Bug 30527

Summary: grub2 new security issues CVE-2021-369[5-7], CVE-2022-2601, CVE-2022-3775, CVE-2022-2873[3-7]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: nicolas.salguero
Version: 8
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: grub2-2.06-16.mga9.src.rpm
CVE:
Status comment: Patches available from upstream
Bug Depends on:
Bug Blocks: 29762

Description David Walser 2022-06-08 18:28:05 CEST
Security issues fixed upstream in GRUB2 have been announced on June 7:
https://www.openwall.com/lists/oss-security/2022/06/07/5

Mageia 8 is also affected.

David Walser 2022-06-08 18:28:24 CEST

Blocks: (none) => 29762
Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-06-09 16:40:09 CEST
Patch backports from a couple other distro maintainers:
https://dev.gentoo.org/~floppym/dist/grub-2.06-backports.tar.xz
https://github.com/Foxboron/grub/commits/morten/2.06-backport-security
Comment 2 David Walser 2022-06-10 17:18:56 CEST
openSUSE has issued an advisory for this today (June 10):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5IS74LC4GHJQY7AUZBIDXFKHKIROVLHS/
Comment 3 David Walser 2022-06-10 17:24:03 CEST
Fedora has issued an advisory for this today (June 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FGYCNFAG7E6EPHZ4MFBJZE3ZDEOCLW7N/
Comment 4 Lewis Smith 2022-06-10 20:48:07 CEST
Assigning to tv who has been the principal maintainer of grub2 for some time.

Assignee: bugsquad => thierry.vignaud

Comment 5 David Walser 2022-06-16 14:23:54 CEST
grub2-2.06-17.mga9 has patches for CVEs.  Commit message mentions everything but CVE-2022-28737.  Oversight or missing patch?
Comment 6 David Walser 2022-06-16 22:28:44 CEST
Red Hat has issued an advisory for this today (June 16):
https://access.redhat.com/errata/RHSA-2022:5099
Comment 7 David Walser 2022-11-15 21:14:12 CET
More GRUB2 security issues:
https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html
Comment 8 David Walser 2022-11-16 17:15:26 CET
Debian has issued an advisory for two new issues on November 15:
https://www.debian.org/security/2022/dsa-5280

Summary: grub2 new security issues CVE-2021-369[5-7], CVE-2022-2873[3-7] => grub2 new security issues CVE-2021-369[5-7], CVE-2022-2601, CVE-2022-3775, CVE-2022-2873[3-7]

Comment 9 David Walser 2022-11-21 22:52:00 CET
(In reply to David Walser from comment #8)
> Debian has issued an advisory for two new issues on November 15:
> https://www.debian.org/security/2022/dsa-5280

openSUSE has issued an advisory for this today (November 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRFPY5QYSYU264DBMYC26WSXJ2PTUVVY/
Comment 10 David Walser 2022-11-21 23:02:48 CET
(In reply to David Walser from comment #8)
> Debian has issued an advisory for two new issues on November 15:
> https://www.debian.org/security/2022/dsa-5280

Fedora has issued an advisory for this on November 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZJAWN5S3M3DAZIITKXB7OCBPCYJKH2ST/
Comment 11 Nicolas Salguero 2024-03-13 14:17:52 CET
Mageia 8 EOL.

Resolution: (none) => OLD
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED