From ${URL}: A vulnerability in Grub2 (Back to 28) has been found. Versions from 1.98 (December, 2009) to 2.02 (December, 2015) are affected. The vulnerability can be exploited under certain circumstances, allowing local attackers to bypass any kind of authentication (plain or hashed passwords). And so, the attacker may take control of the computer. More details at: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for stabilization or not.
I applied the "emergency patch" in grub-2.02_beta2-r8. Feel free to stabilize it.
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
It isn't obvious from the upgrade whether grub2 requires a reinstall following the update (to modify any on-disk structures/etc). If that is necessary I'd suggest at least a warning of some kind if not a news item. If a reinstall is unnecessary I don't think any further notice is necessary.
(In reply to Richard Freeman from comment #4) Good point. The patch modifies files under grub-core, so a reinstall is definitely necessary. I will add a pkg_postinst message and draft a news item.
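The point raised in the two comments above (the package update replaces files under grub-core, but the copies GRUB actually boots from live under /boot until grub-install is run again) can be checked on a machine with a small script. The following is an added example, not part of the bug thread or of the sys-boot/grub package: it compares the modification time of a module GRUB boots from against the same module as shipped by the newly merged package, and reports when the boot copy is older. The default paths (/boot/grub/i386-pc/normal.mod and /usr/lib/grub/i386-pc/normal.mod) are assumed typical BIOS/i386-pc locations; pass your own paths as arguments for other platforms.

```shell
#!/bin/sh
# Added example (not from the bug thread): report whether the GRUB modules
# under /boot predate the freshly merged package files, which is the state
# right after emerging the patched grub without running grub-install.

# grub_needs_reinstall BOOT_MODULE PKG_MODULE
#   returns 0 (true)  when BOOT_MODULE is missing or older than PKG_MODULE
#   returns 1 (false) when the boot copy is at least as new as the package copy
grub_needs_reinstall() {
    boot_module=$1
    pkg_module=$2
    # No boot copy at all: nothing to compare, so a grub-install is needed anyway.
    [ -e "$boot_module" ] || return 0
    # -nt compares modification times (supported by dash, bash, busybox sh).
    if [ "$pkg_module" -nt "$boot_module" ]; then
        return 0
    fi
    return 1
}

main() {
    # Assumed default locations for a BIOS/i386-pc install; override via $1 and $2.
    boot_module=${1:-/boot/grub/i386-pc/normal.mod}
    pkg_module=${2:-/usr/lib/grub/i386-pc/normal.mod}
    if grub_needs_reinstall "$boot_module" "$pkg_module"; then
        echo "GRUB boot copy $boot_module is older than $pkg_module: run grub-install, then grub-mkconfig"
    else
        echo "GRUB boot copy $boot_module is up to date with the installed package"
    fi
}

main "$@"
```

Run it as root after the update; a "older than" result means the fix is only on disk in the package directory and the bootloader still loads the unpatched module.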
Cleanup is done.
This issue was resolved and addressed in GLSA 201512-03 at https://security.gentoo.org/glsa/201512-03 by GLSA coordinator Tobias Heinlein (keytoaster).
Arches and Maintainer(s), Thank you for your work.