emacs-bug-tracker

bug#47185: closed (grub2 package is vulnerable to CVE-2020-14372, CVE-20


From: GNU bug Tracking System
Subject: bug#47185: closed (grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418)
Date: Wed, 23 Mar 2022 03:33:02 +0000

Your message dated Tue, 22 Mar 2022 23:32:50 -0400
with message-id <87r16txs0t.fsf@gmail.com>
and subject line Re: bug#47185: grub2 package is vulnerable to CVE-2020-14372, 
CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, 
CVE-2021-20233 and CVE-2021-3418
has caused the debbugs.gnu.org bug report #47185,
regarding grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, 
CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 
and CVE-2021-3418
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
47185: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47185
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
Date: Tue, 16 Mar 2021 09:08:31 +0100
User-agent: Evolution 3.34.2

As outlined by 
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass2021
we have a new wave of GRUB security vulnerabilities around SecureBoot.

There is no new upstream release so patching this appears to be some
kind of sport.

Debian has patched it in this commit: 
https://salsa.debian.org/grub-team/grub/-/commit/37c2a594625efba8b7f10d18a444393982d2e31f

I see also there's a new concept of SBAT section to ease administrative
efforts around certificate revocation when signed binaries such as some
GRUB2 things become vulnerable (and we don't want them to verify
successfully anymore).

This looks like a sizeable upgrade to a sensitive part of GNU Guix, so
we have to test carefully.

Attachment: signature.asc
Description: This is a digitally signed message part


--- End Message ---
--- Begin Message ---
Subject: Re: bug#47185: grub2 package is vulnerable to CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233 and CVE-2021-3418
Date: Tue, 22 Mar 2022 23:32:50 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hello,

I'm closing this, since we're now using GRUB 2.06, released in June of
last year.

Thank you,

Maxim


--- End Message ---
