CentOS 7.x CentOS 8.x Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713)

eva2000 · Jul 30, 2020

Update: for grub2/shim reboot bug at CentOS 7.x - CentOS 8.x - Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713)

Yeah saw the news announcements. Luckily still haven't moved to RH8/CentOS 8 yet

grub2 security vulnerability is interesting for Redhat 8 / CentOS 8 at least for BootHole (CVE-2020-10713) Critical GRUB2 Bootloader Bug Affects Billions of Linux and Windows Systems if you hare using UEFI bios and Secure Boot enabled

A team of cybersecurity researchers today disclosed details of a new high-risk vulnerability affecting billions of devices worldwide—including servers and workstations, laptops, desktops, and IoT systems running nearly any Linux distribution or Windows system.

Dubbed 'BootHole' and tracked as CVE-2020-10713, the reported vulnerability resides in the GRUB2 bootloader, which, if exploited, could potentially let attackers bypass the Secure Boot feature and gain high-privileged persistent and stealthy access to the targeted systems.

Secure Boot is a security feature of the Unified Extensible Firmware Interface (UEFI) that uses a bootloader to load critical components, peripherals, and the operating system while ensuring that only cryptographically signed code executes during the boot process.
Click to expand...

Boot Hole Vulnerability - GRUB 2 boot loader - CVE-2020-10713 - Red Hat Customer Portal

Product impact
Red Hat Enterprise Linux (RHEL) 7 and 8, Red Hat Enterprise Atomic Host, and RHEL CoreOS (part of Openshift Container Platform 4) ship the vulnerable GRUB 2 version.

Red Hat Enterprise Linux 8
Due to hardening within the kernel, which is released as part of these updates, previous Red Hat Enterprise Linux 8 kernel versions have not been added to shim’s allow list. If you are running with Secure Boot enabled, and the user needs to boot to an older kernel version, its hash must be manually enrolled into the trust list. This is achieved by executing the following commands:

# pesign -P -h -i /boot/vmlinuz-<version>
# mokutil --import-hash <hash value returned from pesign>
# reboot

Red Hat Enterprise Linux 7
Red Hat has added previous Red Hat Enterprise Linux 7 kernel hashes into the shim’s allow database, allowing Secure Boot users to boot into older versions of the kernel.
Click to expand...

buik · Jul 31, 2020

eva2000 said: ↑

grub2 security vulnerability is interesting for Redhat 8 / CentOS 8 at least for BootHole (CVE-2020-10713) Critical GRUB2 Bootloader Bug Affects Billions of Linux and Windows Systems if you hare using UEFI bios and Secure Boot enabled

Boot Hole Vulnerability - GRUB 2 boot loader - CVE-2020-10713 - Red Hat Customer Portal
Click to expand...

A bit off topic related to the release of Red Hat Enterprise Linux 8.3 beta, but important enough for a new topic.
@eva2000 please move the BootHole-bug in Grub2 content into a new topic please.

One of the most important issues with security related IT infrastructure is to stay calm.

CVE-2020-10713 could labelled

eva2000 said: ↑

Critical
Click to expand...

code wise if you want, but in general it is security level: Moderate, rated by the Red Hat security team and that's reasonable in my opinion.

As the CVE is difficult to exploit in practice.
An attacker needs to modify the grub.cfg configuration file and in any case needs root access to a system or of course physical access.

This is not a remote code execution vulnerability; if it were, then I imagine, rather than being a high-rated vulnerability, it would be a critical one.
Click to expand...

Matt · Aug 1, 2020

Red Hat and CentOS systems aren’t booting due to BootHole patches

David Schargel · Aug 1, 2020

eva2000 said: ↑

for Redhat 8 / CentOS 8
Click to expand...

Looks like version 7 too.

eva2000 · Aug 1, 2020

Matt said: ↑

Red Hat and CentOS systems aren’t booting due to BootHole patches
Click to expand...

Ah beat me to it Red Hat and CentOS systems aren’t booting due to BootHole patches – Ars Technica

RHEL and CentOS
Unfortunately, Red Hat's patch to GRUB2 and the kernel, once applied, are leaving patched systems unbootable. The issue is confirmed to affect RHEL 7.8 and RHEL 8.2, and it may affect RHEL 8.1 and 7.9 as well. RHEL-derivative distribution CentOS is also affected.
Click to expand...

Red Hat is currently advising users not to apply the GRUB2 security patches (RHSA-2020:3216 or RHSA-2020:3217) until these issues have been resolved. If you administer a RHEL or CentOS system and believe you may have installed these patches, do not reboot your system. Downgrade the affected packages using sudo yum downgrade shim\* grub2\* mokutil and configure yum not to upgrade those packages by temporarily adding exclude=grub2* shim* mokutil to /etc/yum.conf.
Click to expand...

If you've already applied the patches and attempted (and failed) to reboot, boot from an RHEL or CentOS DVD in Troubleshooting mode, set up the network, then perform the same steps outlined above in order to restore functionality to your system.
Click to expand...

eva2000 · Aug 1, 2020

According to Red Hat Customer Portal, the bad update packages preventing CentOS 7 and 8 from rebooting are

Code (Text):

x86_64
fwupdate-12-6.el7_8.x86_64.rpm
fwupdate-debuginfo-12-6.el7_8.x86_64.rpm
fwupdate-debuginfo-12-6.el7_8.x86_64.rpm
fwupdate-devel-12-6.el7_8.x86_64.rpm
fwupdate-efi-12-6.el7_8.x86_64.rpm
fwupdate-libs-12-6.el7_8.x86_64.rpm
grub2-2.02-0.86.el7_8.x86_64.rpm
grub2-common-2.02-0.86.el7_8.noarch.rpm
grub2-debuginfo-2.02-0.86.el7_8.x86_64.rpm
grub2-debuginfo-2.02-0.86.el7_8.x86_64.rpm
grub2-efi-aa64-modules-2.02-0.86.el7_8.noarch.rpm
grub2-efi-ia32-2.02-0.86.el7_8.x86_64.rpm
grub2-efi-ia32-cdboot-2.02-0.86.el7_8.x86_64.rpm
grub2-efi-ia32-modules-2.02-0.86.el7_8.noarch.rpm
grub2-efi-x64-2.02-0.86.el7_8.x86_64.rpm
grub2-efi-x64-cdboot-2.02-0.86.el7_8.x86_64.rpm
grub2-efi-x64-modules-2.02-0.86.el7_8.noarch.rpm
grub2-pc-2.02-0.86.el7_8.x86_64.rpm
grub2-pc-modules-2.02-0.86.el7_8.noarch.rpm
grub2-ppc-modules-2.02-0.86.el7_8.noarch.rpm
grub2-ppc64-modules-2.02-0.86.el7_8.noarch.rpm
grub2-ppc64le-modules-2.02-0.86.el7_8.noarch.rpm
grub2-tools-2.02-0.86.el7_8.x86_64.rpm
grub2-tools-extra-2.02-0.86.el7_8.x86_64.rpm
grub2-tools-minimal-2.02-0.86.el7_8.x86_64.rpm
mokutil-15-7.el7_8.x86_64.rpm
mokutil-debuginfo-15-7.el7_8.x86_64.rpm
shim-ia32-15-7.el7_8.x86_64.rpm
shim-unsigned-ia32-15-7.el7_9.x86_64.rpm
shim-unsigned-x64-15-7.el7_9.x86_64.rpm
shim-x64-15-7.el7_8.x86_64.rpm

On my CentOS 7 system I have yet to run yum update so grub2 packages are still previous 2.0.2-0.81.el7 versions and not the updated bad packages grub2 2.0.2-0.86.el7

Code (Text):

yum -q list shim\* grub2\* mokutil | tr -s ' ' | column -t
Installed                      Packages
grub2.x86_64                   1:2.02-0.81.el7.centos  @base
grub2-common.noarch            1:2.02-0.81.el7.centos  @base
grub2-efi-x64.x86_64           1:2.02-0.81.el7.centos  @base
grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
Available                      Packages
grub2-efi-aa64-modules.noarch  1:2.02-0.81.el7.centos  base
grub2-efi-ia32.x86_64          1:2.02-0.81.el7.centos  base
grub2-efi-ia32-cdboot.x86_64   1:2.02-0.81.el7.centos  base
grub2-efi-ia32-modules.noarch  1:2.02-0.81.el7.centos  base
grub2-efi-x64-cdboot.x86_64    1:2.02-0.81.el7.centos  base
grub2-efi-x64-modules.noarch   1:2.02-0.81.el7.centos  base
grub2-i386-modules.noarch      1:2.02-0.81.el7.centos  base
grub2-ppc-modules.noarch       1:2.02-0.81.el7.centos  base
grub2-ppc64-modules.noarch     1:2.02-0.81.el7.centos  base
grub2-ppc64le-modules.noarch   1:2.02-0.81.el7.centos  base
mokutil.x86_64                 15-2.el7.centos         base
shim-ia32.x86_64               15-2.el7.centos         base
shim-unsigned-ia32.x86_64      15-2.el7.centos         base
shim-unsigned-x64.x86_64       15-2.el7.centos         base
shim-x64.x86_64                15-2.el7.centos         base

If you see bad 2.0.2-.086.el7 grub2 packages installed from above command, you need to downgrade to previous version first

Code (Text):

yum downgrade shim\* grub2\* mokutil

List available updates listed include the updated bad packages grub2 2.0.2-0.86.el7

Code (Text):

yum -q list updates shim\* grub2\* mokutil | tr -s ' ' | column -t
Updated                     Packages
grub2.x86_64                1:2.02-0.86.el7.centos  updates
grub2-common.noarch         1:2.02-0.86.el7.centos  updates
grub2-efi-x64.x86_64        1:2.02-0.86.el7.centos  updates
grub2-pc.x86_64             1:2.02-0.86.el7.centos  updates
grub2-pc-modules.noarch     1:2.02-0.86.el7.centos  updates
grub2-tools.x86_64          1:2.02-0.86.el7.centos  updates
grub2-tools-extra.x86_64    1:2.02-0.86.el7.centos  updates
grub2-tools-minimal.x86_64  1:2.02-0.86.el7.centos  updates

so for now going to lock in my working 2.0.2-0.81.el7 packages via yum versionlock plugin which Centmin Mod installed rather than do yum.conf excludes - just easier to manage this way for now

Code (Text):

yum versionlock shim\* grub2\* mokutil

output

Code (Text):

yum versionlock shim\* grub2\* mokutil
Loaded plugins: fastestmirror, priorities, versionlock
Adding versionlock on: 1:grub2-tools-minimal-2.02-0.81.el7.centos
Adding versionlock on: 1:grub2-tools-extra-2.02-0.81.el7.centos
Adding versionlock on: 1:grub2-efi-x64-2.02-0.81.el7.centos
Adding versionlock on: 1:grub2-common-2.02-0.81.el7.centos
Adding versionlock on: 1:grub2-2.02-0.81.el7.centos
Adding versionlock on: 1:grub2-pc-2.02-0.81.el7.centos
Adding versionlock on: 1:grub2-tools-2.02-0.81.el7.centos
Adding versionlock on: 1:grub2-pc-modules-2.02-0.81.el7.centos
versionlock added: 8

once locked yum update won't see available updates for locked packages

Code (Text):

yum -q list updates shim\* grub2\* mokutil | tr -s ' ' | column -t
Error: No matching Packages to list

Later when Redhat/CentOS release a fixed grub2 2.0.2-0.87+ or higher version, you can remove the yum versionlock via command below which will allow yum updates to pick up the updated grub2 packages

Code (Text):

yum versionlock delete shim\* grub2\* mokutil                          
Loaded plugins: fastestmirror, priorities, versionlock
Deleting versionlock for: 1:grub2-tools-minimal-2.02-0.81.el7.centos.*
Deleting versionlock for: 1:grub2-tools-extra-2.02-0.81.el7.centos.*
Deleting versionlock for: 1:grub2-efi-x64-2.02-0.81.el7.centos.*
Deleting versionlock for: 1:grub2-common-2.02-0.81.el7.centos.*
Deleting versionlock for: 1:grub2-2.02-0.81.el7.centos.*
Deleting versionlock for: 1:grub2-pc-2.02-0.81.el7.centos.*
Deleting versionlock for: 1:grub2-tools-2.02-0.81.el7.centos.*
Deleting versionlock for: 1:grub2-pc-modules-2.02-0.81.el7.centos.*
versionlock deleted: 8

BamaStangGuy · Aug 2, 2020

Subscribed. Had a few servers where it was updated.

pamamolf · Aug 2, 2020

Is this problematic update removed now from the updates list?

eva2000 · Aug 2, 2020

pamamolf said: ↑

Is this problematic update removed now from the updates list?
Click to expand...

nope yum update will update to bad packages grub2 2.0.2-0.86.el7 unless you do above and versionlock to good 2.0.2-0.81.el7

Jon Snow · Aug 2, 2020

I haven't updated to the bad package yet:

Code (Text):

yum -q list shim\* grub2\* mokutil | tr -s ' ' | column -t
Installed                      Packages
grub2.x86_64                   1:2.02-0.81.el7.centos  @base
grub2-common.noarch            1:2.02-0.81.el7.centos  @base
grub2-pc.x86_64                1:2.02-0.81.el7.centos  @base
grub2-pc-modules.noarch        1:2.02-0.81.el7.centos  @base
grub2-tools.x86_64             1:2.02-0.81.el7.centos  @base
grub2-tools-extra.x86_64       1:2.02-0.81.el7.centos  @base
grub2-tools-minimal.x86_64     1:2.02-0.81.el7.centos  @base
Available                      Packages
grub2-efi-aa64-modules.noarch  1:2.02-0.81.el7.centos  base
grub2-efi-ia32.x86_64          1:2.02-0.81.el7.centos  base
grub2-efi-ia32-cdboot.x86_64   1:2.02-0.81.el7.centos  base
grub2-efi-ia32-modules.noarch  1:2.02-0.81.el7.centos  base
grub2-efi-x64.x86_64           1:2.02-0.81.el7.centos  base
grub2-efi-x64-cdboot.x86_64    1:2.02-0.81.el7.centos  base
grub2-efi-x64-modules.noarch   1:2.02-0.81.el7.centos  base
grub2-i386-modules.noarch      1:2.02-0.81.el7.centos  base
grub2-ppc-modules.noarch       1:2.02-0.81.el7.centos  base
grub2-ppc64-modules.noarch     1:2.02-0.81.el7.centos  base
grub2-ppc64le-modules.noarch   1:2.02-0.81.el7.centos  base
mokutil.x86_64                 15-2.el7.centos         base
shim-ia32.x86_64               15-2.el7.centos         base
shim-unsigned-ia32.x86_64      15-2.el7.centos         base
shim-unsigned-x64.x86_64       15-2.el7.centos         base
shim-x64.x86_64                15-2.el7.centos         base

So when this is released, we should update?

buik · Aug 2, 2020

About lessons learned.
My contribution: Never just install updates and always test on test servers first.

Matt · Aug 2, 2020

Just looking at my CentOS8 server, and grub2 is on a newer version.

Code:

[mworthington@jmp1 ~]$ sudo dnf update
Last metadata expiration check: 1:43:32 ago on Sun 02 Aug 2020 06:37:18 AM UTC.
Dependencies resolved.
==========================================================================================================================================================================================================================================================================
 Package                                                               Architecture                                             Version                                                                    Repository                                                Size
==========================================================================================================================================================================================================================================================================
Installing:
 kernel                                                                x86_64                                                   4.18.0-193.14.2.el8_2                                                      BaseOS                                                   2.8 M
 kernel-core                                                           x86_64                                                   4.18.0-193.14.2.el8_2                                                      BaseOS                                                    28 M
 kernel-modules                                                        x86_64                                                   4.18.0-193.14.2.el8_2                                                      BaseOS                                                    23 M
Upgrading:
 grub2-common                                                          noarch                                                   1:2.02-87.el8_2                                                            BaseOS                                                   882 k
 grub2-pc                                                              x86_64                                                   1:2.02-87.el8_2                                                            BaseOS                                                    37 k
 grub2-pc-modules                                                      noarch                                                   1:2.02-87.el8_2                                                            BaseOS                                                   863 k
 grub2-tools                                                           x86_64                                                   1:2.02-87.el8_2                                                            BaseOS                                                   2.0 M
 grub2-tools-efi                                                       x86_64                                                   1:2.02-87.el8_2                                                            BaseOS                                                   467 k
 grub2-tools-extra                                                     x86_64                                                   1:2.02-87.el8_2                                                            BaseOS                                                   1.1 M
 grub2-tools-minimal                                                   x86_64                                                   1:2.02-87.el8_2                                                            BaseOS                                                   202 k
 kernel-tools                                                          x86_64                                                   4.18.0-193.14.2.el8_2                                                      BaseOS                                                   3.0 M
 kernel-tools-libs                                                     x86_64                                                   4.18.0-193.14.2.el8_2                                                      BaseOS                                                   2.8 M
 python3-perf                                                          x86_64                                                   4.18.0-193.14.2.el8_2                                                      BaseOS                                                   2.9 M

Transaction Summary
==========================================================================================================================================================================================================================================================================
Install   3 Packages
Upgrade  10 Packages

Total download size: 68 M
Is this ok [y/N]:

Code:

Installed Packages
Name         : grub2-common
Epoch        : 1
Version      : 2.02
Release      : 87.el8_2
Architecture : noarch
Size         : 4.8 M
Source       : grub2-2.02-87.el8_2.src.rpm
Repository   : @System
From repo    : BaseOS
Summary      : grub2 common layout
URL          : http://www.gnu.org/software/grub/
License      : GPLv3+
Description  : This package provides some directories which are required by various grub2
             : subpackages.

Code:

[mworthington@jmp1 ~]$ rpm -q --changelog grub2-common | less
* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 2.02-87
- Fix several CVEs
  Resolves: CVE-2020-10713
  Resolves: CVE-2020-14308
  Resolves: CVE-2020-14309
  Resolves: CVE-2020-14310
  Resolves: CVE-2020-14311

eva2000 · Aug 2, 2020

Jon Snow said: ↑

So when this is released, we should update?
Click to expand...

Yes but as @buik stated best to test on a test VPS/server first so do version unlock as outlined above and then yum update and reboot test server and see if it reboots. Though probably also good idea to wait for general media and other users to report when it's fixed too.

buik said: ↑

About lessons learned.
My contribution: Never just install updates and always test on test servers first.
Click to expand...

Indeed best thing to do if you can

Matt said: ↑

Just looking at my CentOS8 server, and grub2 is on a newer version.
Click to expand...

CentOS 8 fixed version with bug = grub2-2.02-87.el8 is different from CentOS 7 fixed version with bug = 2.0.2-0.86.el7.

CentOS 8 security vulernability Boothole fixed version with reboot bug is your version = grub2-2.02-87.el8 Red Hat Customer Portal so you'd need to rollback on CentOS AFAIK. Though Centmin Mod users don't have to worry about CentOS 8.x grub2. Just CentOS 7.x grub2 versions outlined in post 6 above

Matt · Aug 2, 2020

Good job it's just my testing / jump server

Code:

