Processed: Re: Bug#1001057: grub2: hold 2.06 in unstable for now
Processing control commands:

> retitle -1 grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded
Bug #1001057 [grub2] grub2: hold 2.06 in unstable for now
Changed Bug title to 'grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded' from 'grub2: hold 2.06 in unstable for now'.

--
1001057: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001057
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#1001057: grub2: hold 2.06 in unstable for now
Control: retitle -1 grub2: CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded

On Fri, Dec 03, 2021 at 11:17:26AM +, Colin Watson wrote:
> Package: grub2
> Version: 2.06-2
> Severity: serious
> Justification: maintainer says so
>
> GRUB 2.06 is a pretty big change over 2.04. I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.

Now that it's public, we can say that here's the real reason for this:

CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded
6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The GRUB2's shim_lock verifier allows non-kernel files to be loaded on
shim-powered secure boot systems. Allowing such files to be loaded may
lead to unverified code and modules to be loaded in GRUB2 breaking the
secure boot trust-chain.

https://lists.gnu.org/archive/html/grub-devel/2022-06/msg00035.html

That's why we wanted to keep it out of testing to not expose our testing
users to that.

Planning to have updates ready in the next couple days.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
Bug#1001057: grub2: hold 2.06 in unstable for now
Hi Colin,

On Fri, 3 Dec 2021 11:17:26 + Colin Watson wrote:
> GRUB 2.06 is a pretty big change over 2.04. I'd like to hold this in
> unstable for a while longer to let things shake out before we allow it
> to move to testing.

grub2 showed up in my out-of-sync tracking script output. Do you think
it's about time you could let grub2 into testing? I'm not trying to hurry
you, take your time, but I was just wondering if you forgot about this
bug.

Paul
Bug#1001057: grub2: hold 2.06 in unstable for now
Package: grub2
Version: 2.06-2
Severity: serious
Justification: maintainer says so

GRUB 2.06 is a pretty big change over 2.04. I'd like to hold this in
unstable for a while longer to let things shake out before we allow it
to move to testing.

--
Colin Watson (he/him)                              [cjwat...@debian.org]