to 5 * CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609) * CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610) * CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612) * CVE-2024-45777: Fixed integer overflow in gettext (bsc#1233613) * CVE-2024-45778: Fixed bfs filesystem not fuzzing stable (bsc#1233606) * CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608) * CVE-2024-45780: Fixed overflow in tar/cpio (bsc#1233614) * CVE-2024-45781: Fixed ufs strcpy overflow(bsc#1233617) * CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615) * CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616) * CVE-2024-49504: Fixed bypassing TPM-bound disk encryption on SL(E)M encrypted Images (bsc#1229163) (bsc#1229164) * CVE-2024-56737: Fixed heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem (bsc#1234958) * CVE-2024-56738: Fixed side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959) * CVE-2025-0622: Fixed command/gpg use-after-free due to hooks not being removed on module unload (bsc#1236317) * CVE-2025-0624: Fixed net Out-of-bounds write in grub_net_search_config_file() (bsc#1236316) * CVE-2025-0677: Fixed UFS integer overflow may lead to heap based out-of- bounds write when handling symlinks (bsc#1237002) * CVE-2025-0678: Fixed squash4 Integer overflow may lead to heap based out-of- bounds write when reading data (bsc#1237006) * CVE-2025-0684: Fixed reiserfs Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237008) * CVE-2025-0685: Fixed jfs Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237009) * CVE-2025-0686: Fixed romfs Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data (bsc#1237010) * CVE-2025-0689: Fixed udf heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011) * CVE-2025-0690: Fixed "read" integer overflow may lead to out-of-bounds write (bsc#1237012) * CVE-2025-1118: Fixed commands/dump The dump command is not in lockdown when secure boot is enabled (bsc#1237013) * CVE-2025-1125: Fixed fs/hfs interger overflow may lead to heap based out-of- bounds write (bsc#1237014) * CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971) * Restrict CLI access if the encrypted root device is automatically unlocked by the TPM. LUKS password authentication is required for access to be granted ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.1 zypper in -t patch SUSE-SLE-Micro-6.1-308=1 ## Package List: * SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64) * grub2-2.12-slfo.1.1_2.1 * grub2-debuginfo-2.12-slfo.1.1_2.1 * SUSE Linux Micro 6.1 (noarch) * grub2-x86_64-efi-2.12-slfo.1.1_2.1 * grub2-i386-pc-2.12-slfo.1.1_2.1 * grub2-powerpc-ieee1275-2.12-slfo.1.1_2.1 * grub2-arm64-efi-2.12-slfo.1.1_2.1 * grub2-x86_64-xen-2.12-slfo.1.1_2.1 * grub2-snapper-plugin-2.12-slfo.1.1_2.1 * SUSE Linux Micro 6.1 (aarch64 s390x x86_64) * grub2-debugsource-2.12-slfo.1.1_2.1 * SUSE Linux Micro 6.1 (s390x) * grub2-s390x-emu-2.12-slfo.1.1_2.1 ## References: * https://www.suse.com/security/cve/CVE-2024-45774.html * https://www.suse.com/security/cve/CVE-2024-45775.html * https://www.suse.com/security/cve/CVE-2024-45776.html * https://www.suse.com/security/cve/CVE-2024-45777.html * https://www.suse.com/security/cve/CVE-2024-45778.html * https://www.suse.com/security/cve/CVE-2024-45779.html * https://www.suse.com/security/cve/CVE-2024-45780.html * https://www.suse.com/security/cve/CVE-2024-45781.html * https://www.suse.com/security/cve/CVE-2024-45782.html * https://www.suse.com/security/cve/CVE-2024-45783.html * https://www.suse.com/security/cve/CVE-2024-49504.html * https://www.suse.com/security/cve/CVE-2024-56737.html * https://www.suse.com/security/cve/CVE-2024-56738.html * https://www.suse.com/security/cve/CVE-2025-0622.html * https://www.suse.com/security/cve/CVE-2025-0624.html * https://www.suse.com/security/cve/CVE-2025-0677.html * https://www.suse.com/security/cve/CVE-2025-0678.html * https://www.suse.com/security/cve/CVE-2025-0684.html * https://www.suse.com/security/cve/CVE-2025-0685.html * https://www.suse.com/security/cve/CVE-2025-0686.html * https://www.suse.com/security/cve/CVE-2025-0689.html * https://www.suse.com/security/cve/CVE-2025-0690.html * https://www.suse.com/security/cve/CVE-2025-1118.html * https://www.suse.com/security/cve/CVE-2025-1125.html * https://www.suse.com/security/cve/CVE-2025-4382.html * https://bugzilla.suse.com/show_bug.cgi?id=1229163 * https://bugzilla.suse.com/show_bug.cgi?id=1229164 * https://bugzilla.suse.com/show_bug.cgi?id=1230840 * https://bugzilla.suse.com/show_bug.cgi?id=1231591 * https://bugzilla.suse.com/show_bug.cgi?id=1232411 * https://bugzilla.suse.com/show_bug.cgi?id=1233606 * https://bugzilla.suse.com/show_bug.cgi?id=1233608 * https://bugzilla.suse.com/show_bug.cgi?id=1233609 * https://bugzilla.suse.com/show_bug.cgi?id=1233610 * https://bugzilla.suse.com/show_bug.cgi?id=1233612 * https://bugzilla.suse.com/show_bug.cgi?id=1233613 * https://bugzilla.suse.com/show_bug.cgi?id=1233614 * https://bugzilla.suse.com/show_bug.cgi?id=1233615 * https://bugzilla.suse.com/show_bug.cgi?id=1233616 * https://bugzilla.suse.com/show_bug.cgi?id=1233617 * https://bugzilla.suse.com/show_bug.cgi?id=1234958 * https://bugzilla.suse.com/show_bug.cgi?id=1234959 * https://bugzilla.suse.com/show_bug.cgi?id=1236316 * https://bugzilla.suse.com/show_bug.cgi?id=1236317 * https://bugzilla.suse.com/show_bug.cgi?id=1237002 * https://bugzilla.suse.com/show_bug.cgi?id=1237006 * https://bugzilla.suse.com/show_bug.cgi?id=1237008 * https://bugzilla.suse.com/show_bug.cgi?id=1237009 * https://bugzilla.suse.com/show_bug.cgi?id=1237010 * https://bugzilla.suse.com/show_bug.cgi?id=1237011 * https://bugzilla.suse.com/show_bug.cgi?id=1237012 * https://bugzilla.suse.com/show_bug.cgi?id=1237013 * https://bugzilla.suse.com/show_bug.cgi?id=1237014 * https://bugzilla.suse.com/show_bug.cgi?id=1242971 * https://bugzilla.suse.com/show_bug.cgi?id=1247242 * https://bugzilla.suse.com/show_bug.cgi?id=1249140
Attachment: None (type=text/html)
(HTML attachment elided)