public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] News item: GRUB security update
From: Mike Gilbert @ 2015-12-18 20:06 UTC
  To: gentoo-dev; +Cc: pr, security

Hi, please review the news item below.


Title: GRUB security update
Author: Mike Gilbert <floppym@gentoo.org>
Content-Type: text/plain
Posted: 2015-12-18
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: >=sys-boot/grub-2

A security flaw in GRUB's username/password authentication code has been
discovered. A user with access to the system console may bypass the
username prompt by entering a sequence of backspaces. See CVE-2015-8370.

This vulnerability has been fixed in sys-boot/grub-2.02_beta2-r8. If you
rely on GRUB's username/password functionality to secure systems, please
upgrade immediately.

After upgrading, make sure to run the grub2-install command with options
appropriate for your system. See the GRUB2 Quick Start guide [1] for
examples. Your system will be vulnerable until this action is performed.

[1] https://wiki.gentoo.org/wiki/GRUB2_Quick_Start


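The news item above warns that a system stays vulnerable after the package upgrade until grub2-install has rewritten the boot image. The following script is an added example, not part of Mike Gilbert's message or of the Gentoo ebuild: it flags a GRUB core image on disk that is older than the installed sys-boot/grub package build. It assumes Portage records the build epoch in /var/db/pkg/<cat>/<pkg>/BUILD_TIME and that the core image lives at the usual /boot/grub/<platform>/ paths.

```shell
#!/bin/sh
# Added example (not from the news item or the ebuild): detect a GRUB
# package that was upgraded without re-running grub2-install, so the
# boot image still on disk predates the fixed package build.

# grub_image_stale PKGDIR IMAGE
#   PKGDIR: a /var/db/pkg/sys-boot/grub-<version> directory (assumed to
#           contain BUILD_TIME, the build epoch written by Portage)
#   IMAGE:  the installed core image (core.img for BIOS, core.efi for EFI)
# Exit status: 0 = image older than the package build (re-run
# grub2-install), 1 = image is current, 2 = cannot tell (missing input).
grub_image_stale() {
    pkgdir=$1
    image=$2
    [ -r "$pkgdir/BUILD_TIME" ] || return 2
    [ -f "$image" ] || return 2        # nothing installed here; check by hand
    build=$(tr -d '[:space:]' < "$pkgdir/BUILD_TIME")
    imgtime=$(stat -c %Y "$image")     # GNU stat: mtime as epoch seconds
    [ "$imgtime" -lt "$build" ]
}

# Walk the installed grub package(s) and the usual image locations on a
# live Gentoo system and report anything that still needs grub2-install.
check_live_system() {
    for pkgdir in /var/db/pkg/sys-boot/grub-*; do
        [ -d "$pkgdir" ] || continue
        for image in /boot/grub/i386-pc/core.img /boot/grub/x86_64-efi/core.efi; do
            if grub_image_stale "$pkgdir" "$image"; then
                echo "STALE: $image predates $pkgdir; re-run grub2-install"
            fi
        done
    done
}
```

Run `check_live_system` as root after the package upgrade; an empty result means every image found is at least as new as the package build, but it does not prove grub2-install was run with the right options for your disk or EFI partition.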

* [gentoo-dev] Re: News item: GRUB security update
From: Tobias Heinlein @ 2015-12-19 13:24 UTC
  To: gentoo-dev; +Cc: pr, security


Hi,

On 18.12.2015 21:06, Mike Gilbert wrote:
> Hi, please review the news item below.

thanks for drafting this news item. However, the usual way to inform
users about security flaws is by sending a GLSA. :)

Based on your news item, we have drafted a GLSA now. It's currently
pending review by one other member of the security team and we will send
it in a few hours.

Thanks!

Cheers,
Tobias



* [gentoo-dev] Re: News item: GRUB security update
From: Kristian Fiskerstrand @ 2015-12-19 13:44 UTC
  To: Rich Freeman, Tobias Heinlein; +Cc: gentoo-dev, PR team, security


On 12/19/2015 02:44 PM, Rich Freeman wrote:
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@gentoo.org> wrote:
>> Hi,
>>
>> On 18.12.2015 21:06, Mike Gilbert wrote:
>>> Hi, please review the news item below.
>>


..

> 
> I guess my point isn't that GLSAs are a bad thing, but users need a
> really high S/N ratio if we want them to pay attention.  We need to
> separate the mundane from the important.
> 

This sounds like something that might be appropriate for a Gentoo blog of
some sort (GWN on a more ad-hoc basis?) linking to the GLSA. Even a
private blog as part of Planet Gentoo would likely work (but an official
blog would work nicer).

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* [gentoo-dev] Re: News item: GRUB security update
From: Rich Freeman @ 2015-12-19 13:44 UTC
  To: Tobias Heinlein; +Cc: gentoo-dev, PR team, security

On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@gentoo.org> wrote:
> Hi,
>
> On 18.12.2015 21:06, Mike Gilbert wrote:
>> Hi, please review the news item below.
>
> thanks for drafting this news item. However, the usual way to inform
> users about security flaws is by sending a GLSA. :)
>
> Based on your news item, we have drafted a GLSA now. It's currently
> pending review by one other member of the security team and we will send
> it in a few hours.
>

The only concerns I have with this approach are:
1.  In this case timing is fine, but sometimes GLSAs have a
significant delay, especially when minor archs are involved in
stabilization.
2.  Users probably don't regularly read GLSAs, since for the most part
it just tells them to update packages they've probably already
updated.  How do we make ones that actually have instructions beyond
updating stand out?

I know I stopped reading GLSAs ages ago, because they tended to tell
me to update to a package I had updated to a week before, and when
they said something else 90% of the time it was because there was an
error in the GLSA (usually this happened with subslots and the GLSA
just said <n is vulnerable and the reality is that there were a number
of ranges that were vulnerable vs fixed).  Granted, I have caught one
or two episodes over the years where the actual package might not have
been completely addressed and an older slot needed fixing.

I guess my point isn't that GLSAs are a bad thing, but users need a
really high S/N ratio if we want them to pay attention.  We need to
separate the mundane from the important.

-- 
Rich



* Re: [gentoo-dev] Re: News item: GRUB security update
From: Mike Gilbert @ 2015-12-19 17:04 UTC
  To: Gentoo Dev; +Cc: Tobias Heinlein, PR team, security

On Sat, Dec 19, 2015 at 8:44 AM, Rich Freeman <rich0@gentoo.org> wrote:
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@gentoo.org> wrote:
>> Hi,
>>
>> On 18.12.2015 21:06, Mike Gilbert wrote:
>>> Hi, please review the news item below.
>>
>> thanks for drafting this news item. However, the usual way to inform
>> users about security flaws is by sending a GLSA. :)
>>
>> Based on your news item, we have drafted a GLSA now. It's currently
>> pending review by one other member of the security team and we will send
>> it in a few hours.
>>
>
> The only concerns I have with this approach are:
> 1.  In this case timing is fine, but sometimes GLSAs have a
> significant delay, especially when minor archs are involved in
> stabilization.
> 2.  Users probably don't regularly read GLSAs, since for the most part
> it just tells them to update packages they've probably already
> updated.  How do we make ones that actually have instructions beyond
> updating stand out?
>
> I know I stopped reading GLSAs ages ago, because they tended to tell
> me to update to a package I had updated to a week before, and when
> they said something else 90% of the time it was because there was an
> error in the GLSA (usually this happened with subslots and the GLSA
> just said <n is vulnerable and the reality is that there were a number
> of ranges that were vulnerable vs fixed).  Granted, I have caught one
> or two episodes over the years where the actual package might not have
> been completely addressed and an older slot needed fixing.
>
> I guess my point isn't that GLSAs are a bad thing, but users need a
> really high S/N ratio if we want them to pay attention.  We need to
> separate the mundane from the important.

I had that same thought when keytoaster first replied to this.

Realistically, I suspect very few Gentoo users are using
authentication in GRUB. Those who do are certainly more security
conscious than the average user, and more likely to read GLSAs and
other security announcements.

I think the pkg_postinst message and the GLSA are sufficient coverage
for this issue.



* Re: [gentoo-dev] Re: News item: GRUB security update
From: Dale @ 2015-12-19 18:28 UTC
  To: gentoo-dev

Rich Freeman wrote:
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@gentoo.org> wrote:
>> Hi,
>>
>> On 18.12.2015 21:06, Mike Gilbert wrote:
>>> Hi, please review the news item below.
>> thanks for drafting this news item. However, the usual way to inform
>> users about security flaws is by sending a GLSA. :)
>>
>> Based on your news item, we have drafted a GLSA now. It's currently
>> pending review by one other member of the security team and we will send
>> it in a few hours.
>>
> << SNIP >>
> 2.  Users probably don't regularly read GLSAs, since for the most part
> it just tells them to update packages they've probably already
> updated.  How do we make ones that actually have instructions beyond
> updating stand out?
>
> I know I stopped reading GLSAs ages ago, because they tended to tell
> me to update to a package I had updated to a week before, and when
> they said something else 90% of the time it was because there was an
> error in the GLSA (usually this happened with subslots and the GLSA
> just said <n is vulnerable and the reality is that there were a number
> of ranges that were vulnerable vs fixed).  Granted, I have caught one
> or two episodes over the years where the actual package might not have
> been completely addressed and an older slot needed fixing.
>
> I guess my point isn't that GLSAs are a bad thing, but users need a
> really high S/N ratio if we want them to pay attention.  We need to
> separate the mundane from the important.
>


+1.  Given all the changes that have been done, I don't even know how to
read them any more because I stopped a long time ago.

I might add, I also don't read blogs about this sort of thing.  About
the only time I read a blog is if it is linked to here or on -user. 
Other than that, rarely if ever. 

All things considered, if it isn't a news item or something I follow on
this list, I may never know about it.  I really depend on the news
items.  Just keep the noise down or folks will start to ignore them too,
although y'all are good at only telling us about things that affect us.

Dale

:-)  :-) 


