swtpm-0.7.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11870 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z swtpm-0.7.1-1.1 on GA media These are all security issues fixed in the swtpm-0.7.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11870 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11870 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-23645/ SUSE CVE CVE-2022-23645 page openSUSE Tumbleweed swtpm-0.7.1-1.1 swtpm-devel-0.7.1-1.1 swtpm-selinux-0.7.1-1.1 swtpm-0.7.1-1.1 as a component of openSUSE Tumbleweed swtpm-devel-0.7.1-1.1 as a component of openSUSE Tumbleweed swtpm-selinux-0.7.1-1.1 as a component of openSUSE Tumbleweed swtpm is a libtpms-based TPM emulator with socket, character device, and Linux CUSE interface. Versions prior to 0.5.3, 0.6.2, and 0.7.1 are vulnerable to out-of-bounds read. A specially crafted header of swtpm's state, where the blobheader's hdrsize indicator has an invalid value, may cause an out-of-bounds access when the byte array representing the state of the TPM is accessed. This will likely crash swtpm or prevent it from starting since the state cannot be understood. Users should upgrade to swtpm v0.5.3, v0.6.2, or v0.7.1 to receive a patch. There are currently no known workarounds. CVE-2022-23645 openSUSE Tumbleweed:swtpm-0.7.1-1.1 openSUSE Tumbleweed:swtpm-devel-0.7.1-1.1 openSUSE Tumbleweed:swtpm-selinux-0.7.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-23645.html CVE-2022-23645 https://bugzilla.suse.com/1196240 SUSE Bug 1196240