[root@jmp1 log]# dnf history info 11
Transaction ID : 11
Begin time     : Sun 02 Aug 2020 08:22:35 AM UTC
Begin rpmdb    : 448:dd9d8ab61e44ec6d29fef7026852c21d99d0be1b
End time       : Sun 02 Aug 2020 08:24:29 AM UTC (114 seconds)
End rpmdb      : 451:d8613bb5eeb862ee571e184ee06ba348d9ed0f6d
User           :  <mworthington>
Return-Code    : Success
Releasever     : 8
Command Line   : update
Packages Altered:
    Install  kernel-4.18.0-193.14.2.el8_2.x86_64            @BaseOS
    Install  kernel-core-4.18.0-193.14.2.el8_2.x86_64       @BaseOS
    Install  kernel-modules-4.18.0-193.14.2.el8_2.x86_64    @BaseOS
    Upgrade  grub2-common-1:2.02-87.el8_2.noarch            @BaseOS
    Upgraded grub2-common-1:2.02-81.el8.noarch              @@System
    Upgrade  grub2-pc-1:2.02-87.el8_2.x86_64                @BaseOS
    Upgraded grub2-pc-1:2.02-81.el8.x86_64                  @@System
    Upgrade  grub2-pc-modules-1:2.02-87.el8_2.noarch        @BaseOS
    Upgraded grub2-pc-modules-1:2.02-81.el8.noarch          @@System
    Upgrade  grub2-tools-1:2.02-87.el8_2.x86_64             @BaseOS
    Upgraded grub2-tools-1:2.02-81.el8.x86_64               @@System
    Upgrade  grub2-tools-efi-1:2.02-87.el8_2.x86_64         @BaseOS
    Upgraded grub2-tools-efi-1:2.02-81.el8.x86_64           @@System
    Upgrade  grub2-tools-extra-1:2.02-87.el8_2.x86_64       @BaseOS
    Upgraded grub2-tools-extra-1:2.02-81.el8.x86_64         @@System
    Upgrade  grub2-tools-minimal-1:2.02-87.el8_2.x86_64     @BaseOS
    Upgraded grub2-tools-minimal-1:2.02-81.el8.x86_64       @@System
    Upgrade  kernel-tools-4.18.0-193.14.2.el8_2.x86_64      @BaseOS
    Upgraded kernel-tools-4.18.0-193.6.3.el8_2.x86_64       @@System
    Upgrade  kernel-tools-libs-4.18.0-193.14.2.el8_2.x86_64 @BaseOS
    Upgraded kernel-tools-libs-4.18.0-193.6.3.el8_2.x86_64  @@System
    Upgrade  python3-perf-4.18.0-193.14.2.el8_2.x86_64      @BaseOS
    Upgraded python3-perf-4.18.0-193.6.3.el8_2.x86_64       @@System
[root@jmp1 log]# dnf history undo 11
Last metadata expiration check: 2:21:43 ago on Sun 02 Aug 2020 09:38:17 AM UTC.
Undoing transaction 11, from Sun 02 Aug 2020 08:22:35 AM UTC
    Install  kernel-4.18.0-193.14.2.el8_2.x86_64            @BaseOS
    Install  kernel-core-4.18.0-193.14.2.el8_2.x86_64       @BaseOS
    Install  kernel-modules-4.18.0-193.14.2.el8_2.x86_64    @BaseOS
    Upgrade  grub2-common-1:2.02-87.el8_2.noarch            @BaseOS
    Upgraded grub2-common-1:2.02-81.el8.noarch              @@System
    Upgrade  grub2-pc-1:2.02-87.el8_2.x86_64                @BaseOS
    Upgraded grub2-pc-1:2.02-81.el8.x86_64                  @@System
    Upgrade  grub2-pc-modules-1:2.02-87.el8_2.noarch        @BaseOS
    Upgraded grub2-pc-modules-1:2.02-81.el8.noarch          @@System
    Upgrade  grub2-tools-1:2.02-87.el8_2.x86_64             @BaseOS
    Upgraded grub2-tools-1:2.02-81.el8.x86_64               @@System
    Upgrade  grub2-tools-efi-1:2.02-87.el8_2.x86_64         @BaseOS
    Upgraded grub2-tools-efi-1:2.02-81.el8.x86_64           @@System
    Upgrade  grub2-tools-extra-1:2.02-87.el8_2.x86_64       @BaseOS
    Upgraded grub2-tools-extra-1:2.02-81.el8.x86_64         @@System
    Upgrade  grub2-tools-minimal-1:2.02-87.el8_2.x86_64     @BaseOS
    Upgraded grub2-tools-minimal-1:2.02-81.el8.x86_64       @@System
    Upgrade  kernel-tools-4.18.0-193.14.2.el8_2.x86_64      @BaseOS
    Upgraded kernel-tools-4.18.0-193.6.3.el8_2.x86_64       @@System
    Upgrade  kernel-tools-libs-4.18.0-193.14.2.el8_2.x86_64 @BaseOS
    Upgraded kernel-tools-libs-4.18.0-193.6.3.el8_2.x86_64  @@System
    Upgrade  python3-perf-4.18.0-193.14.2.el8_2.x86_64      @BaseOS
    Upgraded python3-perf-4.18.0-193.6.3.el8_2.x86_64       @@System
No package grub2-common-1:2.02-81.el8.noarch available.
No package grub2-pc-modules-1:2.02-81.el8.noarch available.
No package grub2-pc-1:2.02-81.el8.x86_64 available.
No package grub2-tools-efi-1:2.02-81.el8.x86_64 available.
No package grub2-tools-extra-1:2.02-81.el8.x86_64 available.
No package grub2-tools-minimal-1:2.02-81.el8.x86_64 available.
No package grub2-tools-1:2.02-81.el8.x86_64 available.
No package kernel-tools-libs-4.18.0-193.6.3.el8_2.x86_64 available.
No package kernel-tools-4.18.0-193.6.3.el8_2.x86_64 available.
No package python3-perf-4.18.0-193.6.3.el8_2.x86_64 available.
Error: no package matched
[root@jmp1 log]#

