Change log for grub2 package in Debian

Published in sid-release
grub2 (2.12-2) unstable; urgency=medium

  [ Mate Kukri ]
  * Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127)
  * d/build-efi-images: Make sure downstream didn't remove peimage SBAT
    entry
  * SECURITY UPDATE: Use-after-free in peimage module [LP: #2054127]
    - CVE-2024-2312

  [ Julian Andres Klode ]
  * Bump SBAT level to `grub.peimage,2`; and also bump `grub.debian,5` to
    make sure we can revoke any downstream users of peimage that forgot to
    include the grub.peimage component if that should become necessary.

 -- Julian Andres Klode <email address hidden>  Fri, 05 Apr 2024 20:45:55 +0200
Superseded in sid-release
grub2 (2.12-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No change rebuild.  (closes: #1067486)

 -- Bastian Blank <email address hidden>  Mon, 01 Apr 2024 10:20:09 +0200
Published in bullseye-release
grub2 (2.06-3~deb11u6) bullseye-security; urgency=medium

  [ Mate Kukri ]
  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692

  [ Julian Andres Klode ]
  * Bump SBAT to grub,4

 -- Julian Andres Klode <email address hidden>  Mon, 02 Oct 2023 16:11:34 +0200
Superseded in sid-release
grub2 (2.12-1) unstable; urgency=medium

  [ Mate Kukri ]
  * New upstream version, 2.12
  * d/patches: Rebase on `upstream/2.12` and drop superseded patches:
    - Dropping patches now included upstream:
      + d/p/ntfs-cve-fixes/*: Fixes for NTFS OOB CVE
      + d/p/upstream/xfs-*: XFS parsing fixes
      + d/p/upstream/unmerged-usr-shebang.patch
    - Dropping patch replaced with configure option:
      + d/p/dejavu-font-path.patch
  * d/rules: Pass configure option '--enable-grub-themes'
  * d/rules: Provide Debian specific DejaVu path via configure
  * d/{control,rules}: Use default gcc version
  * d/p/extra_deps_lst.patch:
    Checkout "extra_deps.lst" from upstream/master
  * d/p/sb/revert-efi-fallback-to-legacy.patch:
    Also revert newer fallback patch

  [ Julian Andres Klode ]
  * Add Mate to Uploaders

 -- Mate Kukri <email address hidden>  Mon, 15 Jan 2024 09:54:55 +0000
Superseded in sid-release
grub2 (2.12~rc1-13) unstable; urgency=medium

  * No-change rebuild to retrigger signing following binNMU breakage

 -- Julian Andres Klode <email address hidden>  Fri, 12 Jan 2024 19:00:41 +0100
Published in bookworm-release
Published in sid-release
grub2 (2.06-13+deb12u1) bookworm-security; urgency=medium

  [ Mate Kukri ]
  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692

  [ Julian Andres Klode ]
  * Bump SBAT to grub,4

 -- Julian Andres Klode <email address hidden>  Mon, 02 Oct 2023 16:11:34 +0200
Superseded in sid-release
grub2 (2.12~rc1-12) unstable; urgency=medium

  [ Mate Kukri ]
  * Port UEFI based network stack to 2.12 (LP: #2039081)
  * efi: Correct image unloading behavior
  * Prevent the incorrect use of `UnloadImage()` by binaries loaded by peimage
  * efinet: HTTP_MESSAGE fix field size (LP: #2043084)

  [ Abe Wieland ]
  * Maintain administrator value for os-prober

  [ Julian Andres Klode ]
  * Cherry-pick upstream XFS directory extent parsing fixes (Closes: #1051543)
    (LP: #2039172)

 -- Julian Andres Klode <email address hidden>  Thu, 09 Nov 2023 14:13:44 +0200
Superseded in sid-release
grub2 (2.12~rc1-11) unstable; urgency=medium

  [ Mate Kukri ]
  * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
    and may leak sensitive information into the GRUB pager.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
      label.patch:
      fs/ntfs: Fix an OOB read when parsing a volume label
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
      index-at.patch:
      fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
      entries-fr.patch:
      fs/ntfs: Fix an OOB read when parsing directory entries from resident and
      non-resident index attributes
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
      reside.patch:
      fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
      attribute
    - CVE-2023-4693
  * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
    overflow and may allow arbitrary code execution and secure boot bypass.
    - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
      ATTRIBUTE_LIST-.patch:
      fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
      the $MFT file
    - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
      fs/ntfs: Make code more readable
    - CVE-2023-4692
  * efi: Cleanup peimage.c

  [ Julian Andres Klode ]
  * Bump SBAT to grub,4

 -- Julian Andres Klode <email address hidden>  Mon, 02 Oct 2023 15:55:25 +0200
Superseded in sid-release
grub2 (2.12~rc1-10) unstable; urgency=medium

  [ Julian Andres Klode ]
  * Cherry pick fix for unmerged usr shebang (Closes: #1051251)
  * grub-common.dirs: Install empty /etc/default/grub.d (Closes: #1051412)

  [ Mate Kukri ]
  * efi: Eliminate globals from the `peimage.c` chainloader

 -- Julian Andres Klode <email address hidden>  Mon, 18 Sep 2023 12:23:29 +0200
Superseded in sid-release
grub2 (2.12~rc1-9) unstable; urgency=medium

  * Correct the Breaks to include the ~rc1 bit of the version

 -- Julian Andres Klode <email address hidden>  Tue, 05 Sep 2023 19:13:30 +0200
Superseded in sid-release
grub2 (2.12~rc1-7) unstable; urgency=medium

  * Upload to unstable

 -- Julian Andres Klode <email address hidden>  Mon, 04 Sep 2023 20:03:09 +0200
Deleted in experimental-release (Reason: None provided.)
grub2 (2.12~rc1-6) experimental; urgency=medium

  * Use rm_conffile instead of remove-on-upgrade.
    This works with ftp-master's old lintian version and allows
    easy backports

 -- Julian Andres Klode <email address hidden>  Mon, 04 Sep 2023 16:57:55 +0200
Deleted in experimental-release (Reason: None provided.)
grub2 (2.12~rc1-3) experimental; urgency=medium

  * Build peimage as a module and insert into signed images
  * peimage: Copy the image header and ensure it's not clobbered
  * Drop grub.cfg-400.patch, world-readable boot config violates several guidelines unfortunately
  * Drop mkconfig-other-inits.patch (alternative init boot options)
  * Order patches not used by Ubuntu last to simplify maintenance
  * Drop mkconfig-signed-kernel.patch, .signed kernels are no longer used

 -- Julian Andres Klode <email address hidden>  Tue, 25 Jul 2023 16:44:12 +0200
Superseded in experimental-release
grub2 (2.12~rc1-2) experimental; urgency=medium

  [ Julian Andres Klode ]
  * Build-Depend on libsdl2-dev instead of libsdl1.2-dev (Closes: #1038035)
  * Link peimage into arm_efi target, fixes armhf/armel FTBFS
  * peimage: Add chainloader support

  [ Heinrich Schuchardt ]
  * Enable building for RISC-V (LP: #1876620) (Closes: #995718)

 -- Julian Andres Klode <email address hidden>  Fri, 21 Jul 2023 18:02:28 +0200
Superseded in experimental-release
grub2 (2.12~rc1-1) experimental; urgency=medium

  [ Julian Andres Klode ]
  * New upstream version, 2.12~rc1
  * build-efi-images: Drop linuxefi, using new loaders now
  * Do not try to install gmodule.pl, it was rewritten in Python
  * Rebase patches
    - Temporarily drop -dpkg-version-comparison.patch, needs to be adjusted
      for switch from comparison to sort -V
    - Drop -linuxefi.patch, fix-lockdown.patch, arm64-handover-to-kernel-if-sb-enabled.patch;
      we will be using the upstream loader now, with an additional compat
      layer for shim tbd
    - Apply new network patch set from mailing list (no additional patches yet)
    - Drop ton of patches applied upstream
  * Implement an alternative approach to secure boot, using the upstream EFI
    loader, and temporarily emulating load_image() and friends using Ubuntu's
    peimage file while an image protocol is being added to shim.
  * Build-Depend on gawk, it fails to compile with mawk
  * Fix lzo test and xfail tests requiring root
  * Fix lintian overrides
  * Add grub,debian13,1 and grub.peimage,1 SBAT levels, this allows
    individually revoking the parts affecting only trixie or the new
    shared peimage loader.

  [ Dimitri John Ledkov ]
  * Include fdt modules in arm64 EFI images, tpm in all archs (LP: #2008950)

 -- Julian Andres Klode <email address hidden>  Wed, 19 Jul 2023 19:21:17 +0200
Superseded in experimental-release
grub2 (2.06-14) experimental; urgency=medium

  [ Julian Andres Klode ]
  * "Upstreaming" Ubuntu changes, part 1.
  * Fixup filename for debian/patches/gcc12_build_dangling_pointer.patch
  * Disable os-prober for ppc64el on the PowerNV platform (for Petitboot)
  * Build with FUSE3 (LP: #1935659)
  * build-efi-images: Add http to netboot images
  * Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
  * Automatic patch queue rebase

  [ Dimitri John Ledkov ]
  * minilzo: built using the distribution's minilzo
  * dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar)
  * grub-common.service: port init.d script to systemd unit. Add warning
    message, when initrdless boot fails triggering fallback. LP: #1901553
  * Make prebuilt netboot image look for grub.cfg-$deb_arch
  * Link grub-efi-{amd64,arm64}-bin docs directory

  [ Jeffery To ]
  * Add hibernation resumption support to grub-common.service

 -- Julian Andres Klode <email address hidden>  Mon, 19 Jun 2023 17:26:49 +0200
Superseded in bookworm-release
Superseded in sid-release
grub2 (2.06-13) unstable; urgency=medium

  [ Steve McIntyre ]
  * When *also* installing to the removable media path, include the
    relevant mokmanager binary. Closes: #1034409

  [ General Chaos ]
  * Allow initrd to contain spaces. Closes: #838177, #820838.

  [ Translators ]
  * Update lots of translations of debconf templates, thanks to the
    following:
    + Welsh (Dafydd Tomos)
    + German (Helge Kreutzmann). Closes: #1034850
    + Croatian (Tomislav Krznar)
    + Greek (Emmanuel Galatoulas)
    + Esperanto (Felipe Castro)
    + French (Baptiste Jammet). Closes: #1035761
    + Italian (Luca Monducci). Closes: #1034825
    + Kazakh (Baurzhan Muftakhidinov)
    + Korean (Changwoo Ryu). Closes: #1034868
    + Latvian (Rudolfs Mazurs)
    + Dutch (Frans Spiesschaert). Closes: #1035399
    + Norwegian Bokmål (Petter Reinholdtsen, Sverre Vaabenoe)
    + Brazilian Portuguese (Adriano Rafael Gomes). Closes: #1035905
    + Romanian (Remus-Gabriel Chelu)
    + Russian (Yuri Kozlov). Closes: #1035294
    + Turkish (Atila KOÇ). Closes: #1035846
    + Swedish (Luna Jernberg)

 -- Steve McIntyre <email address hidden>  Sun, 23 Apr 2023 20:55:54 +0100
Superseded in sid-release
grub2 (2.06-12) unstable; urgency=medium

  * Fix up arm64 SB patch to fix build failure on 32-bit arm systems

 -- Steve McIntyre <email address hidden>  Fri, 21 Apr 2023 13:30:26 +0100
Superseded in sid-release
grub2 (2.06-11) unstable; urgency=medium

  * And try again... :-/

 -- Steve McIntyre <email address hidden>  Fri, 21 Apr 2023 01:50:26 +0100
Superseded in sid-release
grub2 (2.06-10) unstable; urgency=medium

  * Fix 32-bit build with the osdep/devmapper/getroot patches.

 -- Steve McIntyre <email address hidden>  Fri, 21 Apr 2023 01:14:13 +0100
Superseded in sid-release
grub2 (2.06-9) unstable; urgency=medium

  [ Steve McIntyre ]
  * postinst: make config_item() more robust
  * Add debconf logic for GRUB_DISABLE_OS_PROBER to make it easier to
    control things here. Particularly useful for the installer.
    Closes: #1031594, #1012865, #1025698.
  * Add luks2 to the signed grub efi images. Closes: #1001248

  [ Ben Hutchings ]
  * Fix probing of LUKS2 devices (Closes: #1028301):
    - disk/cryptodisk: When cheatmounting, use the sector info of the cheat
      device
    - osdep/devmapper/getroot: Have devmapper recognize LUKS2
    - osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM
      parameters

  [ Emanuele Rocca ]
  * Add arm64-handover-to-kernel-if-sb-enabled.patch to fix Secure Boot on
    arm64 (Closes: #1033657)

  [ Mattia Rizzolo ]
  * Don't warn about os-prober if it's not installed. Closes: #1020769

 -- Steve McIntyre <email address hidden>  Thu, 20 Apr 2023 20:35:11 +0100
Deleted in experimental-release (Reason: None provided.)
grub2 (2.06-8.1) experimental; urgency=medium

  * Non-maintainer upload.
  * Fix an issue where a logical volume rename would lead grub to fail to
    boot (Closes: #987008)

 -- Antoine Beaupré <email address hidden>  Sat, 25 Feb 2023 15:16:55 -0500
Superseded in sid-release
grub2 (2.06-8) unstable; urgency=medium

  [ Steve McIntyre ]
  * Fix an issue in an f2fs security fix which caused mount
    failures. Closes: #1021846. Thanks to программист некто for helping
    to debug the problem!
  * Switch build-deps from gcc-10 to gcc-12. Closes: #1022184
  * Include upstream patch to enable EFI zboot support on arm64.
    Closes: #1026092
  * grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981
    Closes: #1001414
  * postinst: be more verbose when using grub-install to install onto
    devices.
  * /etc/default/grub: Fix comment about text-mode console.
    Fixes #845683
  * grub-install: Don't install the shim fallback program when called
    with --removable. Closes: #1016737
  * grub-install: Don't use our grub CD EFI image for --removable.
    Closes: #1026915. Thanks to Pascal Hambourg for the patch.
  * Ignore some new ext2 flags to stay compatible with latest mke2fs
    defaults. Closes: #1030846

  [ Colin Watson ]
  * Remove myself from Uploaders.

 -- Steve McIntyre <email address hidden>  Thu, 09 Feb 2023 01:09:00 +0000
Superseded in bullseye-release
grub2 (2.06-3~deb11u5) bullseye; urgency=high

  [ Steve McIntyre ]
  * Include fonts in the memdisk build for EFI images.
  * Bump Debian SBAT level to 4
    - Due to a mistake in the buster upload (2.06-3~deb10u2) that left
      the CVE-2022-2601 bugs in place, we need to bump SBAT for all of
      the Debian GRUB binaries. :-(
  * Fix bug in core file code so errors are handled better. This makes
    the above font-handling patch work!

 -- Steve McIntyre <email address hidden>  Thu, 08 Nov 2022 17:29:17 +0000
Superseded in sid-release
grub2 (2.06-7) unstable; urgency=medium

  [ Steve McIntyre ]
  * Fix bug in core file code so errors are handled better. This makes
    the fallback font-handling patch work properly.
    Closes: #1025469, #1025477.

 -- Steve McIntyre <email address hidden>  Tue, 06 Dec 2022 03:14:53 +0000
Superseded in sid-release
grub2 (2.06-6) unstable; urgency=medium

  [ Steve McIntyre ]
  * Include fonts in the memdisk build for EFI images.
    Closes: #1024395, #1025352, #1024447
  * Bump Debian SBAT level to 4
    - Due to a mistake in the buster upload (2.06-3~deb10u2) that left
      the CVE-2022-2601 bugs in place, we need to bump SBAT for all of
      the Debian GRUB binaries. :-(
  * Switch away from git-dpm

 -- Steve McIntyre <email address hidden>  Sun, 04 Dec 2022 20:42:23 +0000
Superseded in sid-release
grub2 (2.06-5) unstable; urgency=high

  [ Steve McIntyre ]
  * Explicitly unset SOURCE_DATE_EPOCH before running fs tests
  * Pull in upstream patches to harden font and image handling -
    CVE-2022-2601, CVE-2022-3775.
  * Bump SBAT level to 3 for grub-efi packages

 -- Steve McIntyre <email address hidden>  Sun, 13 Nov 2022 00:33:35 +0000
Superseded in sid-release
grub2 (2.06-4) unstable; urgency=high

  [ Steve McIntyre ]
  * Updated the 2.06-3 changelog to mention closure of CVE-2022-28736
  * Add a commented-out GRUB_DISABLE_OS_PROBER section to
    /etc/default/grub to make it easier for users to turn os-prober
    back on if they want it. Closes: #1013797, #1009336
  * Add smbios to the signed grub efi images. Closes: #1008106
  * Add serial to the signed grub efi images. Closes: #1013962
  * grub2-common: Remove dependency on install-info, it's apparently
    not needed. Closes: #1013698
  * Don't strip Xen binaries so they work again. Closes: #1017944.
    Thanks to Valentin Kleibel for the patch.

 -- Steve McIntyre <email address hidden>  Wed, 14 Sep 2022 22:35:49 +0100
Published in buster-release
grub2 (2.06-3~deb10u1) buster; urgency=medium

  [ Steve McIntyre ]
  * Switch to upstream 2.06 release, and rebuild for buster.
    - Tweak build-deps etc. for the rebuild.
  * Updated the 2.06-3 changelog to mention closure of CVE-2022-28736
  * Re-enable os-prober by default, don't make that change in a stable
    update.

 -- Steve McIntyre <email address hidden>  Mon, 01 Aug 2022 20:26:34 +0100
Superseded in bullseye-release
Superseded in sid-release
grub2 (2.06-3~deb11u1) bullseye; urgency=medium

  [ Steve McIntyre ]
  * Rebuild for bullseye.
  * Updated the 2.06-3 changelog to mention closure of CVE-2022-28736
  * Re-enable os-prober by default, don't make that change in a stable
    update.

 -- Steve McIntyre <email address hidden>  Mon, 01 Aug 2022 20:26:34 +0100
Superseded in sid-release
grub2 (2.06-3) unstable; urgency=medium

  [ Colin Watson ]
  * Update a few leftover uses of "which" to use "command -v" instead.
  * Remove some old Lintian overrides.
  * Trim trailing whitespace.
  * debian/copyright: use spaces rather than tabs to start continuation lines.
  * Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
    grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
  * Bump debhelper from old 10 to 13.
  * Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
    Repository-Browse.
  * Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
    John Paul Adrian Glaubitz; closes: #952815).

  [ Debconf translations ]
  * [id] Indonesian (Andika Triwidada; closes: #1007706).

  [ Julian Andres Klode ]
  * Add Julian Andres Klode to uploaders
  * Disable building with LTO, as used in Ubuntu and possibly other
    downstreams (maybe Debian one day), as that breaks the build.
  * SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
    write in heap.
    - 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
      video/readers/png: Drop greyscale support to fix heap out-of-bounds write
    - CVE-2021-3695
  * SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
    huffman table handling.
    - 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
      video/readers/png: Avoid heap OOB R/W inserting huff table items
    - CVE-2021-3696
  * SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
    the heap.
    - 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
      video/readers/jpeg: Block int underflow -> wild pointer write
    - CVE-2021-3697
  * SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
    - 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
      maths safely
    - CVE-2022-28733
  * SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
    - 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
      OOB write for split http headers
    - CVE-2022-28734
  * SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
    - 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
      kern/efi/sb: Reject non-kernel files in the shim_lock verifier
    - CVE-2022-28735
    - Closes: #1001057
  * SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
    - 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
      loader/efi/chainloader: simplify the loader state
    - 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
      Add API to pass context to loader
    - 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
      loader/efi/chainloader: Use grub_loader_set_ex
    - 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
      loader/i386/efi/linux: Use grub_loader_set_ex
  * Various fixes as a result of fuzzing and static analysis:
    - 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
      kern/file: Do not leak device_name on error in grub_file_open()
    - 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
      video/readers/png: Abort sooner if a read operation fails
    - 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
      video/readers/png: Refuse to handle multiple image headers
    - 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
      video/readers/png: Sanity check some huffman codes
    - 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
      video/readers/jpeg: Abort sooner if a read operation fails
    - 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
      video/readers/jpeg: Do not reallocate a given huff table
    - 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
      video/readers/jpeg: Refuse to handle multiple start of streams
    - 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
      normal/charset: Fix array out-of-bounds formatting unicode for display
    - 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
      net/netbuff: Block overly large netbuff allocs
    - 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
      net/dns: Fix double-free addresses on corrupt DNS response
    - 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
      net/dns: Don't read past the end of the string we're checking against
    - 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
      net/tftp: Prevent a UAF and double-free from a failed seek
    - 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
    - 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
      net/http: Do not tear down socket if it's already been torn down
    - 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
      net/http: Error out on headers with LF without CR
    - 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
      fs/f2fs: Do not read past the end of nat journal entries
    - 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
      fs/f2fs: Do not read past the end of nat bitmap
    - 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
      fs/f2fs: Do not copy file names that are too long
    - 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
      fs/btrfs: Fix several fuzz issues with invalid dir item sizing
    - 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
      fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
    - 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
      fs/btrfs: Fix more fuzz issues related to chunks
  * Bump SBAT generation:
    - update debian/sbat.debian.csv.in

 -- Julian Andres Klode <email address hidden>  Fri, 10 Jun 2022 11:15:11 +0200
Published in bookworm-release
Published in sid-release
grub2 (2.06-2) unstable; urgency=medium

  * Update to minilzo-2.10, fixing build failures on armel, mips64el,
    mipsel, and ppc64el.

 -- Colin Watson <email address hidden>  Mon, 29 Nov 2021 00:10:09 +0000
Superseded in sid-release
grub2 (2.06-1) unstable; urgency=medium

  * Use "command -v" in maintainer scripts rather than "which".
  * New upstream release.
    - Switch to the upstream shim_lock verifier, dropping several more
      manual checks for UEFI Secure Boot.
  * Cherry-pick from upstream:
    - fs/xfs: Fix unreadable filesystem with v4 superblock
    - tests/ahci: Change "ide-drive" deprecated QEMU device name to "ide-hd"
      (closes: #997100)
  * Remove dir_to_symlink maintainer script code, which was only needed for
    upgrades from before jessie.

 -- Colin Watson <email address hidden>  Sun, 28 Nov 2021 13:30:32 +0000
Superseded in bullseye-release
Superseded in sid-release
grub2 (2.04-20) unstable; urgency=medium

  [ Mathieu Trudel-Lapierre ]
  * tpm: Pass unknown error as non-fatal, but debug print the error we got
    (closes: #940911, LP: #1848892).

 -- Colin Watson <email address hidden>  Sun, 11 Jul 2021 00:37:36 +0100
Superseded in bullseye-release
Superseded in sid-release
grub2 (2.04-19) unstable; urgency=medium

  * Resync grub-install backup and restore patches from upstream, fixing
    problems that left the system unbootable after certain kinds of failure
    (closes: #983435).

 -- Colin Watson <email address hidden>  Sat, 19 Jun 2021 13:04:38 +0100
Superseded in bullseye-release
Superseded in sid-release
grub2 (2.04-18) unstable; urgency=medium

  [ Steve McIntyre ]
  * Enable the shim_lock and tpm modules for i386-efi too. Ensure that
    tpm is included in our EFI images.
  * List the modules we include in the EFI images - make it easier to
    debug things.
  * Add debug to display what's going on with verifiers

  [ Colin Watson ]
  * util/mkimage: Some fixes to PE binaries section size calculation
    (closes: #987103).

 -- Colin Watson <email address hidden>  Sun, 25 Apr 2021 16:20:17 +0100
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-20+deb10u4) buster-security; urgency=high

  * Fix broken advice in message when the postinst has to bail out (thanks
    to Daniel Leidert for pointing out the problem).
  * Backport security patch series from upstream:
    - kern: Add lockdown support
    - kern/lockdown: Set a variable if the GRUB is locked down
    - efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
    - efi: Use grub_is_lockdown() instead of hardcoding a disabled modules
      list
    - CVE-2020-14372: acpi: Don't register the acpi command when locked down
    - CVE-2020-27779: mmap: Don't register cutmem and badram commands when
      lockdown is enforced
    - commands: Restrict commands that can load BIOS or DT blobs when locked
      down
    - commands/setpci: Restrict setpci command when locked down
    - commands/hdparm: Restrict hdparm command when locked down
    - gdb: Restrict GDB access when locked down
    - loader/xnu: Don't allow loading extension and packages when locked
      down
    - docs: Document the cutmem command
    - CVE-2020-25632: dl: Only allow unloading modules that are not
      dependencies
    - CVE-2020-25647: usb: Avoid possible out-of-bound accesses caused by
      malicious devices
    - mmap: Fix memory leak when iterating over mapped memory
    - net/net: Fix possible dereference to of a NULL pointer
    - net/tftp: Fix dangling memory pointer
    - kern/parser: Fix resource leak if argc == 0
    - kern/efi: Fix memory leak on failure
    - kern/efi/mm: Fix possible NULL pointer dereference
    - gnulib/regexec: Resolve unused variable
    - gnulib/regcomp: Fix uninitialized token structure
    - gnulib/argp-help: Fix dereference of a possibly NULL state
    - gnulib/regexec: Fix possible null-dereference
    - gnulib/regcomp: Fix uninitialized re_token
    - io/lzopio: Resolve unnecessary self-assignment errors
    - kern/partition: Check for NULL before dereferencing input string
    - disk/ldm: Make sure comp data is freed before exiting from make_vg()
    - disk/ldm: If failed then free vg variable too
    - disk/ldm: Fix memory leak on uninserted lv references
    - disk/cryptodisk: Fix potential integer overflow
    - hfsplus: Check that the volume name length is valid
    - zfs: Fix possible negative shift operation
    - zfs: Fix resource leaks while constructing path
    - zfs: Fix possible integer overflows
    - zfsinfo: Correct a check for error allocating memory
    - affs: Fix memory leaks
    - libgcrypt/mpi: Fix possible unintended sign extension
    - libgcrypt/mpi: Fix possible NULL dereference
    - syslinux: Fix memory leak while parsing
    - normal/completion: Fix leaking of memory when processing a completion
    - commands/hashsum: Fix a memory leak
    - video/efi_gop: Remove unnecessary return value of
      grub_video_gop_fill_mode_info()
    - video/fb/fbfill: Fix potential integer overflow
    - video/fb/video_fb: Fix multiple integer overflows
    - video/fb/video_fb: Fix possible integer overflow
    - video/readers/jpeg: Test for an invalid next marker reference from a
      jpeg file
    - gfxmenu/gui_list: Remove code that coverity is flagging as dead
    - loader/bsd: Check for NULL arg up-front
    - loader/xnu: Fix memory leak
    - loader/xnu: Free driverkey data when an error is detected in
      grub_xnu_writetree_toheap()
    - loader/xnu: Check if pointer is NULL before using it
    - util/grub-install: Fix NULL pointer dereferences
    - util/grub-editenv: Fix incorrect casting of a signed value
    - util/glue-efi: Fix incorrect use of a possibly negative value
    - script/execute: Fix NULL dereference in grub_script_execute_cmdline()
    - commands/ls: Require device_name is not NULL before printing
    - script/execute: Avoid crash when using "$#" outside a function scope
    - CVE-2021-20225: lib/arg: Block repeated short options that require an
      argument
    - script/execute: Don't crash on a "for" loop with no items
    - CVE-2021-20233: commands/menuentry: Fix quoting in setparams_prefix()
    - kern/misc: Always set *end in grub_strtoull()
    - video/readers/jpeg: Catch files with unsupported quantization or
      Huffman tables
    - video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
    - video/readers/jpeg: Don't decode data before start of stream
    - term/gfxterm: Don't set up a font with glyphs that are too big
    - fs/fshelp: Catch impermissibly large block sizes in read helper
    - fs/hfsplus: Don't fetch a key beyond the end of the node
    - fs/hfsplus: Don't use uninitialized data on corrupt filesystems
    - fs/hfs: Disable under lockdown
    - fs/sfs: Fix over-read of root object name
    - fs/jfs: Do not move to leaf level if name length is negative
    - fs/jfs: Limit the extents that getblk() can consider
    - fs/jfs: Catch infinite recursion
    - fs/nilfs2: Reject too-large keys
    - fs/nilfs2: Don't search children if provided number is too large
    - fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
    - io/gzio: Bail if gzio->tl/td is NULL
    - io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
    - io/gzio: Catch missing values in huft_build() and bail
    - io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build()
      fails
    - disk/lvm: Don't go beyond the end of the data we read from disk
    - disk/lvm: Don't blast past the end of the circular metadata buffer
    - disk/lvm: Bail on missing PV list
    - disk/lvm: Do not crash if an expected string is not found
    - disk/lvm: Do not overread metadata
    - disk/lvm: Sanitize rlocn->offset to prevent wild read
    - disk/lvm: Do not allow a LV to be it's own segment's node's LV
    - kern/parser: Fix a memory leak
    - kern/parser: Introduce process_char() helper
    - kern/parser: Introduce terminate_arg() helper
    - kern/parser: Refactor grub_parser_split_cmdline() cleanup
    - kern/buffer: Add variable sized heap buffer
    - CVE-2020-27749: kern/parser: Fix a stack buffer overflow
    - kern/efi: Add initial stack protector implementation
    - util/mkimage: Remove unused code to add BSS section
    - util/mkimage: Use grub_host_to_target32() instead of
      grub_cpu_to_le32()
    - util/mkimage: Always use grub_host_to_target32() to initialize PE
      stack and heap stuff
    - util/mkimage: Unify more of the PE32 and PE32+ header set-up
    - util/mkimage: Reorder PE optional header fields set-up
    - util/mkimage: Improve data_size value calculation
    - util/mkimage: Refactor section setup to use a helper
    - util/mkimage: Add an option to import SBAT metadata into a .sbat
      section
    - grub-install-common: Add --sbat option
    - kern/misc: Split parse_printf_args() into format parsing and va_list
      handling
    - kern/misc: Add STRING type for internal printf() format handling
    - kern/misc: Add function to check printf() format against expected
      format
    - gfxmenu/gui: Check printf() format in the gui_progress_bar and
      gui_label
    - kern/mm: Fix grub_debug_calloc() compilation error
  * Add SBAT section (thanks, Chris Coulson).

 -- Colin Watson <email address hidden>  Mon, 01 Mar 2021 22:50:45 +0000
Superseded in sid-release
grub2 (2.04-17) unstable; urgency=medium

  * Pass --sbat when building the d-i netboot image as well.
  * i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
    #984488, #985374).

 -- Colin Watson <email address hidden>  Fri, 19 Mar 2021 10:41:41 +0000
Superseded in sid-release
grub2 (2.04-16) unstable; urgency=medium

  * Fix broken advice in message when the postinst has to bail out (thanks
    to Daniel Leidert for pointing out the problem).
  * Backport security patch series from upstream:
    - verifiers: Move verifiers API to kernel image
    - kern: Add lockdown support
    - kern/lockdown: Set a variable if the GRUB is locked down
    - efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
    - efi: Use grub_is_lockdown() instead of hardcoding a disabled modules
      list
    - CVE-2020-14372: acpi: Don't register the acpi command when locked down
    - CVE-2020-27779: mmap: Don't register cutmem and badram commands when
      lockdown is enforced
    - commands: Restrict commands that can load BIOS or DT blobs when locked
      down
    - commands/setpci: Restrict setpci command when locked down
    - commands/hdparm: Restrict hdparm command when locked down
    - gdb: Restrict GDB access when locked down
    - loader/xnu: Don't allow loading extension and packages when locked
      down
    - docs: Document the cutmem command
    - CVE-2020-25632: dl: Only allow unloading modules that are not
      dependencies
    - CVE-2020-25647: usb: Avoid possible out-of-bound accesses caused by
      malicious devices
    - mmap: Fix memory leak when iterating over mapped memory
    - net/net: Fix possible dereference to of a NULL pointer
    - net/tftp: Fix dangling memory pointer
    - kern/parser: Fix resource leak if argc == 0
    - kern/efi: Fix memory leak on failure
    - kern/efi/mm: Fix possible NULL pointer dereference
    - gnulib/regexec: Resolve unused variable
    - gnulib/regcomp: Fix uninitialized token structure
    - gnulib/argp-help: Fix dereference of a possibly NULL state
    - gnulib/regexec: Fix possible null-dereference
    - gnulib/regcomp: Fix uninitialized re_token
    - io/lzopio: Resolve unnecessary self-assignment errors
    - zstd: Initialize seq_t structure fully
    - kern/partition: Check for NULL before dereferencing input string
    - disk/ldm: Make sure comp data is freed before exiting from make_vg()
    - disk/ldm: If failed then free vg variable too
    - disk/ldm: Fix memory leak on uninserted lv references
    - disk/cryptodisk: Fix potential integer overflow
    - hfsplus: Check that the volume name length is valid
    - zfs: Fix possible negative shift operation
    - zfs: Fix resource leaks while constructing path
    - zfs: Fix possible integer overflows
    - zfsinfo: Correct a check for error allocating memory
    - affs: Fix memory leaks
    - libgcrypt/mpi: Fix possible unintended sign extension
    - libgcrypt/mpi: Fix possible NULL dereference
    - syslinux: Fix memory leak while parsing
    - normal/completion: Fix leaking of memory when processing a completion
    - commands/hashsum: Fix a memory leak
    - video/efi_gop: Remove unnecessary return value of
      grub_video_gop_fill_mode_info()
    - video/fb/fbfill: Fix potential integer overflow
    - video/fb/video_fb: Fix multiple integer overflows
    - video/fb/video_fb: Fix possible integer overflow
    - video/readers/jpeg: Test for an invalid next marker reference from a
      jpeg file
    - gfxmenu/gui_list: Remove code that coverity is flagging as dead
    - loader/bsd: Check for NULL arg up-front
    - loader/xnu: Fix memory leak
    - loader/xnu: Free driverkey data when an error is detected in
      grub_xnu_writetree_toheap()
    - loader/xnu: Check if pointer is NULL before using it
    - util/grub-install: Fix NULL pointer dereferences
    - util/grub-editenv: Fix incorrect casting of a signed value
    - util/glue-efi: Fix incorrect use of a possibly negative value
    - script/execute: Fix NULL dereference in grub_script_execute_cmdline()
    - commands/ls: Require device_name is not NULL before printing
    - script/execute: Avoid crash when using "$#" outside a function scope
    - CVE-2021-20225: lib/arg: Block repeated short options that require an
      argument
    - script/execute: Don't crash on a "for" loop with no items
    - CVE-2021-20233: commands/menuentry: Fix quoting in setparams_prefix()
    - kern/misc: Always set *end in grub_strtoull()
    - video/readers/jpeg: Catch files with unsupported quantization or
      Huffman tables
    - video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
    - video/readers/jpeg: Don't decode data before start of stream
    - term/gfxterm: Don't set up a font with glyphs that are too big
    - fs/fshelp: Catch impermissibly large block sizes in read helper
    - fs/hfsplus: Don't fetch a key beyond the end of the node
    - fs/hfsplus: Don't use uninitialized data on corrupt filesystems
    - fs/hfs: Disable under lockdown
    - fs/sfs: Fix over-read of root object name
    - fs/jfs: Do not move to leaf level if name length is negative
    - fs/jfs: Limit the extents that getblk() can consider
    - fs/jfs: Catch infinite recursion
    - fs/nilfs2: Reject too-large keys
    - fs/nilfs2: Don't search children if provided number is too large
    - fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
    - io/gzio: Bail if gzio->tl/td is NULL
    - io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
    - io/gzio: Catch missing values in huft_build() and bail
    - io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build()
      fails
    - disk/lvm: Don't go beyond the end of the data we read from disk
    - disk/lvm: Don't blast past the end of the circular metadata buffer
    - disk/lvm: Bail on missing PV list
    - disk/lvm: Do not crash if an expected string is not found
    - disk/lvm: Do not overread metadata
    - disk/lvm: Sanitize rlocn->offset to prevent wild read
    - disk/lvm: Do not allow a LV to be it's own segment's node's LV
    - fs/btrfs: Validate the number of stripes/parities in RAID5/6
    - fs/btrfs: Squash some uninitialized reads
    - kern/parser: Fix a memory leak
    - kern/parser: Introduce process_char() helper
    - kern/parser: Introduce terminate_arg() helper
    - kern/parser: Refactor grub_parser_split_cmdline() cleanup
    - kern/buffer: Add variable sized heap buffer
    - CVE-2020-27749: kern/parser: Fix a stack buffer overflow
    - kern/efi: Add initial stack protector implementation
    - util/mkimage: Remove unused code to add BSS section
    - util/mkimage: Use grub_host_to_target32() instead of
      grub_cpu_to_le32()
    - util/mkimage: Always use grub_host_to_target32() to initialize PE
      stack and heap stuff
    - util/mkimage: Unify more of the PE32 and PE32+ header set-up
    - util/mkimage: Reorder PE optional header fields set-up
    - util/mkimage: Improve data_size value calculation
    - util/mkimage: Refactor section setup to use a helper
    - util/mkimage: Add an option to import SBAT metadata into a .sbat
      section
    - grub-install-common: Add --sbat option
    - kern/misc: Split parse_printf_args() into format parsing and va_list
      handling
    - kern/misc: Add STRING type for internal printf() format handling
    - kern/misc: Add function to check printf() format against expected
      format
    - gfxmenu/gui: Check printf() format in the gui_progress_bar and
      gui_label
    - kern/mm: Fix grub_debug_calloc() compilation error
  * Add SBAT section (thanks, Chris Coulson).

 -- Colin Watson <email address hidden>  Tue, 02 Mar 2021 18:00:00 +0000
Superseded in sid-release
grub2 (2.04-15) unstable; urgency=medium

  * Demote grub-common → mtools dependency to Suggests, to go with xorriso;
    explain the situation in the package description (closes: #982313).

