Hi

Thank you. I have marked this issue as a minor issue. The Debian Security team made that decision and I find no reason why u-boot would be more important to fix than later releases.

Best regards

// Ola

On Sun, 5 Apr 2020 at 23:09, Vagrant Cascadian <vagr...@debian.org> wrote:
>
> On 2020-03-31, Holger Levsen wrote:
> > looping the u-boot maintainer in... what's your opinion on this, Vagrant?
> >
> > On Tue, Mar 31, 2020 at 10:46:58PM +0200, Ola Lundqvist wrote:
> >> I would like to have some advice about the u-boot triaging.
> >> The problem is that someone can load an alternative configuration file
> >> and by that boot arbitrary code.
> >> I assume this means that the attacker must have physical access to the
> >> device.
> >>
> >> As I see it, this can be used to root devices that should not be
> >> possible to root.
> >>
> >> My question is whether you think this is worth fixing in Debian.
> >>
> >> I lean towards that we should consider this as a minor issue for
> >> Jessie but here I would like your opinion.
> >>
> >> Thank you in advance
> >>
> >> // Ola
> >
> > (I'd agree this is not worth fixing in jessie if this needs physical
> > access.)
>
> I haven't looked deeply into it, but from what I recall, I'm not sure
> any of the platforms built in Debian make use of the verified boot
> features.
>
> live well,
>   vagrant

--
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/        Mobile: +46 (0)70-332 1551         |
 ---------------------------------------------------------------