Hi,
Fedora CoreOS recently added support for setting a GRUB password [1].
When this feature is enabled, GRUB requires a password to access the
GRUB command-line, modify kernel command-line arguments, or boot
non-default OSTree deployments.
Recent Fedora CoreOS releases have a misconfiguration which allows
booting non-default OSTree deployments without entering a password.
This allows someone with access to the GRUB menu to boot into an older
version of Fedora CoreOS. A password is still required to modify
kernel command-line arguments and to access the GRUB command line.
Machines provisioned from the following Fedora CoreOS releases are affected:
- stable 36.20220820.3.0 and later
- testing 36.20220906.2.0 and later
- next 36.20220906.1.0 and later
The following Fedora CoreOS releases will fix the problem for newly
deployed machines and automatically correct the misconfiguration for
existing machines:
- stable 36.20221014.3.0 (new machines), 36.20221030.3.0 (existing machines)
- testing 36.20221030.2.0 (new and existing machines)
- next 37.20221031.1.0 (new and existing machines)
If you do not use the GRUB password feature, or if you do use it and
have provisioned your machines from unaffected Fedora CoreOS images,
no action is required.
If your machines on the `next` or `testing` streams are affected, the
problem will be automatically corrected by this week's releases. On
the `stable` stream, newly created machines will be fixed by this
week's release, and existing machines will be fixed by the release on
the week of November 14. If you would like to correct the problem
before then, you can manually run the following commands on affected
machines:
# Tell OSTree to append grub_users="" to every non-default BLS entry it writes
sudo ostree config set sysroot.bls-append-except-default 'grub_users=""'
# Patch the existing non-default entries in place (the last entry in
# version order is the default deployment and is left untouched)
sudo unshare -mw /boot/loader/entries bash -c \
    'mount -o rw,remount /boot &&
    for f in $(ls -v ostree-*-fedora-coreos.conf | head -n -1); do
        if ! grep -q grub_users "$f"; then
            echo grub_users \"\" >> "$f";
        fi;
    done'
To check which version of Fedora CoreOS was used to provision a
machine, run the following command:
jq -r .build /sysroot/.coreos-aleph-version.json
For additional updates, follow the Fedora CoreOS tracker issue [2].
If you have any questions or concerns, post a comment in the issue or
contact us in #fedora-coreos on Libera.Chat.
--Benjamin Gilbert, for the Fedora CoreOS team
[1]: https://docs.fedoraproject.org/en-US/fedora-coreos/grub-password/
[2]: https://github.com/coreos/fedora-coreos-tracker/issues/1333
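An added audit script (not from the announcement or the Fedora CoreOS project) that checks whether the non-default BLS entries the fix command edits already carry a grub_users line, so an operator can confirm the correction took effect; it assumes the entries live in /boot/loader/entries, as in the fix above, and accepts another directory for testing.

```shell
#!/bin/bash
# Constructed audit helper, not part of the Fedora CoreOS announcement.
# It reports non-default OSTree BLS entries that lack a grub_users line,
# i.e. older deployments still bootable without the GRUB password.
# Entries directory defaults to /boot/loader/entries (assumption from the
# fix command above); the test passes a constructed directory instead.

# Returns 0 when the entry file carries a grub_users line, 1 otherwise.
bls_entry_has_grub_users() {
    grep -q '^grub_users' "$1"
}

# Lists non-default entries exactly as the fix command selects them:
# version-sort the ostree-*-fedora-coreos.conf files and drop the last
# one, which is the default deployment and must stay bootable.
non_default_bls_entries() {
    local dir="$1"
    (cd "$dir" 2>/dev/null && ls -v ostree-*-fedora-coreos.conf 2>/dev/null | head -n -1)
}

# Prints each unprotected entry plus a summary; exit status 0 means every
# non-default deployment requires the GRUB password.
audit_bls_entries() {
    local dir="${1:-/boot/loader/entries}"
    local unprotected=0
    local f
    for f in $(non_default_bls_entries "$dir"); do
        if ! bls_entry_has_grub_users "$dir/$f"; then
            echo "UNPROTECTED: $dir/$f"
            unprotected=$((unprotected + 1))
        fi
    done
    echo "non-default entries bootable without a GRUB password: $unprotected"
    [ "$unprotected" -eq 0 ]
}
```

Run it as root on an affected machine before and after applying the fix; a non-zero exit status means at least one rollback deployment is still unprotected.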
Hi,
OpenSSL has released fixes for two vulnerabilities in X.509
certificate verification. On affected releases, connecting to a
malicious HTTPS server can result in a crash or potentially in remote
code execution. The risk of remote code execution is believed to be
mitigated by multiple factors. For more information, see the upstream
[1] and Red Hat [2] advisories and the upstream blog post [3]. In
addition, software written in Go, including Ignition and the Podman
stack, is not affected.
Fedora CoreOS will roll out a fix later today in out-of-cycle `next`
(37.20221021.1.1) and `testing` (36.20221014.2.1) releases. These
will be followed by regular releases tomorrow, including a fixed
`stable` (36.20221014.3.0).
Updates will be posted in the Fedora CoreOS tracker issue [4]. If you
have any questions or concerns, post a comment in the issue or contact
us in #fedora-coreos on Libera.Chat.
--Benjamin Gilbert, for the Fedora CoreOS team
[1]: https://www.openssl.org/news/secadv/20221101.txt
[2]: https://access.redhat.com/security/cve/cve-2022-3602
[3]: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
[4]: https://github.com/coreos/fedora-coreos-tracker/issues/1329