Bug 30527 - grub2 new security issues CVE-2021-369[5-7], CVE-2022-2601, CVE-2022-3775, CVE-2022-2873[3-7]
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thierry Vignaud
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 29762
Reported: 2022-06-08 18:28 CEST by David Walser
Modified: 2024-03-13 14:17 CET

See Also:
Source RPM: grub2-2.06-16.mga9.src.rpm
CVE:
Status comment: Patches available from upstream


Description David Walser 2022-06-08 18:28:05 CEST
Security issues fixed upstream in GRUB2 have been announced on June 7:
https://www.openwall.com/lists/oss-security/2022/06/07/5

Mageia 8 is also affected.
David Walser 2022-06-08 18:28:24 CEST

Blocks: (none) => 29762
Status comment: (none) => Patches available from upstream
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-06-09 16:40:09 CEST
Patch backports from a couple other distro maintainers:
https://dev.gentoo.org/~floppym/dist/grub-2.06-backports.tar.xz
https://github.com/Foxboron/grub/commits/morten/2.06-backport-security
Comment 2 David Walser 2022-06-10 17:18:56 CEST
openSUSE has issued an advisory for this today (June 10):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5IS74LC4GHJQY7AUZBIDXFKHKIROVLHS/
Comment 3 David Walser 2022-06-10 17:24:03 CEST
Fedora has issued an advisory for this today (June 10):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FGYCNFAG7E6EPHZ4MFBJZE3ZDEOCLW7N/
Comment 4 Lewis Smith 2022-06-10 20:48:07 CEST
Assigning to tv who has been the principal maintainer of grub2 for some time.

Assignee: bugsquad => thierry.vignaud

Comment 5 David Walser 2022-06-16 14:23:54 CEST
grub2-2.06-17.mga9 has patches for CVEs.  Commit message mentions everything but CVE-2022-28737.  Oversight or missing patch?
Comment 6 David Walser 2022-06-16 22:28:44 CEST
RedHat has issued an advisory for this today (June 16):
https://access.redhat.com/errata/RHSA-2022:5099
Comment 7 David Walser 2022-11-15 21:14:12 CET
More GRUB2 security issues:
https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html
Comment 8 David Walser 2022-11-16 17:15:26 CET
Debian has issued an advisory for two new issues on November 15:
https://www.debian.org/security/2022/dsa-5280

Summary: grub2 new security issues CVE-2021-369[5-7], CVE-2022-2873[3-7] => grub2 new security issues CVE-2021-369[5-7], CVE-2022-2601, CVE-2022-3775, CVE-2022-2873[3-7]

Comment 9 David Walser 2022-11-21 22:52:00 CET
(In reply to David Walser from comment #8)
> Debian has issued an advisory for two new issues on November 15:
> https://www.debian.org/security/2022/dsa-5280

openSUSE has issued an advisory for this today (November 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MRFPY5QYSYU264DBMYC26WSXJ2PTUVVY/
Comment 10 David Walser 2022-11-21 23:02:48 CET
(In reply to David Walser from comment #8)
> Debian has issued an advisory for two new issues on November 15:
> https://www.debian.org/security/2022/dsa-5280

Fedora has issued an advisory for this on November 20:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZJAWN5S3M3DAZIITKXB7OCBPCYJKH2ST/
Comment 11 Nicolas Salguero 2024-03-13 14:17:52 CET
Mageia 8 EOL.

Resolution: (none) => OLD
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED

