Details at URL. Note that: "Full mitigation against all CVEs will require updated shim with latest SBAT (Secure Boot Advanced Targeting) [2] data provided by distros and vendors. This time UEFI revocation list (dbx) will not be used and revocation of broken artifacts will be done with SBAT only. For information on how to apply the latest SBAT revocations, please see mokutil(1). Vendor shims may explicitly permit known older boot artifacts to boot." So I suppose we need an update for sys-boot/shim, too?
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7bbb9e2ce52ffd701c05daa3752f1fe11ec72f27

commit 7bbb9e2ce52ffd701c05daa3752f1fe11ec72f27
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-06-08 01:02:45 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-06-08 01:02:45 +0000

    sys-boot/grub: backport many patches

    Bug: https://bugs.gentoo.org/850535
    Closes: https://github.com/gentoo/gentoo/pull/25629
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-boot/grub/Manifest | 1 +
 sys-boot/grub/grub-2.06-r2.ebuild | 319 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 320 insertions(+)
Thank you! Please stabilize when ready.
(In reply to John Helmert III from comment #0)
> So I suppose we need an update for sys-boot/shim, too?

I doubt there are many (any?) Gentoo users that attempt to use "secure boot" via sys-boot/shim.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=034c3eb523f406231aefe984560edf432b916f81

commit 034c3eb523f406231aefe984560edf432b916f81
Author: Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-09-02 15:39:11 +0000
Commit: Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-09-02 15:39:11 +0000

    sys-boot/grub: drop 2.06-r1

    Bug: https://bugs.gentoo.org/850535
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 sys-boot/grub/grub-2.06-r1.ebuild | 318 --------------------------------------
 1 file changed, 318 deletions(-)
GLSA request filed
GLSA released, all done!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9800f4266b85bdfe9aee0d03b98448c864ee9537

commit 9800f4266b85bdfe9aee0d03b98448c864ee9537
Author: GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-09-25 13:35:30 +0000
Commit: John Helmert III <ajak@gentoo.org>
CommitDate: 2022-09-25 13:42:21 +0000

    [ GLSA 202209-12 ] GRUB: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/835082
    Bug: https://bugs.gentoo.org/850535
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202209-12.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)