Bug#1001057: grub2: hold 2.06 in unstable for now
Julian Andres Klode
jak at debian.org
Wed Jun 8 08:22:05 BST 2022
Control: retitle -1 grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded
On Fri, Dec 03, 2021 at 11:17:26AM +0000, Colin Watson wrote:
> Package: grub2
> Version: 2.06-2
> Severity: serious
> Justification: maintainer says so
>
> GRUB 2.06 is a pretty big change over 2.04. I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.
Now that it's public, we can say that here's the real reason for this:
CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules being loaded in GRUB2, breaking the secure boot trust-chain.
https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html
That's why we wanted to keep it out of testing, to not expose our testing users to that.
Planning to have updates ready in the next couple days.
--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en