Recommended update for shim SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2026:20004-1 Final 1 1 2025-12-30T16:20:45Z current 2025-12-30T16:20:45Z 2025-12-30T16:20:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for shim This update for shim fixes the following issues: This update for shim fixes the following issues: shim is updated to version 16.1: - shim_start_image(): fix guid/handle pairing when uninstalling protocols - Fix uncompressed ipv6 netboot - fix test segfaults caused by uninitialized memory - SbatLevel_Variable.txt: minor typo fix. - Realloc() needs to allocate one more byte for sprintf() - IPv6: Add more check to avoid multiple double colon and illegal char - Loader proto v2 - loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages - Generate Authenticode for the entire PE file - README: mention new loader protocol and interaction with UKIs - shim: change automatically enable MOK_POLICY_REQUIRE_NX - Save var info - add SbatLevel entry 2025051000 for PSA-2025-00012-1 - Coverity fixes 20250804 - fix http boot - Fix double free and leak in the loader protocol shim is updated to version 16.0: - Validate that a supplied vendor cert is not in PEM format - sbat: Add grub.peimage,2 to latest (CVE-2024-2312) - sbat: Also bump latest for grub,4 (and to todays date) - undo change that limits certificate files to a single file - shim: don't set second_stage to the empty string - Fix SBAT.md for today's consensus about numbers - Update Code of Conduct contact address - make-certs: Handle missing OpenSSL installation - Update MokVars.txt - export DEFINES for sub makefile - Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition - Null-terminate 'arguments' in fallback - Fix "Verifiying" typo in error message - Update Fedora CI targets - Force gcc to produce DWARF4 so that gdb can use it - Minor housekeeping 2024121700 - Discard load-options that start with WINDOWS - Fix the issue that the gBS->LoadImage pointer was empty. - shim: Allow data after the end of device path node in load options - Handle network file not found like disks - Update gnu-efi submodule for EFI_HTTP_ERROR - Increase EFI file alignment - avoid EFIv2 runtime services on Apple x86 machines - Improve shortcut performance when comparing two boolean expressions - Provide better error message when MokManager is not found - tpm: Boot with a warning if the event log is full - MokManager: remove redundant logical constraints - Test import_mok_state() when MokListRT would be bigger than available size - test-mok-mirror: minor bug fix - Fix file system browser hang when enrolling MOK from disk - Ignore a minor clang-tidy nit - Allow fallback to default loader when encountering errors on network boot - test.mk: don't use a temporary random.bin - pe: Enhance debug report for update_mem_attrs - Multiple certificate handling improvements - Generate SbatLevel Metadata from SbatLevel_Variable.txt - Apply EKU check with compile option - Add configuration option to boot an alternative 2nd stage - Loader protocol (with Device Path resolution support) - netboot cleanup for additional files - Document how revocations can be delivered - post-process-pe: add tests to validate NX compliance - regression: CopyMem() in ad8692e copies out of bounds - Save the debug and error logs in mok-variables - Add features for the Host Security ID program - Mirror some more efi variables to mok-variables - This adds DXE Services measurements to HSI and uses them for NX - Add shim's current NX_COMPAT status to HSIStatus - README.tpm: reflect that vendor_db is in fact logged as "vendor_db" - Reject HTTP message with duplicate Content-Length header fields - Disable log saving - fallback: don't add new boot order entries backwards - README.tpm: Update MokList entry to MokListRT - SBAT Level update for February 2025 GRUB CVEs The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-541 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement//suse-ru-202620004-1/ Link for SUSE-RU-2026:20004-1 https://lists.suse.com/pipermail/sle-updates/2026-January/043419.html E-Mail link for SUSE-RU-2026:20004-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1205588 SUSE Bug 1205588 https://bugzilla.suse.com/1247432 SUSE Bug 1247432 https://bugzilla.suse.com/1254336 SUSE Bug 1254336 https://bugzilla.suse.com/1254679 SUSE Bug 1254679 https://www.suse.com/security/cve/CVE-2024-2312/ SUSE CVE CVE-2024-2312 page SUSE Linux Micro 6.0 shim-16.1-1.1 shim-16.1-1.1 as a component of SUSE Linux Micro 6.0 GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass. CVE-2024-2312 SUSE Linux Micro 6.0:shim-16.1-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement//suse-ru-202620004-1/ https://www.suse.com/security/cve/CVE-2024-2312.html CVE-2024-2312 https://bugzilla.suse.com/1222868 SUSE Bug 1222868