 -- Colin Watson <email address hidden>  Mon, 08 Feb 2021 21:39:24 +0000
Superseded in sid-release
grub2 (2.04-14) unstable; urgency=medium

  [ Raphaël Hertzog ]
  * Extend grub-efi to also cover arm64/ia64/arm (closes: #981819).

  [ Colin Watson ]
  * Cherry-pick from upstream:
    - grub-install: Fix inverted test for NLS enabled when copying locales
      (closes: #979754).
  * Fix handling of trailing commas in grub-pc/install_devices (closes:
    #913928).
  * Make grub-firmware-qemu Recommend/Enhance qemu-system-x86, not qemu
    (closes: #966243).
  * Make grub-common depend on mtools on EFI platforms, for grub-mkrescue
    (closes: #774910).

 -- Colin Watson <email address hidden>  Sun, 07 Feb 2021 15:23:51 +0000
Superseded in sid-release
grub2 (2.04-13) unstable; urgency=medium

  [ Steve McIntyre ]
  * Switch to using the efivarfs interface for detecting "system setup"
    (Closes: #979299)

 -- Colin Watson <email address hidden>  Sat, 06 Feb 2021 17:30:38 +0000
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-20+deb10u3) buster; urgency=high

  [ Colin Watson ]
  * When upgrading grub-pc noninteractively, bail out if grub-install fails.
    It's better to fail the upgrade than to produce a possibly-unbootable
    system.
  * Explicitly check whether the target device exists before running
    grub-install, since grub-install copies modules to /boot/grub/ before
    installing the core image, and the new modules might be incompatible
    with the old core image (closes: #966575).
  * Backport from upstream:
    - unix exec: avoid atexit handlers when child exits

  [ Dimitri John Ledkov ]
  * grub-install: Add backup and restore.
  * Don't call grub-install on fresh install of grub-pc.  It's the job of
    installers to do that after a fresh install.

 -- Colin Watson <email address hidden>  Mon, 28 Dec 2020 22:53:47 +0000
Published in bullseye-release
Superseded in sid-release
grub2 (2.04-12) unstable; urgency=medium

  * Cherry-pick from upstream:
    - mdraid1x_linux: Fix gcc10 error -Werror=array-bounds
    - zfs: Fix gcc10 error -Werror=zero-length-bounds
  * Build with GCC 10 (closes: #978515).

 -- Colin Watson <email address hidden>  Mon, 28 Dec 2020 22:33:23 +0000
Superseded in sid-release
grub2 (2.04-11) unstable; urgency=medium

  * grub-install: Fix backup restoration on i386.

 -- Colin Watson <email address hidden>  Sun, 06 Dec 2020 18:29:51 +0000
Superseded in sid-release
grub2 (2.04-10) unstable; urgency=medium

  [ Ian Campbell ]
  * Remove myself from uploaders.

  [ Colin Watson ]
  * When upgrading grub-pc noninteractively, bail out if grub-install fails.
    It's better to fail the upgrade than to produce a possibly-unbootable
    system.
  * Explicitly check whether the target device exists before running
    grub-install, since grub-install copies modules to /boot/grub/ before
    installing the core image, and the new modules might be incompatible
    with the old core image (closes: #966575).
  * Cherry-pick from upstream:
    - tftp: Roll-over block counter to prevent data packets timeouts
      (LP: #1892290).

  [ Dimitri John Ledkov ]
  * grub-install: Add backup and restore.
  * Don't call grub-install on fresh install of grub-pc.  It's the job of
    installers to do that after a fresh install.

 -- Colin Watson <email address hidden>  Sun, 08 Nov 2020 16:26:08 +0000
Superseded in sid-release
Superseded in buster-release
grub2 (2.02+dfsg1-20+deb10u2) buster-security; urgency=high

  * Fix a regression caused by "efi: fix some malformed device path
    arithmetic errors" (thanks, Chris Coulson and Steve McIntyre; closes:
    #966554).

 -- Colin Watson <email address hidden>  Thu, 30 Jul 2020 20:19:53 +0100
Superseded in sid-release
grub2 (2.04-9) unstable; urgency=high

  * Backport security patch series from upstream:
    - CVE-2020-10713: yylex: Make lexer fatal errors actually be fatal
    - safemath: Add some arithmetic primitives that check for overflow
    - calloc: Make sure we always have an overflow-checking calloc()
      available
    - CVE-2020-14308: calloc: Use calloc() at most places
    - CVE-2020-14309, CVE-2020-14310, CVE-2020-14311: malloc: Use overflow
      checking primitives where we do complex allocations
    - iso9660: Don't leak memory on realloc() failures
    - font: Do not load more than one NAME section
    - gfxmenu: Fix double free in load_image()
    - xnu: Fix double free in grub_xnu_devprop_add_property()
    - lzma: Make sure we don't dereference past array
    - term: Fix overflow on user inputs
    - udf: Fix memory leak
    - multiboot2: Fix memory leak if grub_create_loader_cmdline() fails
    - tftp: Do not use priority queue
    - relocator: Protect grub_relocator_alloc_chunk_addr() input args
      against integer underflow/overflow
    - relocator: Protect grub_relocator_alloc_chunk_align() max_addr against
      integer underflow
    - script: Remove unused fields from grub_script_function struct
    - CVE-2020-15706: script: Avoid a use-after-free when redefining a
      function during execution
    - relocator: Fix grub_relocator_alloc_chunk_align() top memory
      allocation
    - hfsplus: fix two more overflows
    - lvm: fix two more potential data-dependent alloc overflows
    - emu: make grub_free(NULL) safe
    - efi: fix some malformed device path arithmetic errors
    - Fix a regression caused by "efi: fix some malformed device path
      arithmetic errors"
    - update safemath with fallback code for gcc older than 5.1
    - efi: Fix use-after-free in halt/reboot path
    - linux loader: avoid overflow on initrd size calculation
  * CVE-2020-15707: linux: Fix integer overflows in initrd size handling
  * Apply overflow checking to allocations in Debian patches:
    - bootp: Fix integer overflow in parse_dhcp6_option
    - unix/config: Fix integer overflow in grub_util_load_config
    - deviceiter: Fix integer overflow in grub_util_iterate_devices

 -- Colin Watson <email address hidden>  Wed, 29 Jul 2020 17:58:37 +0100
Superseded in sid-release
grub2 (2.04-8) unstable; urgency=medium

  [ Vincent Lefevre ]
  * Fix typos in /etc/grub.d/05_debian_theme. Closes: #959484

  [ Fabian Greffrath ]
  * Change font dependency to fonts-dejavu-core. Closes: #912846

  [ Colin Watson ]
  * Cherry-pick from upstream:
    - templates/20_linux_xen: Ignore xenpolicy and config files too.
    - templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK).

  [ Ian Jackson ]
  * 20_linux_xen: Do not load XSM policy in non-XSM options (closes:
    #961673).

 -- Colin Watson <email address hidden>  Sun, 07 Jun 2020 10:06:37 +0100
Superseded in sid-release
grub2 (2.04-7) unstable; urgency=medium

  [ Christian Göttsche ]
  * Create grub default configuration with default SELinux context.

  [ Steve McIntyre ]
  * In the signed packages, change the version dependency on
    grub-common to be >= and not =. This will allow for installation
    in unstable to still work in the window while we wait for the
    template package to do its second trip through the archive.
  * Tweak the build-dep architecture listing for libefiboot-dev and
    libefivar-dev. The linux-* wildcards don't work in the way
    expected, and were missing out (at least) armhf and armel.
    Closes: #958461

 -- Colin Watson <email address hidden>  Wed, 22 Apr 2020 14:52:13 +0100
Superseded in sid-release
grub2 (2.04-6) unstable; urgency=medium

  [ Romain Perier ]
  * Add f2fs module to signed UEFI images

  [ Steve McIntyre ]
  * Add jfs module to signed UEFI images. Closes: #950959

  [ Colin Watson ]
  * Drop mkconfig-mid-upgrade.patch; it was only needed for upgrades from
    GRUB 1.99 (now a long time ago) and can inappropriately hide problems
    when /etc/grub.d/00_header should have been updated but wasn't (closes:
    #953201).
  * Cherry-pick from upstream:
    - btrfs: Add support for new RAID1C34 profiles (closes: #958236).

 -- Colin Watson <email address hidden>  Mon, 20 Apr 2020 01:03:08 +0100
Superseded in sid-release
grub2 (2.04-5) unstable; urgency=medium

  * Cherry-pick from upstream:
    - verifiers: Blocklist fallout cleanup (this was one cause of a build
      failure on hurd-i386, though may not be the only one).
  * Only recommend grub-efi-*-signed on the architectures where they exist.

 -- Colin Watson <email address hidden>  Mon, 16 Dec 2019 15:48:45 +0000
Superseded in sid-release
grub2 (2.04-4) unstable; urgency=medium

  [ Thomas Gaugler ]
  * Add leading / to prefix of network boot image for d-i.

  [ Martin von Wittich ]
  * upgrade-from-grub-legacy: Set DPKG_MAINTSCRIPT_NAME and
    DPKG_MAINTSCRIPT_PACKAGE when calling grub-pc.postinst manually (closes:
    #943387).

  [ Colin Watson ]
  * Use policy-compliant architecture wildcards in libefiboot-dev and
    libefivar-dev build-dependencies.
  * Build with GCC 9 (closes: #944166).

 -- Colin Watson <email address hidden>  Fri, 08 Nov 2019 10:58:30 +0000
Published in stretch-release
grub2 (2.02~beta3-5+deb9u2) stretch; urgency=medium

  * Cherry-pick upstream patches for Xen UEFI support (closes: #930028):
    - i386/relocator: Add grub_relocator64_efi relocator
    - multiboot2: Add tags used to pass ImageHandle to loaded image
    - multiboot2: Do not pass memory maps to image if EFI boot services are
      enabled
    - multiboot2: Add support for relocatable images
    - Use grub-file to figure out whether multiboot2 should be used for
      Xen.gz

 -- Colin Watson <email address hidden>  Wed, 12 Jun 2019 12:20:51 +0100
Superseded in sid-release
grub2 (2.04-3) unstable; urgency=medium

  * Apply patch from James Clarke to fix BIOS Boot Partition support on
    sparc64 (closes: #931969).
  * Fix UEFI installation for Devuan (thanks, Ivan J.; closes: #932966).
  * Add probe module to signed UEFI images (closes: #936082).

 -- Colin Watson <email address hidden>  Fri, 30 Aug 2019 13:50:41 +0100
Superseded in sid-release
grub2 (2.04-2) unstable; urgency=medium

  [ James Clarke ]
  * Only Build-Depend on libefiboot-dev and libefivar-dev on Linux
    architectures, since they're Linux-only.

  [ Colin Watson ]
  * Use debhelper-compat instead of debian/compat.
  * debian/apport/source_grub2.py:
    - Avoid star import.
    - Fix flake8 errors.
  * Run gentpl.py with python3.

 -- Colin Watson <email address hidden>  Sat, 03 Aug 2019 13:42:49 +0100
Superseded in sid-release
grub2 (2.04-1) unstable; urgency=medium

  * New upstream release.
  * debian/upstream/signing-key.asc: Add signing key of new upstream
    maintainer (Daniel Kiper).

 -- Colin Watson <email address hidden>  Tue, 09 Jul 2019 11:48:01 +0100
Deleted in experimental-release (Reason: None provided.)
grub2 (2.04~rc1-3) experimental; urgency=medium

  [ Will Thompson ]
  * Fix --disable-quiet-boot.

  [ Steve Langasek ]
  * If we don't have writable grubenv and we're on EFI, always show the menu
    (merged from Ubuntu).

  [ Steve McIntyre ]
  * Make all the signed EFI arches have a Recommends: from
    grub-efi-ARCH-signed to shim-signed, not just amd64.
    Closes: #931038
  * Add myself to Uploaders

  [ Colin Watson ]
  * Squash linuxefi* patches into a single patch.

 -- Colin Watson <email address hidden>  Thu, 27 Jun 2019 08:51:37 +0100
Published in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-20) unstable; urgency=medium

  [ Steve McIntyre ]
  * Make all the signed EFI arches have a Recommends: from
    grub-efi-ARCH-signed to shim-signed, not just amd64.
    Closes: #931038
  * Add myself to Uploaders

 -- Steve McIntyre <email address hidden>  Tue, 25 Jun 2019 10:11:12 +0100
Superseded in experimental-release
grub2 (2.04~rc1-2) experimental; urgency=medium

  [ Colin Watson ]
  * debian/build-efi-images: Add tpm on x86_64-efi (thanks, Chris Coulson).

  [ Steve McIntyre ]
  * Add the ntfs module to signed UEFI images. Closes: #923855
  * Add the cpuid module to signed UEFI images. Closes: #928628
  * Add the play module to signed UEFI images. Closes: #930290
  * Add an extra di-specific version of the UEFI netboot image with a
    different baked-in prefix value. Helps to fix #928750.
  * Deal with --force-extra-removable with signed shim too. Closes: #930531

 -- Colin Watson <email address hidden>  Sat, 15 Jun 2019 09:41:19 +0100
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-19) unstable; urgency=medium

  [ Colin Watson ]
  * Fix format of debian/copyright.

  [ Steve McIntyre ]
  * Add the ntfs module to signed UEFI images. Closes: #923855
  * Add the cpuid module to signed UEFI images. Closes: #928628
  * Add the play module to signed UEFI images. Closes: #930290
  * Add an extra di-specific version of the UEFI netboot image with a
    different baked-in prefix value. Helps to fix #928750.
  * Deal with --force-extra-removable with signed shim too. Closes: #930531

 -- Colin Watson <email address hidden>  Fri, 14 Jun 2019 19:04:01 +0100
Superseded in experimental-release
grub2 (2.04~rc1-1) experimental; urgency=medium

  * New upstream release candidate.
    - getroot: Save/restore CWD more reliably on Unix (closes: #918700).
  * Rename patches to use "-" as a separator rather than "_" (except when
    referring to a file, function, or command containing a "_").
  * Fix format of debian/copyright.

 -- Colin Watson <email address hidden>  Thu, 30 May 2019 16:56:05 +0100
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-18) unstable; urgency=medium

  * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
    #927269):
    - arm: Move trampolines into code section
    - arm: Align section alignment with manual relocation offset code
  * Make grub2-common Breaks+Replaces grub-cloud-amd64 (<< 0.0.4) to work
    around that package shipping colliding configuration file names in
    stretch-backports (closes: #919915).
  * Apply patch from Peter Jones to forbid the "devicetree" command when
    Secure Boot is enabled (closes: #927888).

 -- Colin Watson <email address hidden>  Sat, 04 May 2019 22:58:32 +0100
Superseded in sid-release
grub2 (2.02+dfsg1-17) unstable; urgency=medium

  * Make grub-efi-*-bin recommend efibootmgr.  We don't actually use it any
    more, but it's helpful for debugging.

 -- Colin Watson <email address hidden>  Mon, 15 Apr 2019 18:38:30 +0100
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-16) unstable; urgency=medium

  * Fix -Wcast-align diagnostics on ARM.

