CVE-2020-15705
GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.
Related bugs and status
CVE-2020-15705 (Candidate) is related to these bugs:
Bug #1401532: GRUB's Secure Boot implementation loads unsigned kernel without warning

Bug | Summary | In | Importance | Status |
---|---|---|---|---|
1872979 | collectd core dump generated after lock/unlock controller-0 | StarlingX | Low | Fix Released |
1886064 | Upgrades are not able to add new keystone users/services/endpoints | StarlingX | Medium | Fix Released |
1887438 | Controller-0 Not Ready after force rebooting active controller (Controller-1) | StarlingX | Medium | Fix Released |
1887677 | stx-openstack: etcd 1MB size limit will prevent scaling up openstack workers | StarlingX | Medium | Fix Released |
1892768 | Containerd config needs a jinja template | StarlingX | Low | Fix Released |
1893669 | swact is not triggered after killing dnsmasq process within 90 seconds | StarlingX | Medium | Fix Released |
1894870 | etcd instance not secured | StarlingX | High | Fix Released |
1895555 | OAM IP change needs double lock/unlock controllers for IPV6 system | StarlingX | Medium | Fix Released |
1900920 | pods do not get restarted in an AIO-DX system | StarlingX | Medium | Fix Released |
1901449 | DC: rbd mounted devices becomes read only after enabling https on system controller | StarlingX | Medium | Fix Released |
1903994 | Retain more puppet log files to help with debugging | StarlingX | Low | Fix Released |
1904739 | kubernetes-nat rule not applied on controller following DOR | StarlingX | Medium | Fix Released |
1904885 | Failure to connect to registry.local due to DNS resolution issues | StarlingX | Medium | Fix Released |
1907678 | New pip resolver breaks tox for some repos | StarlingX | High | Fix Released |
1914291 | Failure changing kube-apiserver parameters | StarlingX | High | Fix Released |
1915050 | IPv6: All hosts remain offline after booting off the controller-0 | StarlingX | Critical | Fix Released |
1915951 | Shared NIC: System doesn't retain the rate-limit config when a pod is deleted | StarlingX | Medium | Fix Released |
1916620 | Worker fails reboot recovery due to SRIOV timeout | StarlingX | Medium | Fix Released |
1916946 | CVE-2021-3156 sudo privilege escalation | StarlingX | Medium | Fix Released |
1917229 | worker runtime config missed system.yaml hiera | StarlingX | Medium | Fix Released |
1917308 | Stx-openstack apply-fail after swact standby controller, lock, unlock standby controller | StarlingX | Critical | Fix Released |
1917781 | Controller-0 showing disabled/offline in dm while it is unlocked/available in sysinv | StarlingX | Low | Fix Released |
1918139 | On AIO hosts, kuberenetes is starting before key resources are initialized | StarlingX | Medium | Fix Released |
1919274 | Adding bare-metal Ceph storage backend at runtime fails | StarlingX | High | Fix Released |
1919276 | Bare-metal Ceph Metadata servers are not started by the Ceph runtime manifests | StarlingX | Medium | Fix Released |
1920245 | drbd filesystems not resized during bootstrap | StarlingX | Medium | Fix Released |
1923510 | admin endpoint certificate overwritten by expired copy | StarlingX | High | Fix Released |
1923665 | No LLDP information available for Fortville i40e NIC | StarlingX | Medium | Fix Released |
1923879 | crash kernel fails to boot with ice network hw | StarlingX | High | Fix Released |
1924209 | Storage-0 went offline due to NIC driver continuousely failed to allocate memory | StarlingX | Low | Fix Released |
1924579 | armada-api container not using the correct user | StarlingX | Low | Fix Released |
1924686 | systemd excessively reads mountinfo and udev in dense container environments | StarlingX | Medium | Fix Released |
1924691 | systemd sends tons of useless PropertiesChanged messages when a mount happens | StarlingX | Medium | Fix Released |
1926172 | Fail to run unit tests with pepe8/flake8 | StarlingX | Low | Fix Released |
1926366 | Two unlocks required when converting a single-nic system to enable SR-IOV on the underlying interface | StarlingX | Low | Fix Released |
1926591 | Unlock fails after restore when trying to resize docker-lv fs | StarlingX | High | Fix Released |
1927153 | intel-fpga/intel-gpu/intel-qat: docker images build errors | StarlingX | Medium | Fix Released |
1927224 | AIO-SX migration to AIO-DX failed on standalone system | StarlingX | High | Fix Released |
1927275 | AIO-SX reboots after change OAM ip address | StarlingX | High | Fix Released |
1927515 | ETCD poor latency performance and failure under load | StarlingX | Medium | Fix Released |
1927730 | Secure boot via pxeboot fails with updated grub2 | StarlingX | High | Fix Released |
1927758 | AIO-SX failed to come up due to sriov rate limit config failures in puppet | StarlingX | High | Fix Released |
1927762 | AIO-SX failed to start up after unlock due to lvm_global_filter. | StarlingX | Medium | Fix Released |
1928018 | AIO-SX: armada pod stuck in Unknown after host-lock/unlock | StarlingX | Medium | Fix Released |
1928135 | During upgrade activation, system controller swact and activation failed | StarlingX | Medium | Fix Released |
1928141 | AIO-SX upgrade_platform playbook fails waiting for armada-api pod | StarlingX | Medium | Fix Released |
1928353 | Bad behaving pod not well separated from the platform | StarlingX | Medium | Fix Released |
1928934 | Storage-services loss of redundancy after lock/unlock of standby controller | StarlingX | Medium | Fix Released |
1933263 | pxeboot_setup.sh copies wrong grubx64.efi | StarlingX | Medium | Fix Released |
See the CVE page on Mitre.org for more details.