I am new to Ubuntu and have 18.04. How do I install the new update to fix the BootHole vulnerability on my 18.04? What commands, process, etc., should I use?
This question is not unclear. – karel Jul 31 '20 at 14:53
1 Answer
Most folks don't need to do anything at all.
The Ubuntu Security Team has labored mightily to ensure that these CVEs can be fixed through normal security upgrades. For most folks, those occur automatically.
Ensure that you have the -security repository enabled for your release of Ubuntu. This is already enabled by default in all deb-based versions of Ubuntu. The following steps won't work without the -security repository enabled.
- Related: How to enable the -security repository (most folks do not need this)
Unattended Upgrades is also enabled by default. If it's enabled, then you don't need to do anything. The fixes will be downloaded and installed automatically.
If you have disabled Unattended Upgrades, or don't want to wait a couple hours, then an ordinary sudo apt update and sudo apt upgrade will install the fixes.
Checking whether you have already received the security upgrade is a simple two-step process:
1. Look at this table to determine your NEW package version.
Example: on 20.04, the table says that the package grub-efi-amd64-bin is fixed with version 2.04-1ubuntu26.1
2. Query apt for the current installed version.
Example: On 20.04, the current version according to apt:
$ apt list grub-efi-amd64-bin
Listing... Done
grub-efi-amd64-bin/focal-updates,now 2.04-1ubuntu26.1 amd64 [installed,automatic]
See how the version number matches the table? This system is already fixed (it was done by Unattended Upgrades automatically a few hours ago).
References:
Security Team Blog Post on the Boothole vulnerabilities.
Ubuntu Security Podcast Episode 84, a discussion from the Ubuntu Security Team of the vulnerability, how the fix works, and how the fix was coordinated across multiple distros.
Ubuntu Wiki Page detailing the CVEs
Ubuntu Security Notice for boothole, showing the fixed package versions.

I suggest that you automate the process with apt list --installed | grep "^grub-*" which returns a list of all installed grub packages and their versions. – karel Jul 31 '20 at 14:50
Careful with grub updates. See https://access.redhat.com/solutions/5272311 Redhat's update leaves systems unbootable. – ubfan1 Jul 31 '20 at 16:09
@ubfan1 I am always wary of these as well, but so far no problems with this one. Whew! – Organic Marble Jul 31 '20 at 16:15