Better not install them: Updates against the BootHole vulnerabilities for RHEL, CentOS, Debian and Ubuntu cause serious problems on some systems.
Two security updates provided by the Red Hat Enterprise Linux (RHEL) developers were actually supposed to close the Grub2 vulnerability "BootHole". However, it has now turned out that the updates RHSA_2020:3216 and RHSA_2020:3217 can themselves cause damage: apparently many users can no longer boot at all after applying them, because the Grub menu does not load.
The same problem also exists with the free RHEL clone CentOS. As it turned out later, it sometimes also occurs on Debian and Ubuntu systems. Updated security advisories and some fixed packages are available for the various distributions.
We have described the BootHole bugs in a separate article.
RHSA_2020:3216 and RHSA_2020:3217: do not install!
The Red Hat team has published a security advisory regarding the broken updates. It confirms the issue for RHEL versions 7.8 and 8.2. Versions 7.9 and 8.1 EUS are only "potentially affected" (problem not confirmed). With RHEL, the problem generally only occurs in UEFI mode and not in classic BIOS mode.
Update 8/3/20, 2:00 p.m. + 2:15 p.m.:
Red Hat has provided updated packages of the secure boot loader Shim and updated the security advisory again. The comments section there indicates that users can now update without worry (possibly on a test system first).
Updated Grub packages are no longer to be expected: according to developer Renaud Metrich, the problem was caused by faulty shim packages. Accordingly, the security advisory now also includes "Diagnostic steps" for detecting the problematic shim packages.
- RHEL 7.8: RHBA-2020:3265
- RHEL 8.0.0: RHBA-2020:3264
- RHEL 8.1.0: RHBA-2020:3263
- RHEL 8.2.0: RHBA-2020:3262
Updated shim packages are also available for CentOS in the form of shim-x64-15-8.el7_8.x86_64.rpm (CentOS 7) and shim-x64-15-15.el8_2.x86_64.rpm (CentOS 8).
Fixes and Notes for Debian and Ubuntu
Unlike on RHEL/CentOS, the boot problems on Debian and Ubuntu systems seem to occur, if at all, only when using BIOS and dual boot (Linux/Windows). For Debian Stable (Buster and Sid), the updated Grub2 package 2.02+dfsg1-20+deb10u2 fixes the bug.
The Ubuntu team has added a troubleshooting section to their BootHole article. Here too, a package downgrade is suggested for the, as the text puts it, "improbable" case of boot issues after installing the previously released Grub2 updates. Otherwise, it is important to watch for new, repaired packages.