I haven’t been able to find if the BootHole and related issues have been fixed for Fedora. Grub2 for CentOS seems to have been fixed (https://pkgs.org/). However, I don’t think the same update is available for Fedora. Also, Debian and Ubuntu have a detailed page on this issue, its effect and how it needs to be fixed. I haven’t come across anything like this for Fedora. Is something like that available?
If I am not wrong, Grub2 still hasn’t been updated on Fedora (https://fedora.pkgs.org/32/fedora-aarch64/grub2-common-2.04-12.fc32.noarch.rpm.html). I was going to switch from Pop OS to Fedora, but I decided to wait until this whole issue stabilizes. Is the update in the pipeline? Or am I looking at something different?
Hi @mkgscott & welcome to the community.
A fix for this appears to be in 2.04-27 (Check CVEs in the Changelog section), which isn’t in the repos yet. We’re in the middle of rebuilds/branching etc. in preparation for the F33 release, so I don’t know when this update will be released to the repositories - but likely soon.
Regarding more information about this issue, you can check out the Red Hat vulnerability site for this issue.
Thanks for the answer. It clarifies the situation for me.
This is really helpful.
I was going through the 2.04-27 changelogs. It says “minor” bug fixes for
Everyone made a big issue about all these vulnerabilities. I get that you need either physical or root access to exploit them. But I am confused why these are considered as “minor” updates when other distros are treating them as critical vulnerabilities?
The build containing the fix will vary between Fedora releases. 2.04-27 is correct for Fedora 33, but in Fedora 32 the fix is in 2.04-22.
You’d have to ask the maintainer of the grub2 package about that, but if I had to guess, I’d take the ‘minor’ to refer to the scale of the changes (i.e. doesn’t significantly impact user experience), rather than their importance. In any case, this is just the description the maintainer chose to give in the update; it has no impact on how quickly the fixes will be available in the repositories.