On Tue, Nov 15, 2022 at 07:00:20PM +0100, Daniel Kiper wrote:
> Hi all,
>
> This patch set contains a bundle of fixes for various security flaws
> discovered in the GRUB2 font code during the last few months. The most
> severe ones, i.e. potentially exploitable, have CVEs assigned and are
> listed at the end of this email.
>
> Details of exactly what needs updating will be provided by the respective
> distros and vendors when updates become available. Here [1] we are listing
> at least some links to the messaging known at the time of this posting.
>
> Full mitigation against all CVEs will require updated shim with latest SBAT
> (Secure Boot Advanced Targeting) [2] data provided by distros and vendors.
> This time UEFI revocation list (dbx) will not be used and revocation of
> broken artifacts will be done with SBAT only. For information on how to
> apply the latest SBAT revocations, please see mokutil(1). Vendor shims may
> explicitly permit known older boot artifacts to boot.
>
> Updated GRUB2, shim and other boot artifacts from all the affected vendors
> will be made available when the embargo lifts or some time thereafter.
>
> I am posting all the GRUB2 upstream patches which fix all security bugs
> found and reported up until now. Major Linux distros carry or will carry
> soon one form or another of these patches. Now all the GRUB2 upstream
> patches are in the GRUB2 git repository [3] too.
>
> I would like to thank, in alphabetical order, the following people who
> were working really hard on the GRUB, shim and other things related to
> these issues:
> - Alexander Burmashev (Oracle),
> - Chris Coulson (Canonical),
> - D. Jared Dominguez (Red Hat),
> - Daniel Axtens,
> - Eric Snowberg (Oracle),
> - Ilya Okomin (Oracle),
> - Jan Setje-Eilers (Oracle),
> - Julian Andres Klode (Canonical),
> - Marco A Benatto (Red Hat),
> - Marta Lewandowska (Red Hat),
> - Peter Jones (Red Hat),
> - Robbie Harwood (Red Hat),
> - Steve McIntyre (Debian),
> - Zhang Boyang.
I was told Petr Janda (Red Hat) should be added to this list. Sorry about that. This was not an intentional omission.

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel