| Summary: | <sys-boot/grub-2.02_beta2-r8:2 - authentication bypass (CVE-2015-8370) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | major | CC: | base-system, floppym, gentoo |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2015/12/15/6 | | |
| Whiteboard: | A2 [glsa cve] | | |
| Package list: | Runtime testing required: | --- | |

Description
Agostino Sarubbo
2015-12-15 13:09:43 UTC
I applied the "emergency patch" in grub-2.02_beta2-r8. Feel free to stabilize it.

amd64 stable

x86 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.

It isn't obvious from the upgrade whether grub2 requires a reinstall following the update (to modify any on-disk structures/etc). If that is necessary I'd suggest at least a warning of some kind if not a news item. If a reinstall is unnecessary I don't think any further notice is necessary.

(In reply to Richard Freeman from comment #4) Good point. The patch modifies files under grub-core, so a reinstall is definitely necessary. I will add a pkg_postinst message and draft a news item.

Cleanup is done.

This issue was resolved and addressed in GLSA 201512-03 at https://security.gentoo.org/glsa/201512-03 by GLSA coordinator Tobias Heinlein (keytoaster).

Arches and Maintainer(s), Thank you for your work.