Change logs for grub2 source package in Noble

  • grub2 (2.12-1ubuntu7) noble; urgency=medium
    
      * d/p/grub-sort-version.patch: Also patch grub-mkconfig to export GRUB_FLAVOUR_ORDER
      * d/grub-sort-version: Update regex to correctly match kernel flavour
      * d/grub-sort-version: Append `-0` to abi strings before passing to python-apt (Fixes LP: #2041827)
      * debian/: Add tests for grub-sort-version
      * Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127)
      * Increase SBAT level to "grub.ubuntu,2" and "grub.peimage,2"
      * d/build-efi-images: Make sure downstream didn't remove peimage SBAT entry
      * SECURITY UPDATE: Use-after-free in peimage module [LP: #2054127]
        - CVE-2024-2312
    
     -- Mate Kukri <email address hidden>  Thu, 04 Apr 2024 11:12:35 +0100
  • grub2 (2.12-1ubuntu6) noble; urgency=medium
    
      * No-change rebuild for CVE-2024-3094
    
     -- Steve Langasek <email address hidden>  Sun, 31 Mar 2024 08:54:41 +0000
  • grub2 (2.12-1ubuntu5) noble; urgency=medium
    
      * No-change rebuild for libefivar1t64 on riscv64.
    
     -- Steve Langasek <email address hidden>  Thu, 07 Mar 2024 09:18:17 +0000
  • grub2 (2.12-1ubuntu4) noble; urgency=medium
    
      * d/grub-multi-install: Treat missing `cloud_style_installation` debconf as
        false (LP: #2055294)
    
     -- Mate Kukri <email address hidden>  Wed, 28 Feb 2024 15:55:10 +0000
  • grub2 (2.12-1ubuntu3) noble; urgency=medium
    
      * Improve GRUB reinstallation in cloud images (LP: #2054103):
        - Add debconf options "grub-{efi,pc}/cloud_style_installation"
        - d/postinst.in: Make empty "grub-pc/install_devices" non-fatal in
          noninteractive mode
      * Determine GRUB_DISTRIBUTOR from os-release and fall back to build-time
        dpkg vendor (LP: #2034253)
      * d/p/grub-install-efi-title.patch: Use case-sensitive GRUB distributor as
        EFI option title (LP: #2026310)
      * Unreleased changes from Debian:
        - d/p/revert-term-ns8250-spcr.patch: Revert ACPI SPCR table support
          (#1062073)
    
     -- Mate Kukri <email address hidden>  Tue, 27 Feb 2024 10:54:26 +0000
  • grub2 (2.12-1ubuntu2) noble; urgency=medium
    
      * Revert patchset "ppc64: Restrict memory allocations" (LP: #2053117)
    
     -- Mate Kukri <email address hidden>  Wed, 14 Feb 2024 09:19:35 +0000
  • grub2 (2.12-1ubuntu1) noble; urgency=medium
    
