Security update for dracut
SUSE Patch
security@suse.de
SUSE Security Team
openSUSE-SU-2017:1033-1
Final
1
1
2017-04-18T07:12:23Z
current
2017-04-18T07:12:23Z
2017-04-18T07:12:23Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for dracut
This update for dracut fixes the following issues:
Security issues fixed:
- CVE-2016-8637: When the early microcode loading was enabled during initrd creation, the initrd
would be read-only available for all users, allowing local users to retrieve secrets stored in
the initial ramdisk. (bsc#1008340)
Non security issues fixed:
- Remove zlib module as requirement. (bsc#1020063)
- Unlimit TaskMax for xfs_repair in emergency shell. (bsc#1019938)
- Resolve symbolic links for -i and -k parameters. (bsc#902375)
- Enhance purge-kernels script to handle kgraft patches. (bsc#1017141)
- Allow booting from degraded MD arrays with systemd. (bsc#1017695)
- Allow booting on s390x with fips=1 on the kernel command line. (bnc#1021687)
- Start multipath services before local-fs-pre.target. (bsc#1005410, bsc#1006118, bsc#1007925)
- Fix /sbin/installkernel to handle kernel packages built with 'make bin-rpmpkg'. (bsc#1008648)
This update was imported from the SUSE:SLE-12-SP2:Update update project.
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://lists.opensuse.org/opensuse-updates/2017-04/msg00060.html
E-Mail link for openSUSE-SU-2017:1033-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
openSUSE Leap 42.2
dracut-044-16.3.1
dracut-fips-044-16.3.1
dracut-tools-044-16.3.1
dracut-044-16.3.1 as a component of openSUSE Leap 42.2
dracut-fips-044-16.3.1 as a component of openSUSE Leap 42.2
dracut-tools-044-16.3.1 as a component of openSUSE Leap 42.2
A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates. Local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials.
CVE-2016-8637
openSUSE Leap 42.2:dracut-044-16.3.1
openSUSE Leap 42.2:dracut-fips-044-16.3.1
openSUSE Leap 42.2:dracut-tools-044-16.3.1
moderate
2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N
Please Install the update.
https://lists.opensuse.org/opensuse-updates/2017-04/msg00060.html
https://www.suse.com/security/cve/CVE-2016-8637.html
CVE-2016-8637
https://bugzilla.suse.com/1008340
SUSE Bug 1008340