Debian: Security Advisory for grub2 (DSA-4735-1)

The remote host is missing an update for the 'grub2' package(s) announced via the DSA-4735-1 advisory.

Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-10713 A flaw in the grub.cfg parsing code was found allowing to break UEFI Secure Boot and load arbitrary code. Details can be found at at the linked references. It was discovered that grub_malloc does not validate the allocation size allowing for arithmetic overflow and subsequently a heap-based buffer overflow. CVE-2020-14309 An integer overflow in grub_squash_read_symlink may lead to a heap based buffer overflow. CVE-2020-14310 An integer overflow in read_section_from_string may lead to a heap based buffer overflow. CVE-2020-14311 An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow. CVE-2020-15706 script: Avoid a use-after-free when redefining a function during execution. CVE-2020-15707 An integer overflow flaw was found in the initrd size handling. Further detailed information can be found at the linked references.

'grub2' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For the stable distribution (buster), these problems have been fixed in version 2.02+dfsg1-20+deb10u1. We recommend that you upgrade your grub2 packages.