      * Merge from Debian unstable; remaining changes:
        - Add Ubuntu sbat data
        - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
        - grub-common: Install canonical-uefi-ca.crt
        - Check signatures
        - Support installing to multiple ESP (LP: 1871821)
        - Disable various bits on i386
        - Split out unsigned artefacts into grub2-unsigned
        - Vcs-Git: Point to ubuntu packaging branch
        - Relax dependencies on grub-common and grub2-common
        - grub-pc: Avoid the possibility of breaking grub on SRU update due
          to ABI change
        - UBUNTU: Default timeout changes
        - Revert "Add jfs module to signed UEFI images. Closes: #950959"
        - Revert "Add f2fs module to signed UEFI images"
        - Install grub-initrd-fallback.service again
        - Build using -O1 on s390x to avoid misoptimization
        - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
        - grub-multi-install: Reset partition type between partitions (LP: #1997795)
        - Drop i386 from grub-efi-amd64* (LP: #2020907)
        - Turn depends on grub-efi-amd64/arm64 unversioned
        - forward port fix for LP: #1926748
        - Make the grub2/no_efi_extra_removable setting work correctly
        - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
        - Build grub2-unsigned packages with xz compression
        - Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
          compatible with our versioning schemes.
        - Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
          it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
        - rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
        - Drop luks2
        - d/control: Add python3-apt to Depends of grub-common (LP: #2048953)
        - Replaced patches:
          - install-signed.patch
          - grub-install-extra-removable.patch
          - grub-install-removable-shim.patch
        - Added patches:
          + rhboot-f34-dont-use-int-for-efi-status.patch
          + rhboot-f34-make-exit-take-a-return-code.patch
          + suse-grub.texi-add-net_bootp6-document.patch
          + ubuntu-add-devicetree-command-support.patch
          + ubuntu-add-initrd-less-boot-fallback.patch
          + ubuntu-add-initrd-less-boot-messages.patch
          + ubuntu-boot-from-multipath-dependent-symlink.patch
          + ubuntu-dont-verify-loopback-images.patch
          + ubuntu-fix-lzma-decompressor-objcopy.patch
          + ubuntu-grub-install-extra-removable.patch
          + ubuntu-install-signed.patch
          + ubuntu-mkconfig-leave-breadcrumbs.patch
          + ubuntu-os-prober-auto.patch
          + ubuntu-recovery-dis_ucode_ldr.patch
          + ubuntu-resilient-boot-boot-order.patch
          + ubuntu-resilient-boot-ignore-alternative-esps.patch
          + ubuntu-shorter-version-info.patch
          + ubuntu-speed-zsys-history.patch
          + ubuntu-support-initrd-less-boot.patch
          + ubuntu-verifiers-last.patch
          + ubuntu-zfs-enhance-support.patch
          + ubuntu-zfs-gfxpayload-dynamic.patch
          + ubuntu-zfs-gfxpayload-keep-default.patch
          + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
          + ubuntu-zfs-mkconfig-recovery-title.patch
          + ubuntu-zfs-mkconfig-signed-kernel.patch
          + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
          + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
          + ubuntu-zfs-vt-handoff.patch
      * Unreleased changes from Debian:
        - Update signing-template Uploaders to match main package.
        - d/p/mkconfig-ubuntu-recovery.patch: Use "recovery" instead of "single recovery"
          for recovery mode bootparams (LP: #2041245)
    
     -- Mate Kukri <email address hidden>  Mon, 29 Jan 2024 11:06:12 +0000
  • grub2 (2.12~rc1-12ubuntu5) noble; urgency=medium
    
      * d/control: Add python3-apt to Depends of grub-common (LP: #2048953)
    
     -- Mate Kukri <email address hidden>  Fri, 09 Feb 2024 13:23:36 +0000
  • grub2 (2.12~rc1-12ubuntu4) noble; urgency=medium
    
      * d/p/delay-copying-to-grubdir.patch: Move platdir path canonicalisation
        after files were copied to grubdir. (LP: #2045944)
    
     -- Mate Kukri <email address hidden>  Fri, 08 Dec 2023 09:22:22 +0000
  • grub2 (2.12~rc1-12ubuntu3) noble; urgency=medium
    
      * d/p/delay-copying-to-grubdir.patch: Improve grub-install robustness by
        delaying the update of /boot after install device validation
      * Remove workaround for LP: 1889556 (LP: #2043995)
        - Was not needed since /boot rollback was introduced upstream
        - Patch above ensures that this will not reoccur even if rollback fails
    
     -- Mate Kukri <email address hidden>  Tue, 21 Nov 2023 15:35:55 +0000
  • grub2 (2.12~rc1-12ubuntu2) noble; urgency=medium
    
      * Merge from Debian unstable; remaining changes:
        - Add Ubuntu sbat data
        - build-efi-images: do not produce -installer.efi.signed. LP: 1863994
        - grub-common: Install canonical-uefi-ca.crt
        - Check signatures
        - Support installing to multiple ESP (LP: 1871821)
        - Disable various bits on i386
        - Split out unsigned artefacts into grub2-unsigned
        - Vcs-Git: Point to ubuntu packaging branch
        - Relax dependencies on grub-common and grub2-common
        - grub-pc: Avoid the possibility of breaking grub on SRU update due
          to ABI change
        - UBUNTU: Default timeout changes
        - Revert "Add jfs module to signed UEFI images. Closes: #950959"
        - Revert "Add f2fs module to signed UEFI images"
        - Install grub-initrd-fallback.service again
        - Build using -O1 on s390x to avoid misoptimization
        - grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
        - grub-multi-install: Reset partition type between partitions (LP: #1997795)
        - Drop i386 from grub-efi-amd64* (LP: #2020907)
        - Turn depends on grub-efi-amd64/arm64 unversioned
        - forward port fix for LP: #1926748
        - Make the grub2/no_efi_extra_removable setting work correctly
        - Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
        - Build grub2-unsigned packages with xz compression
        - Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
          compatible with our versioning schemes.
        - Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
          it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
        - rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
        - Replaced patches:
          - install-signed.patch
          - grub-install-extra-removable.patch
          - grub-install-removable-shim.patch
        - Added patches:
          + rhboot-f34-dont-use-int-for-efi-status.patch
          + rhboot-f34-make-exit-take-a-return-code.patch
          + suse-grub.texi-add-net_bootp6-document.patch
          + ubuntu-add-devicetree-command-support.patch
          + ubuntu-add-initrd-less-boot-fallback.patch
          + ubuntu-add-initrd-less-boot-messages.patch
          + ubuntu-boot-from-multipath-dependent-symlink.patch
          + ubuntu-dont-verify-loopback-images.patch
          + ubuntu-fix-lzma-decompressor-objcopy.patch
          + ubuntu-grub-install-extra-removable.patch
          + ubuntu-install-signed.patch
          + ubuntu-mkconfig-leave-breadcrumbs.patch
          + ubuntu-os-prober-auto.patch
          + ubuntu-recovery-dis_ucode_ldr.patch
          + ubuntu-resilient-boot-boot-order.patch
          + ubuntu-resilient-boot-ignore-alternative-esps.patch
          + ubuntu-shorter-version-info.patch
          + ubuntu-speed-zsys-history.patch
          + ubuntu-support-initrd-less-boot.patch
          + ubuntu-verifiers-last.patch
          + ubuntu-zfs-enhance-support.patch
          + ubuntu-zfs-gfxpayload-dynamic.patch
          + ubuntu-zfs-gfxpayload-keep-default.patch
          + ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
          + ubuntu-zfs-mkconfig-recovery-title.patch
          + ubuntu-zfs-mkconfig-signed-kernel.patch
          + ubuntu-zfs-mkconfig-ubuntu-distributor.patch
          + ubuntu-zfs-mkconfig-ubuntu-recovery.patch
          + ubuntu-zfs-vt-handoff.patch
      * Removed luks2 from signed EFI binaries (LP: #2043101)
    
    grub2 (2.12~rc1-12) unstable; urgency=medium
    
      [ Mate Kukri ]
      * Port UEFI based network stack to 2.12 (LP: #2039081)
      * efi: Correct image unloading behavior
      * Prevent the incorrect use of `UnloadImage()` by binaries loaded by peimage
      * efinet: HTTP_MESSAGE fix field size (LP: #2043084)
    
      [ Abe Wieland ]
      * Maintain administrator value for os-prober
    
      [ Julian Andres Klode ]
      * Cherry-pick upstream XFS directory extent parsing fixes (Closes: #1051543)
        (LP: #2039172)
    
    grub2 (2.12~rc1-11) unstable; urgency=medium
    
      [ Mate Kukri ]
      * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
        and may leak sensitive information into the GRUB pager.
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
          label.patch:
          fs/ntfs: Fix an OOB read when parsing a volume label
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
          index-at.patch:
          fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
          entries-fr.patch:
          fs/ntfs: Fix an OOB read when parsing directory entries from resident and
          non-resident index attributes
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
          reside.patch:
          fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
          attribute
        - CVE-2023-4693
      * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
        overflow and may allow arbitrary code execution and secure boot bypass.
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
          ATTRIBUTE_LIST-.patch:
          fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
          the $MFT file
        - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
          fs/ntfs: Make code more readable
        - CVE-2023-4692
      * efi: Cleanup peimage.c
    
      [ Julian Andres Klode ]
      * Bump SBAT to grub,4
    
     -- Mate Kukri <email address hidden>  Thu, 09 Nov 2023 16:16:56 +0200
  • grub2 (2.12~rc1-10ubuntu4) mantic; urgency=high
    
      * SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
        and may leak sensitive information into the GRUB pager.
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
          label.patch:
          fs/ntfs: Fix an OOB read when parsing a volume label
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
          index-at.patch:
          fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
          entries-fr.patch:
          fs/ntfs: Fix an OOB read when parsing directory entries from resident and
          non-resident index attributes
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
          reside.patch:
          fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
          attribute
        - CVE-2023-4693
      * SECURITY UPDATE: Crafted file system images can cause heap-based buffer
        overflow and may allow arbitrary code execution and secure boot bypass.
        - d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
          ATTRIBUTE_LIST-.patch:
          fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
          the $MFT file
        - d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
          fs/ntfs: Make code more readable
        - CVE-2023-4692
    
     -- Mate Kukri <email address hidden>  Mon, 02 Oct 2023 15:23:58 +0100