Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-announce

From: glsamaker@g.o
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202209-12 ] GRUB: Multiple Vulnerabilities
Date: Sun, 25 Sep 2022 13:48:25
Message-Id: 166411293515.9.2662004947160746435@90bb6a0775af
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202209-12
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: High
8 Title: GRUB: Multiple Vulnerabilities
9 Date: September 25, 2022
10 Bugs: #850535, #835082
11 ID: 202209-12
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been discovered in GRUB, the worst of
19 which may allow for secureboot bypass.
20
21 Background
22 ==========
23
24 GNU GRUB is a multiboot boot loader used by most Linux systems.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 sys-boot/grub < 2.06 >= 2.06
33
34 Description
35 ===========
36
37 Multiple vulnerabilities have been discovered in GRUB. Please review the
38 CVE identifiers referenced below for details.
39
40 Impact
41 ======
42
43 Please review the referenced CVE identifiers for details.
44
45 Workaround
46 ==========
47
48 There is no known workaround at this time.
49
50 Resolution
51 ==========
52
53 All GRUB users should upgrade to the latest version:
54
55 # emerge --sync
56 # emerge --ask --oneshot --verbose ">=sys-boot/grub-2.06-r3"
57
58 After upgrading, make sure to run the grub-install command with options
59 appropriate for your system. See the GRUB2 Gentoo Wiki page for
60 directions. Your system will be vulnerable until this action is
61 performed.
62
63 References
64 ==========
65
66 [ 1 ] CVE-2021-3695
67 https://nvd.nist.gov/vuln/detail/CVE-2021-3695
68 [ 2 ] CVE-2021-3696
69 https://nvd.nist.gov/vuln/detail/CVE-2021-3696
70 [ 3 ] CVE-2021-3697
71 https://nvd.nist.gov/vuln/detail/CVE-2021-3697
72 [ 4 ] CVE-2021-3981
73 https://nvd.nist.gov/vuln/detail/CVE-2021-3981
74 [ 5 ] CVE-2022-28733
75 https://nvd.nist.gov/vuln/detail/CVE-2022-28733
76 [ 6 ] CVE-2022-28734
77 https://nvd.nist.gov/vuln/detail/CVE-2022-28734
78 [ 7 ] CVE-2022-28735
79 https://nvd.nist.gov/vuln/detail/CVE-2022-28735
80 [ 8 ] CVE-2022-28736
81 https://nvd.nist.gov/vuln/detail/CVE-2022-28736
82 [ 9 ] CVE-2022-28737
83 https://nvd.nist.gov/vuln/detail/CVE-2022-28737
84
85 Availability
86 ============
87
88 This GLSA and any updates to it are available for viewing at
89 the Gentoo Security Website:
90
91 https://security.gentoo.org/glsa/202209-12
92
93 Concerns?
94 =========
95
96 Security is a primary focus of Gentoo Linux and ensuring the
97 confidentiality and security of our users' machines is of utmost
98 importance to us. Any security concerns should be addressed to
99 security@g.o or alternatively, you may file a bug at
100 https://bugs.gentoo.org.
101
102 License
103 =======
104
105 Copyright 2022 Gentoo Foundation, Inc; referenced text
106 belongs to its owner(s).
107
108 The contents of this document are licensed under the
109 Creative Commons - Attribution / Share Alike license.
110
111 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature
Report Message
Find on MARC Find on Google Groups