A long list of GRUB2 secure-boot holes
Several vulnerabilities have been disclosed in the GRUB2 bootloader; they enable the circumvention of the UEFI secure boot mechanism and the persistent installation of hostile software. Fixing the problem is not just a matter of getting a new GRUB2 installation, unfortunately.

"It is important to note that updating the exploitable binaries does not in fact mitigate the CVE, since an attacker could bring an old, exploitable, signed copy of a grub binary onto a system with whatever kernel they wished to load. In order to mitigate, the UEFI Revocation List (dbx) must be updated on a system. Once the UEFI Revocation List is updated on a system, it will no longer boot binaries that pre-date these fixes. This includes old install media."
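
Because the mitigation depends on the contents of dbx rather than on the installed GRUB2 version, the following added example (not from the original article or the GRUB2 project) parses a dbx blob in the UEFI `EFI_SIGNATURE_LIST` layout and checks whether a given digest is listed. It assumes the Linux efivarfs path shown; the function names and the sample blob are constructed for illustration, and SHA-256 entries are matched against the Authenticode digest of a PE binary, not a plain file hash.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumed location: the dbx variable as exposed by Linux efivarfs.
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_dbx_sha256(blob):
    """Return the SHA-256 digests (hex) found in concatenated EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        if sig_type == EFI_CERT_SHA256 and sig_size == 48:
            for i in range(0, len(body), sig_size):
                # EFI_SIGNATURE_DATA: 16-byte owner GUID followed by the digest.
                digests.add(body[i + 16:i + 48].hex())
        off += list_size  # other list types (e.g. X.509) are skipped
    return digests

def read_dbx(path=DBX_PATH):
    """Read dbx from efivarfs, dropping the 4-byte attribute prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]

def is_revoked(authenticode_sha256_hex, blob):
    # True if the binary's Authenticode SHA-256 digest is listed in dbx.
    return authenticode_sha256_hex.lower() in parse_dbx_sha256(blob)

def build_sample():
    """Constructed sample: a SHA-256 list with two entries, then an X.509 list."""
    owner = uuid.UUID(int=0).bytes_le
    entries = b"".join(owner + bytes([n]) * 32 for n in (0xAA, 0xBB))
    sha_list = EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(entries), 0, 48) + entries
    cert = owner + b"\x30" * 10  # placeholder bytes, not a real certificate
    x509_list = EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + len(cert), 0, len(cert)) + cert
    return sha_list + x509_list
```

On a live system, `is_revoked(digest, read_dbx())` answers whether firmware will refuse a binary with that digest; reading the variable may require root.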