This bug was fixed in the package grub2 - 2.02+dfsg1-5ubuntu1

---------------
grub2 (2.02+dfsg1-5ubuntu1) cosmic; urgency=medium

  [ Mathieu Trudel-Lapierre]
  * Merge against Debian unstable; remaining changes:
    - debian/control: Update Vcs fields for code location on Ubuntu.
    - debian/control: Breaks shim (<< 13).
    - Secure Boot support: use newer patchset from rhboot repo:
      - many linuxefi_* patches added and modified
      - dropped debian/patches/linuxefi_require_shim.patch
      - renamed: debian/patches/no_insmod_on_sb.patch ->
        debian/patches/linuxefi_no_insmod_on_sb.patch
    - debian/patches/install_signed.patch, grub-install-extra-removable.patch:
      - Make sure if we install shim; it should also be exported as the default
        bootloader to install later to a removable path, if we do.
      - Rework grub-install-extra-removable.patch to reverse its logic: in the
        default case, install the bootloader to /EFI/BOOT, unless we're trying
        to install on a removable device, or explicitly telling grub *not* to
        do it.
      - Move installing fb$arch.efi to --no-extra-removable; as we don't want
        fallback to be installed unless we're also installing to /EFI/BOOT.
        (LP: #1684341)
      - Install a BOOT.CSV for fallback to use.
      - Make sure postinst and templates know about the replacement of
        --force-extra-removable with --no-extra-removable.
    - debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
      --auto-nvram option to grub-install for auto-detecting NVRAM availability
      before attempting NVRAM updates.
    - debian/build-efi-images: provide a new grub EFI image which enforces that
      loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
      the same as grub$arch.efi minus the 'linux' module. Without fallback to
      'linux' for unsigned loading, this makes it effectively enforce having a
      signed kernel. (LP: #1401532)
    - Verify that the current and newer kernels are signed when grub is
      updated, to make sure people do not accidentally shutdown without a
      signed kernel.
    - debian/default/grub: replace GRUB_HIDDEN_* variables with the less
      confusing GRUB_TIMEOUT_STYLE=hidden. (LP: #1258597)
    - debian/patches/support_initrd-less_boot.patch: Added knobs to allow
      non-initrd boot config. (LP: #1640878)
    - Disable os-prober for ppc64el on the PowerNV platform, to reduce the
      number of entries/clutter from other OSes in Petitboot (LP: #1447500)
    - debian/patches/shorter_version_info.patch: Only show the upstream version
      in menu and console, and hide the package one in a package_version
      variable. (LP: #1723434)
    - debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
      'text' payload if it's not supported but present in gfxpayload, such as
      on EFI systems. (LP: #1711452)
    - debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
      fizes as block sizes in bufio: this avoids potentially seeking back in
      the files unnecessarily, which may require re-open files that cannot be
      seeked into, such as via TFTP. (LP: #1743249)
    * util/grub-install.c: Drop extra handling for x.efi.signed files for mok
      and fallback binaries: shim now installs them without the .signed
      extension. (LP: #1708245)
    - debian/patches/dont-fail-efi-warnings.patch: handle linuxefi patches and
      the casting they do on some architectures: we don't want to fail build
      because of some of the warnings that can show up since we otherwise build
      with -Werror.
  * debian/rules: shuffle files around for now to keep putting build artefacts
    for signing at the same location as they were expected by Launchpad.

  [ Julian Andres Klode ]
  * debian/patches/ofnet-init-structs-in-bootpath-parser.patch: initialize
    structs in bootpath parser. Fixes netboot issues on ppc64el. (LP: #1785859)

grub2 (2.02+dfsg1-5) unstable; urgency=medium

  [ Colin Watson ]
  * Change Maintainer to <email address hidden>, following
    Alioth lists migration.
  * Backport from upstream:
    - Use grub-file to figure out whether multiboot2 should be used for
      Xen.gz (closes: #898947).
    - x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32.
  * Fix some test failures:
    - Disable sercon in SeaBIOS.
    - Fix qemu options for UHCI test.

  [ Philipp Hahn ]
  * Disallow unsigned kernels if UEFI Secure Boot is enabled
    (patch by Linn Crosetto <email address hidden>)
  * Add patch to fix lockdown mode
    (patch by Luca Boccassi <email address hidden>)
  * Build monolithic EFI binaries for signing (closes: #851994)
  * Add template for signing monolithic EFI binaries
  * debian/build-efi-images: Use correct EFI vendor (closes: #769172)

  [ Luca Boccassi ]
  * template packages: install changelog and copyright
  * Override lintian error about template rules file
  * Add XB-Efi-Vendor metadata to efi-*-bin packages

grub2 (2.02+dfsg1-4) unstable; urgency=medium

  * Adjust restore_mkdevicemap.patch to fix format-overflow warning with GCC
    7 (the overflow was in fact impossible in practice, but GCC couldn't
    prove that).
  * Cherry-pick upstream patch to disable -Wformat-truncation on GCC >= 7 in
    printf_unit_test.
  * Build with GCC 7 (closes: #892397).

grub2 (2.02+dfsg1-3) unstable; urgency=medium

  * sparc64: Don't use devspec to determine the OBP path (closes: #854568).
  * ieee1275: Fix crash in of_path_of_nvme when of_path is empty (closes:
    #891773).
  * sparc64: Limit nvme of_path_of_nvme to just SPARC.

grub2 (2.02+dfsg1-2) unstable; urgency=medium

  * Build-depend on libparted-dev on powerpc and ppc64 (closes: #891070).
  * Add support for modern sparc64 hardware (thanks, Eric Snowberg via John
    Paul Adrian Glaubitz; closes: #854568).
  * Build without PIE on sparc and sparc64 (thanks, John Paul Adrian
    Glaubitz; closes: #891733).

grub2 (2.02+dfsg1-1) unstable; urgency=medium

  * Switch to tracking debian/grub-extras/ using "git subtree" rather than
    submodules.
  * Update debian/README.source for Salsa migration.
  * Use pkg-config to find FreeType (closes: #887721).
  * Change various binary packages' priorities to optional, since "Priority:
    extra" is now deprecated.
  * Repack upstream tarball without grub-core/lib/libgcrypt*/cipher/crc.c,
    and provide a replacement implementation backported from more recent
    versions of libgcrypt (closes: #745409).
  * Cherry-pick upstream patch to avoid -Werror=unused-value build failure
    (closes: #890431).
  * Handle the case where udevadm exists but is non-functional, as warned
    about by Lintian 2.5.75.

grub2 (2.02-3) unstable; urgency=medium

  * Use current location for upstream signing key
    (debian/upstream/signing-key.asc).
  * Update upstream signing key to a non-expired version.
  * Install bootinfo.txt and grub.chrp in grub-ieee1275-bin for ppc64, and
    install and use prep-bootdev on powerpc and ppc64 as well as ppc64el
    (thanks, John Paul Adrian Glaubitz; closes: #881730).
  * Cherry-pick upstream patch to change the default TSC calibration method
    to pmtimer on EFI systems (closes: #883193).
  * Move VCS to salsa.debian.org.
  * Consistently create /boot/grub in the postinst of all grub-<platform>
    packages (closes: #884883).

  [ Debconf translations ]
  * [sq] Albanian (Silva Arapi; closes: #874497).

 -- Mathieu Trudel-Lapierre <email address hidden>  Thu, 23 Aug 2018 15:00:14 -0400