ELSA-2015-2623

Опубликовано: 15 дек. 2015

Источник: oracle-oval

Платформа: Oracle Linux 7

Описание

ELSA-2015-2623: grub2 security and bug fix update (MODERATE)

[2.02-0.33.0.1]

Fix comparison in patch for 18504756
Remove symlink to grub environment file during uninstall on EFI platforms [bug 19231481]
update Oracle Linux certificates (Alexey Petrenko)
Put 'with' in menuentry instead of 'using' [bug 18504756]
Use different titles for UEK and RHCK kernels [bug 18504756]

[2.02-0.33]

Don't remove 01_users, it's the wrong thing to do. Related:rhbz1290089

[2.02-0.32]

Rebuild for .z so the release number is different. Related: rhbz#1290089

[2.02-0.31]

More work on handling of GRUB2_PASSWORD Resolves: rhbz#1290089

[2.02-0.30]

Fix security issue when reading username and password Resolves: CVE-2015-8370
Do a better job of handling GRUB_PASSWORD Resolves: rhbz#1290089

Обновленные пакеты

Oracle Linux 7

Oracle Linux x86_64

grub2

2.02-0.33.0.1.el7_2

grub2-efi

2.02-0.33.0.1.el7_2

grub2-efi-modules

2.02-0.33.0.1.el7_2

grub2-tools

2.02-0.33.0.1.el7_2

Связанные CVE

CVE-2015-8370

Ссылки на источники

Связанные уязвимости

CVE-2015-8370

CVSS3: 7.4

ubuntu

почти 10 лет назад

Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.