 -- Colin Watson <email address hidden>  Sat, 23 Mar 2019 23:28:17 +0000
Superseded in sid-release
grub2 (2.02+dfsg1-15) unstable; urgency=medium

  * Build-depend on libefiboot-dev and libefivar-dev, for EFI variable
    storage changes.
  * Drop now-unnecessary dependencies on efibootmgr.

 -- Colin Watson <email address hidden>  Sat, 23 Mar 2019 09:56:35 +0000
Superseded in sid-release
grub2 (2.02+dfsg1-14) unstable; urgency=medium

  * Make signed packages depend on a matching version of grub-common, in an
    attempt to prevent incorrect testing migrations (closes: #924814).
  * Cherry-pick from upstream:
    - xfs: Accept filesystem with sparse inodes (closes: #924760).
  * Minimise writes to EFI variable storage (closes: #891434).

 -- Colin Watson <email address hidden>  Sat, 23 Mar 2019 09:47:10 +0000
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-13) unstable; urgency=medium

  * Add regexp module to signed UEFI images.
  * debian/signing-template.json.in: Use new extendable format.

  [ Debconf translations ]
  * [nb] Norwegian Bokmål (Petter Reinholdtsen; closes: #924326).

 -- Colin Watson <email address hidden>  Thu, 14 Mar 2019 10:33:24 +0000
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-12) unstable; urgency=medium

  [ Colin Watson ]
  * Remove code to migrate grub-pc/install_devices to persistent device
    names under /dev/disk/by-id/.  This migration happened in
    1.98+20100702-1, which was in squeeze (four stable releases ago), so we
    no longer need to carry around this complex code.
  * Preserve previous answer to grub-pc/install_devices if we have to ask
    grub-pc/install_devices_disks_changed and the user chooses not to
    install to any devices, so that we can recover from temporary bugs that
    cause /dev/disk/by-id/ paths to change (closes: #919029).
  * debian/signing-template.json.in: Add trusted_certs key (empty, since
    GRUB has no hardcoded list of trusted certificates).
  * util: Detect more I/O errors (closes: #922741).

  [ Leif Lindholm ]
  * arm64/efi: Fix grub_efi_get_ram_base().

  [ Steve McIntyre ]
  * grub-install: Check for arm-efi as a default target (closes: #922104).

  [ James Clarke ]
  * osdep/freebsd: Fix partition calculation for EBR entries (closes:
    #923253).

 -- Colin Watson <email address hidden>  Fri, 01 Mar 2019 12:34:45 +0000
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-11) unstable; urgency=medium

  [ Colin Watson ]
  * Apply patches from Alexander Graf to set arm64-efi code offset to
    EFI_PAGE_SIZE (closes: #919012, LP: #1812317).
  * Upgrade to debhelper v10.
  * Set Rules-Requires-Root: no.
  * Add help and ls modules to signed UEFI images (closes: #919955).
  * Fix application of answers from dpkg-reconfigure to /etc/default/grub
    (based loosely on a patch by Steve Langasek, for which thanks; closes:
    #921702).

  [ Steve McIntyre ]
  * Make grub-efi-amd64-signed recommend shim-signed (closes: #919067).

  [ Jeroen Dekkers ]
  * Initialize keyboard in at_keyboard module init if keyboard is ready
    (closes: #741464).

  [ John Paul Adrian Glaubitz ]
  * Include a.out header in assembly of sparc64 boot loader (closes:
    #921249).

  [ Hervé Werner ]
  * Fix setup on Secure Boot systems where cryptodisk is in use (closes:
    #917117).

  [ Debconf translations ]
  * [de] German (Helge Kreutzmann and Holger Wansing; closes: #921018).

 -- Colin Watson <email address hidden>  Sun, 10 Feb 2019 18:53:41 +0000
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-10) unstable; urgency=medium

  * Apply patch from Heinrich Schuchardt (mentioned in #916695 though
    unrelated):
    - grub-core/loader/efi/fdt.c: do not copy random memory
  * Add luks modules to signed UEFI images (pointed out by Alex Griffin and
    Hervé Werner; closes: #908162, LP: #1565950).
  * Keep track of the previous version of /usr/share/grub/default/grub and
    set UCF_FORCE_CONFFOLD=1 when running ucf if it hasn't changed; ucf
    can't figure this out for itself since we apply debconf-based
    customisations on top of the template configuration file (closes:
    #812574, LP: #564853).
  * Backport Xen PVH guest support from upstream (closes: #776450).  Thanks
    to Hans van Kranenburg for testing.

 -- Colin Watson <email address hidden>  Fri, 11 Jan 2019 15:24:20 +0000
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-9) unstable; urgency=medium

  [ Colin Watson ]
  * Sync Maintainer/Uploaders in debian/signing-template/control.in with the
    main packaging.
  * Tell reportbug to submit bug reports against unsigned packages rather
    than generated signed packages.
  * Update Homepage, debian/copyright Source, and debian/watch to use HTTPS.
  * Move bash completions to /usr/share/bash-completion/completions/grub and
    add appropriate symlinks (closes: #912852).
  * Build with GCC 8 (closes: #915735).

  [ Leif Lindholm ]
  * Apply patch series (mostly) from upstream to switch the arm loader over
    to use the arm64 loader code and improve arm/arm64 initrd handling
    (closes: #907596, #909420, #915091).

  [ Matthew Garrett ]
  * Don't enforce Shim signature validation if Secure Boot is disabled.

 -- Colin Watson <email address hidden>  Fri, 07 Dec 2018 10:38:37 +0000
Superseded in stretch-release
grub2 (2.02~beta3-5+deb9u1) stable; urgency=medium

  * grub-mknetdir: Add support for ARM64 EFI (closes: #871772).
  * Cherry-pick upstream patch to change the default TSC calibration method
    to pmtimer on EFI systems (closes: #908852).

 -- Colin Watson <email address hidden>  Sun, 28 Oct 2018 19:18:13 +0000
Superseded in buster-release
Superseded in sid-release
grub2 (2.02+dfsg1-8) unstable; urgency=medium

  * Revise grub-<platform>-bin and grub-<platform> package descriptions to
    try to explain better how they fit together and which one should be used
    (based loosely on work by Justin B Rye, for which thanks; closes:
    #630224).
  * Skip flaky grub_cmd_set_date test (closes: #906470).
  * Work around bug in obsolete init-select package: add Conflicts/Replaces
    from grub-common, and take over /etc/default/grub.d/init-select.cfg with
    a no-op stub (thanks to Guillem Jover for the suggestion; closes:
    #863801).
  * Build-depend on dosfstools and mtools on non-Linux variants of
    i386/amd64/arm64 as well, to match debian/rules.
  * Cherry-pick from upstream:
    - i386/linux: Add support for ext_lfb_base (LP: #1785033).
  * Don't source /etc/default/grub.d/*.cfg in config maintainer scripts,
    since otherwise we incorrectly merge settings from there into
    /etc/default/grub (closes: #872637, LP: #1797894).
  * Add xfs module to signed UEFI images (closes: #911147, LP: #1652822).
  * Cope with / being on a ZFS root dataset (closes: #886178).

  [ Debconf translations ]
  * [sv] Swedish (Martin Bagge and Anders Jonsson; closes: #851964).

 -- Colin Watson <email address hidden>  Mon, 29 Oct 2018 13:02:08 +0000
Superseded in sid-release
grub2 (2.02+dfsg1-7) unstable; urgency=medium

  * Move kernel maintainer script snippets into grub2-common (thanks,
    Bastian Blank; closes: #910959).
  * Add cryptodisk and gcry_* modules to signed UEFI images (closes:
    #908162, LP: #1565950).
  * Remove dh_builddeb override to use xz compression; this has been the
    default since dpkg 1.17.0.

 -- Colin Watson <email address hidden>  Sat, 27 Oct 2018 13:06:32 +0100