Why is the Linux kernel doing anything with HTTP?
In other critical vulnerability news, the Linux bootloader had an out-of-bounds write (attacker-controlled length and data) in the HTTP boot code. Vuln has been there a decade. https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d
#infosec #cyber #security #cybersec #CyberSecurity #vuln #vulnerability #SecureBoot
Discussion
I need a list of the Linux kernel modules that can do HTTP; that way I can uncheck them next time I compile my kernel.
You'll probably want to uncheck WireGuard and the X.509 parsers in there too if you don't use them (they can be used to do things like verify signatures on an executable before running it, but very few people use that feature).
There are just SO MANY options in the kernel now, plan on taking a few hours to go through it. 🍵
I thought the *exact* *same* *thing* when I saw that code. I guess that's what people are doing these days instead of PXE boot?
It looks like that probably got started with UEFI, which makes sense since this all seems to be related to secure boot.