Code review comment for ~eslerm/ubuntu-cve-tracker:grub2-boilerplate

Mark Esler (eslerm) wrote:

CVE-2020-15705 [0] and CVE-2021-3418 [1] are duplicates, except they are related to Grub prior to 2.04 and 2.06 respectively. Each is for evil housekeeper attacks based on shims (i.e., BlackLotus-like). They are assigned after a grub2 CVE is discovered in the previous version.

These CVEs should be used to track secureboot-db and shim.

Canonical is the CNA for CVE-2020-15705. I believe we need to amend our CVE publication. CVE-2021-3418 was assigned by Red Hat and follows the previous CVE's description. Ubuntu is affected by both, but UCT does not track this yet.

Tooling is needed to explain the differences between grub2 and secureboot-db to CVE triagers.

[0] https://nvd.nist.gov/vuln/detail/CVE-2020-15705
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-3418