* Merge from Debian unstable; remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Revert "Add jfs module to signed UEFI images. Closes: #950959"
- Revert "Add f2fs module to signed UEFI images"
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
- grub-multi-install: Reset partition type between partitions (LP: #1997795)
- Drop i386 from grub-efi-amd64* (LP: #2020907)
- Turn depends on grub-efi-amd64/arm64 unversioned
- forward port fix for LP: #1926748
- Make the grub2/no_efi_extra_removable setting work correctly
- Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
compatible with our versioning schemes.
- Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
- rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
- Replaced patches:
- installe-signed.patched
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-install-signed.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-os-prober-auto.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-vt-handoff.patch
* Removed luks2 from signed EFI binaries (LP: #2043101)
grub2 (2.12~rc1-12) unstable; urgency=medium
[ Mate Kukri ]
* Port UEFI based network stack to 2.12 (LP: #2039081)
* efi: Correct image unloading behavior
* Prevent the incorrect use of `UnloadImage()` by binaries loaded by peimage
* efinet: HTTP_MESSAGE fix field size (LP: #2043084)
[ Abe Wieland ]
* Maintain administrator value for os-prober
[ Mate Kukri ]
* SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
and may leak sensitive information into the GRUB pager.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
label.patch:
fs/ntfs: Fix an OOB read when parsing a volume label
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
index-at.patch:
fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
entries-fr.patch:
fs/ntfs: Fix an OOB read when parsing directory entries from resident and
non-resident index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
reside.patch:
fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
attribute
- CVE-2023-4693
* SECURITY UPDATE: Crafted file system images can cause heap-based buffer
overflow and may allow arbitrary code execution and secure boot bypass.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
ATTRIBUTE_LIST-.patch:
fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
the $MFT file
- d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
fs/ntfs: Make code more readable
- CVE-2023-4692
* efi: Cleanup peimage.c
This bug was fixed in the package grub2 - 2.12~rc1-12ubuntu2
---------------
grub2 (2.12~rc1-12ubuntu2) noble; urgency=medium
* Merge from Debian unstable; remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Revert "Add jfs module to signed UEFI images. Closes: #950959"
- Revert "Add f2fs module to signed UEFI images"
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
- grub-multi-install: Reset partition type between partitions (LP: #1997795)
- Drop i386 from grub-efi-amd64* (LP: #2020907)
- Turn depends on grub-efi-amd64/arm64 unversioned
- forward port fix for LP: #1926748
- Make the grub2/no_efi_extra_removable setting work correctly
- Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
compatible with our versioning schemes.
- Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
- rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
- Replaced patches:
- installe-signed.patched
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-install-signed.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-os-prober-auto.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-vt-handoff.patch
* Removed luks2 from signed EFI binaries (LP: #2043101)
grub2 (2.12~rc1-12) unstable; urgency=medium
[ Mate Kukri ]
* Port UEFI based network stack to 2.12 (LP: #2039081)
* efi: Correct image unloading behavior
* Prevent the incorrect use of `UnloadImage()` by binaries loaded by peimage
* efinet: HTTP_MESSAGE fix field size (LP: #2043084)
[ Abe Wieland ]
* Maintain administrator value for os-prober
[ Julian Andres Klode ]
* Cherry-pick upstream XFS directory extent parsing fixes (Closes: #1051543)
(LP: #2039172)
grub2 (2.12~rc1-11) unstable; urgency=medium
[ Mate Kukri ]
* SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
and may leak sensitive information into the GRUB pager.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
label.patch:
fs/ntfs: Fix an OOB read when parsing a volume label
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
index-at.patch:
fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
entries-fr.patch:
fs/ntfs: Fix an OOB read when parsing directory entries from resident and
non-resident index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
reside.patch:
fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
attribute
- CVE-2023-4693
* SECURITY UPDATE: Crafted file system images can cause heap-based buffer
overflow and may allow arbitrary code execution and secure boot bypass.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
ATTRIBUTE_LIST-.patch:
fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
the $MFT file
- d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
fs/ntfs: Make code more readable
- CVE-2023-4692
* efi: Cleanup peimage.c
[ Julian Andres Klode ]
* Bump SBAT to grub,4
-- Mate Kukri <email address hidden> Thu, 09 Nov 2023 16:16:56 +0200