SUSE-SU-2025:01961-1: important: Security update for grub2
SLE-SECURITY-UPDATES
null at suse.de
Mon Jun 16 12:30:28 UTC 2025
# Security update for grub2
Announcement ID: SUSE-SU-2025:01961-1
Release Date: 2025-06-16T10:03:23Z
Rating: important
References:
* bsc#1215935
* bsc#1215936
* bsc#1233606
* bsc#1233608
* bsc#1233609
* bsc#1233610
* bsc#1233612
* bsc#1233613
* bsc#1233614
* bsc#1233615
* bsc#1233616
* bsc#1233617
* bsc#1234958
* bsc#1236316
* bsc#1236317
* bsc#1237002
* bsc#1237006
* bsc#1237008
* bsc#1237009
* bsc#1237010
* bsc#1237011
* bsc#1237012
* bsc#1237013
* bsc#1237014
Cross-References:
* CVE-2023-4692
* CVE-2023-4693
* CVE-2024-45774
* CVE-2024-45775
* CVE-2024-45776
* CVE-2024-45777
* CVE-2024-45778
* CVE-2024-45779
* CVE-2024-45780
* CVE-2024-45781
* CVE-2024-45782
* CVE-2024-45783
* CVE-2024-56737
* CVE-2025-0622
* CVE-2025-0624
* CVE-2025-0677
* CVE-2025-0678
* CVE-2025-0684
* CVE-2025-0685
* CVE-2025-0686
* CVE-2025-0689
* CVE-2025-0690
* CVE-2025-1118
* CVE-2025-1125
CVSS scores:
* CVE-2023-4692 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4692 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2023-4692 ( NVD ): 7.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2023-4693 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-4693 ( NVD ): 4.6 CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2023-4693 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
* CVE-2024-45774 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45774 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45775 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45775 ( NVD ): 5.2 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H
* CVE-2024-45776 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45776 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45777 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45777 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45778 ( SUSE ): 3.9 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
* CVE-2024-45778 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45778 ( NVD ): 4.1 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-45779 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45779 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2024-45779 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
* CVE-2024-45780 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45780 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45781 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45781 ( NVD ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45782 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45782 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45782 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45783 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2024-45783 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
* CVE-2024-56737 ( SUSE ): 8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
* CVE-2024-56737 ( SUSE ): 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2024-56737 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-0622 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0622 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0624 ( SUSE ): 7.6 CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2025-0624 ( NVD ): 7.6 CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
* CVE-2025-0677 ( SUSE ): 8.9
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-0677 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0677 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0678 ( SUSE ): 8.9
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-0678 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0678 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0678 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0684 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0684 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0685 ( SUSE ): 8.9
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-0685 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0685 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0686 ( SUSE ): 8.9
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-0686 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0686 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0689 ( SUSE ): 8.9
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-0689 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0689 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-0690 ( SUSE ): 7.3
CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-0690 ( SUSE ): 6.1 CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-0690 ( NVD ): 6.1 CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
* CVE-2025-1118 ( SUSE ): 6.7
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2025-1118 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-1118 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
* CVE-2025-1125 ( SUSE ): 8.7
CVSS:4.0/AV:L/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
* CVE-2025-1125 ( SUSE ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
* CVE-2025-1125 ( NVD ): 6.4 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
* SUSE Linux Enterprise Micro 5.1
An update that solves 24 vulnerabilities can now be installed.
## Description:
This update for grub2 fixes the following issues:
* CVE-2023-4692: nfs: out-of-bounds write at fs/ntfs.c may lead to unsigned
code execution (bsc#1215935).
* CVE-2023-4693: nfs: out-of-bounds read at fs/ntfs.c (bsc#1215936).
* CVE-2024-45774: heap overflows in JPEG parser (bsc#1233609).
* CVE-2024-45775: missing NULL check in extcmd parser (bsc#1233610).
* CVE-2024-45776: overflow in .MO file (gettext) handling (bsc#1233612).
* CVE-2024-45777: integer overflow in gettext (bsc#1233613).
* CVE-2024-45778: bfs filesystem not fuzzing stable (bsc#1233606).
* CVE-2024-45779: bfs: heap overflow (bsc#1233608).
* CVE-2024-45780: overflow in tar/cpio (bsc#1233614).
* CVE-2024-45781: ufs: strcpy overflow (bsc#1233617).
* CVE-2024-45782: hfs: strcpy overflow (bsc#1233615).
* CVE-2024-45783: hfsplus: refcount overflow (bsc#1233616).
* CVE-2024-56737: heap-based buffer overflow in fs/hfs.c via crafted sblock
data in an HFS filesystem (bsc#1234958).
* CVE-2025-0622: command/gpg: Use-after-free due to hooks not being removed on
module unload (bsc#1236317).
* CVE-2025-0624: net: Out-of-bounds write in grub_net_search_config_file()
(bsc#1236316).
* CVE-2025-0677: ufs: Integer overflow may lead to heap based out-of-bounds
write when handling symlinks (bsc#1237002).
* CVE-2025-0678: squash4: Integer overflow may lead to heap based out-of-
bounds write when reading data (bsc#1237006).
* CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may lead to
heap based out-of-bounds write when reading data (bsc#1237008).
* CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to heap
based out-of-bounds write when reading data (bsc#1237009).
* CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead to
heap based out-of-bounds write when reading data (bsc#1237010).
* CVE-2025-0689: udf: Heap based buffer overflow in grub_udf_read_block() may
lead to arbitrary code execution (bsc#1237011).
* CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write
(bsc#1237012).
* CVE-2025-1118: commands/dump: The dump command is not in lockdown when
secure boot is enabled (bsc#1237013).
* CVE-2025-1125: fs/hfs: Interger overflow may lead to heap based out-of-
bounds write (bsc#1237014).
Other bugfixes:
* Bump upstream SBAT generation to 5
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Micro 5.1
zypper in -t patch SUSE-SUSE-MicroOS-5.1-2025-1961=1
## Package List:
* SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
* grub2-debugsource-2.04-150300.3.11.1
* grub2-debuginfo-2.04-150300.3.11.1
* grub2-2.04-150300.3.11.1
* SUSE Linux Enterprise Micro 5.1 (noarch)
* grub2-x86_64-xen-2.04-150300.3.11.1
* grub2-i386-pc-2.04-150300.3.11.1
* grub2-arm64-efi-2.04-150300.3.11.1
* grub2-x86_64-efi-2.04-150300.3.11.1
* grub2-snapper-plugin-2.04-150300.3.11.1
* SUSE Linux Enterprise Micro 5.1 (s390x)
* grub2-s390x-emu-2.04-150300.3.11.1
## References:
* https://www.suse.com/security/cve/CVE-2023-4692.html
* https://www.suse.com/security/cve/CVE-2023-4693.html
* https://www.suse.com/security/cve/CVE-2024-45774.html
* https://www.suse.com/security/cve/CVE-2024-45775.html
* https://www.suse.com/security/cve/CVE-2024-45776.html
* https://www.suse.com/security/cve/CVE-2024-45777.html
* https://www.suse.com/security/cve/CVE-2024-45778.html
* https://www.suse.com/security/cve/CVE-2024-45779.html
* https://www.suse.com/security/cve/CVE-2024-45780.html
* https://www.suse.com/security/cve/CVE-2024-45781.html
* https://www.suse.com/security/cve/CVE-2024-45782.html
* https://www.suse.com/security/cve/CVE-2024-45783.html
* https://www.suse.com/security/cve/CVE-2024-56737.html
* https://www.suse.com/security/cve/CVE-2025-0622.html
* https://www.suse.com/security/cve/CVE-2025-0624.html
* https://www.suse.com/security/cve/CVE-2025-0677.html
* https://www.suse.com/security/cve/CVE-2025-0678.html
* https://www.suse.com/security/cve/CVE-2025-0684.html
* https://www.suse.com/security/cve/CVE-2025-0685.html
* https://www.suse.com/security/cve/CVE-2025-0686.html
* https://www.suse.com/security/cve/CVE-2025-0689.html
* https://www.suse.com/security/cve/CVE-2025-0690.html
* https://www.suse.com/security/cve/CVE-2025-1118.html
* https://www.suse.com/security/cve/CVE-2025-1125.html
* https://bugzilla.suse.com/show_bug.cgi?id=1215935
* https://bugzilla.suse.com/show_bug.cgi?id=1215936
* https://bugzilla.suse.com/show_bug.cgi?id=1233606
* https://bugzilla.suse.com/show_bug.cgi?id=1233608
* https://bugzilla.suse.com/show_bug.cgi?id=1233609
* https://bugzilla.suse.com/show_bug.cgi?id=1233610
* https://bugzilla.suse.com/show_bug.cgi?id=1233612
* https://bugzilla.suse.com/show_bug.cgi?id=1233613
* https://bugzilla.suse.com/show_bug.cgi?id=1233614
* https://bugzilla.suse.com/show_bug.cgi?id=1233615
* https://bugzilla.suse.com/show_bug.cgi?id=1233616
* https://bugzilla.suse.com/show_bug.cgi?id=1233617
* https://bugzilla.suse.com/show_bug.cgi?id=1234958
* https://bugzilla.suse.com/show_bug.cgi?id=1236316
* https://bugzilla.suse.com/show_bug.cgi?id=1236317
* https://bugzilla.suse.com/show_bug.cgi?id=1237002
* https://bugzilla.suse.com/show_bug.cgi?id=1237006
* https://bugzilla.suse.com/show_bug.cgi?id=1237008
* https://bugzilla.suse.com/show_bug.cgi?id=1237009
* https://bugzilla.suse.com/show_bug.cgi?id=1237010
* https://bugzilla.suse.com/show_bug.cgi?id=1237011
* https://bugzilla.suse.com/show_bug.cgi?id=1237012
* https://bugzilla.suse.com/show_bug.cgi?id=1237013
* https://bugzilla.suse.com/show_bug.cgi?id=1237014
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20250616/fb15b9cf/attachment.htm>
More information about the sle-security-updates
mailing list