Hopefully it won't reboot until they release a proper fix!

eva2000 · Aug 2, 2020

Matt said: ↑

Hopefully it won't reboot until they release a proper fix!
Click to expand...

Should be able to a downgrade and then use CentOS 8 dnf versionlock to prevent it updating I think
Code (Text):
dnf install python3-dnf-plugin-versionlock
dnf downgrade shim\* grub2\* mokutil
dnf versionlock shim\* grub2\* mokutil

Matt · Aug 2, 2020

eva2000 said: ↑
Should be able to a downgrade and then use CentOS 8 dnf versionlock to prevent it updating I think
Code (Text):
dnf install python3-dnf-plugin-versionlock
dnf downgrade shim\* grub2\* mokutil
dnf versionlock shim\* grub2\* mokutil
Click to expand...
Should be able to, but looks like the old packages have been removed from the repo files and the dnf cache, so can't downgrade or rollback.

I've excluded the packages from all my production systems anyway

eva2000 · Aug 2, 2020

Matt said: ↑

but looks like the old packages have been removed from the repo files
Click to expand...

Interesting wonder if that is specific to CentOS 8 and/or Redhat 8

guess there's ways to prevent a reboot if need be How to Disable Shutdown and Reboot Commands in Linux

buik · Aug 3, 2020

eva2000 said: ↑

Indeed best thing to do if you can
Click to expand...

Anyone can do it
Each in their own way.

Ideally, you run test systems with the same specifications in both hardware and software.

If that is expensive you could virtualize and approach the real situation as much as possible.

If that doesn't work either, look at eBay.
Plenty of used servers that can be fetched for a few bucks. (if power usage costs is not a problem)

If that doesn't work either, install virtual software on your workstation, laptop or mac and at least simulate the software, software-updates and configuration.

buik · Aug 3, 2020

I know it's not nice to double-post.
But apparently the bug / security vulnerability for BootHole has been fixed by the upstream provider.
Since this bug can be pretty annoying. Seems to me a double post is justified in this case.

RHBA-2020:3265 Red Hat Customer Portal
RHBA-2020:3262 Red Hat Customer Portal

eva2000 · Aug 3, 2020

buik said: ↑

wrong errata so please remove this reply.
Click to expand...

should be able to remove your own posts if within a specific time limit ? or just edit your post as not sure which post you want removed ?

Log in / Register

Forums

Want to subscribe to topics you're interested in?

CentOS 7.x CentOS 8.x Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713)

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

Matt Well-Known Member

David Schargel Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

BamaStangGuy Active Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Jon Snow Active Member

buik “The best traveler is one without a camera.”

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want to subscribe to topics you're interested in?

CentOS 7.x CentOS 8.x Redhat / CentOS 7 & 8 grub2 security vulnerability for BootHole (CVE-2020-10713)

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

Matt Well-Known Member

David Schargel Premium Member Premium Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

BamaStangGuy Active Member

pamamolf Premium Member Premium Member

eva2000 Administrator Staff Member

Jon Snow Active Member

buik “The best traveler is one without a camera.”

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

Matt Well-Known Member

eva2000 Administrator Staff Member

buik “The best traveler is one without a camera.”

buik “The best traveler is one without a camera.”

eva2000 Administrator Staff Member

.