Brian Stinson
2020-Jul-29 17:38 UTC
[CentOS-announce] CentOS Linux, CentOS Stream and the Boot Hole vulnerability
We are aware of the Boot Hole vulnerability in grub2 (CVE-2020-1073) and are working on releasing new packages for CentOS Linux 7, CentOS Linux 8 and CentOS Stream in response. These should make it out to a mirror near you shortly.

/!\ Secureboot Systems - Please do a full update /!\

CentOS Linux 8 and CentOS Stream systems with secureboot enabled MUST update the kernel, grub2, and shim packages together. As part of this CVE, we have re-issued the kernel and shim signing certificate authorities, and previously released EL8 kernels cannot boot in secureboot mode with the newer shim/grub2.

The following packages boot together in secureboot mode on CentOS Stream:

* kernel-4.18.0-227.el8 / kernel-rt-4.18.0-227.rt7.39.el8
* grub2-2.02-87.el8_2
* shim-x64-15-13.el8

The following packages boot together in secureboot mode on CentOS Linux 8:

* kernel-4.18.0-193.14.2.el8_2
* grub2-2.02-87.el8_2
* shim-x64-15-13.el8

For systems with CentOS Linux 7 or with secureboot disabled, we strongly recommend doing a full `dnf/yum update` to pick up all of the latest patches at the same time.

On behalf of the CentOS Team,

--
Brian Stinson

Brian Stinson
2020-Jul-29 18:46 UTC
[CentOS-announce] [Correction/Additions] CentOS Linux, CentOS Stream and the Boot Hole vulnerability
On 7/29/20 12:38 PM, Brian Stinson wrote:
> We are aware of the Boot Hole vulnerability in grub2 (CVE-2020-1073) and
> are working on releasing new packages for CentOS Linux 7, CentOS Linux 8
> and CentOS Stream in response. These should make it out to a mirror near
> you shortly.
>
> /!\ Secureboot Systems - Please do a full update /!\
>
> CentOS Linux 8 and CentOS Stream systems with secureboot enabled MUST
> update the kernel, grub2, and shim packages together. As part of this
> CVE, we have re-issued the kernel and shim signing certificate
> authorities, and previously released EL8 kernels cannot boot in
> secureboot mode with the newer shim/grub2.
>
> The following packages boot together in secureboot mode on CentOS Stream:
>
> * kernel-4.18.0-227.el8 / kernel-rt-4.18.0-227.rt7.39.el8
> * grub2-2.02-87.el8_2
> * shim-x64-15-13.el8
>
> The following packages boot together in secureboot mode on CentOS Linux 8:
>
> * kernel-4.18.0-193.14.2.el8_2
> * grub2-2.02-87.el8_2
> * shim-x64-15-13.el8
>
> For systems with CentOS Linux 7 or with secureboot disabled, we strongly
> recommend doing a full `dnf/yum update` to pick up all of the latest
> patches at the same time.
>
> On behalf of the CentOS Team,
>
> --
> Brian Stinson
>
> _______________________________________________
> CentOS-announce mailing list
> CentOS-announce at centos.org
> https://lists.centos.org/mailman/listinfo/centos-announce

This is a minor correction to the CVE number referenced in this earlier post. CVE-2020-10713 is the correct assignment.

This is a link to the research article: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

And a link to the post on OSS Security with details about related CVEs: https://www.openwall.com/lists/oss-security/2020/07/29/3
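
One way to check for the partial update the announcement warns about, as an added example that is not part of the original e-mails or any CentOS tooling. The function names `ver_ge` and `check_set` are hypothetical, `sort -V` stands in for RPM's own version comparison, and the package name `grub2-efi-x64` in the usage comment is an assumption for a UEFI x86_64 install.

```shell
#!/bin/sh
# Added example: flag a mixed old/new kernel, grub2 and shim set.
# Minimum versions are copied from the announcement's two package lists.
MIN_KERNEL_LINUX8="4.18.0-193.14.2.el8_2"
MIN_KERNEL_STREAM="4.18.0-227.el8"
MIN_GRUB2="2.02-87.el8_2"
MIN_SHIM="15-13.el8"

# ver_ge A B: true when A >= B. Assumption: GNU `sort -V` ordering is used
# as an approximation of RPM version comparison (it is not rpmvercmp).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# check_set MIN_KERNEL KERNEL GRUB2 SHIM
# Prints one line per package below its minimum and returns 0 only when all
# three meet it, so a partially updated system is reported as a failure.
check_set() (
    rc=0
    ver_ge "$2" "$1"         || { echo "kernel $2 is older than $1"; rc=1; }
    ver_ge "$3" "$MIN_GRUB2" || { echo "grub2 $3 is older than $MIN_GRUB2"; rc=1; }
    ver_ge "$4" "$MIN_SHIM"  || { echo "shim-x64 $4 is older than $MIN_SHIM"; rc=1; }
    [ "$rc" -eq 0 ] && echo "kernel, grub2 and shim meet the listed versions"
    exit "$rc"
)

# Constructed input (not queried from a system): shim and grub2 are updated
# but the kernel is below the CentOS Linux 8 minimum.
check_set "$MIN_KERNEL_LINUX8" "4.18.0-193.6.3.el8_2" "2.02-87.el8_2" "15-13.el8" || true

# On a live system, confirm Secure Boot state and pass the installed versions:
#   mokutil --sb-state
#   check_set "$MIN_KERNEL_LINUX8" "$(uname -r | sed 's/\.[^.]*$//')" \
#       "$(rpm -q --qf '%{VERSION}-%{RELEASE}' grub2-efi-x64)" \
#       "$(rpm -q --qf '%{VERSION}-%{RELEASE}' shim-x64)"
```

The running kernel reported by `uname -r` is not necessarily the default boot entry, so an older kernel left as the default still needs attention.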