grub2 (2.12-1ubuntu7.3) noble; urgency=medium
* Drop NTFS patches that seem to be causing regressions
-- Mate Kukri <mate.kukri@canonical.com> Mon, 17 Mar 2025 13:20:09 +0000
grub2 (2.12-1ubuntu7.2) noble; urgency=medium
* Cherry-pick upstream vulnerability fixes
* Cherry-pick extfs regression patch
* Cherry-pick xfs regression patches
* Bump SBAT level to grub,5
* d/rules: Also build monolithic images for riscv64 (LP: #2091706)
* SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
- CVE-2024-45774
* SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
- CVE-2024-45775
* SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or read
- CVE-2024-45776
* SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
- CVE-2024-45777
* SECURITY UPDATE: fs/bfs: Integer overflow
- CVE-2024-45778
* SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
- CVE-2024-45779
* SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
- CVE-2024-45780
* SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
- CVE-2024-45781
* SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB write
- CVE-2024-45782
* SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
- CVE-2024-45783
* SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being removed on module unload
- CVE-2025-0622
* SECURITY UPDATE: net: Out-of-bounds write in grub_net_search_config_file()
- CVE-2025-0624
* SECURITY UPDATE: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
- CVE-2025-0677
* SECURITY UPDATE: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
- CVE-2025-0678
* SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0684
* SECURITY UPDATE: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0685
* SECURITY UPDATE: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
- CVE-2025-0686
* SECURITY UPDATE: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
- CVE-2025-0689
* SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
- CVE-2025-0690
* SECURITY UPDATE: commands/dump: The dump command is not in lockdown when secure boot is enabled
- CVE-2025-1118
* SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
- CVE-2025-1125
* SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF [LP: #2055835]
-- Mate Kukri <mate.kukri@canonical.com> Fri, 17 Jan 2025 11:33:01 +0000
grub2 (2.12-1ubuntu7.1) noble; urgency=medium
* riscv: use time register in grub_efi_get_time_ms() (LP: #2076651)
* efi/chainloader: Do not print device path of chainloaded file (LP: #2073634)
-- Mate Kukri <mate.kukri@canonical.com> Wed, 11 Sep 2024 14:15:05 +0100
grub2 (2.12-1ubuntu7) noble; urgency=medium
* d/p/grub-sort-version.patch: Also patch grub-mkconfig to export GRUB_FLAVOUR_ORDER
* d/grub-sort-version: Update regex to correctly match kernel flavour
* d/grub-sort-version: Append `-0` to abi strings before passing to python-apt (Fixes LP: #2041827)
* debian/: Add tests for grub-sort-version
* Revert peimage to re-use GRUB's image handle (LP: #2057679) (LP: #2054127)
* Increase SBAT level to "grub.ubuntu,2" and "grub.peimage,2"
* d/build-efi-images: Make sure downstream didn't remove peimage SBAT entry
* SECURITY UPDATE: Use-after-free in peimage module [LP: #2054127]
- CVE-2024-2312
-- Mate Kukri <mate.kukri@canonical.com> Thu, 04 Apr 2024 11:12:35 +0100
grub2 (2.12-1ubuntu6) noble; urgency=medium
* No-change rebuild for CVE-2024-3094
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 31 Mar 2024 08:54:41 +0000
grub2 (2.12-1ubuntu5) noble; urgency=medium
* No-change rebuild for libefivar1t64 on riscv64.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 07 Mar 2024 09:18:17 +0000
grub2 (2.12-1ubuntu4) noble; urgency=medium
* d/grub-multi-install: Treat missing `cloud_style_installation` debconf as
false (LP: #2055294)
-- Mate Kukri <mate.kukri@canonical.com> Wed, 28 Feb 2024 15:55:10 +0000
grub2 (2.12-1ubuntu3) noble; urgency=medium
* Improve GRUB reinstallation in cloud images (LP: #2054103):
- Add debconf options "grub-{efi,pc}/cloud_style_installation"
- d/postinst.in: Make empty "grub-pc/install_devices" non-fatal in
noninteractive mode
* Determine GRUB_DISTRIBUTOR from os-release and fall back to build-time
dpkg vendor (LP: #2034253)
* d/p/grub-install-efi-title.patch: Use case-sensitive GRUB distributor as
EFI option title (LP: #2026310)
* Unreleased changes from Debian:
- d/p/revert-term-ns8250-spcr.patch: Revert ACPI SPCR table support
(#1062073)
-- Mate Kukri <mate.kukri@canonical.com> Tue, 27 Feb 2024 10:54:26 +0000
grub2 (2.12-1ubuntu2) noble; urgency=medium
* Revert patchset "ppc64: Restrict memory allocations" (LP: #2053117)
-- Mate Kukri <mate.kukri@canonical.com> Wed, 14 Feb 2024 09:19:35 +0000
grub2 (2.12-1ubuntu1) noble; urgency=medium
* Merge from Debian unstable; remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Revert "Add jfs module to signed UEFI images. Closes: #950959"
- Revert "Add f2fs module to signed UEFI images"
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
- grub-multi-install: Reset partition type between partitions (LP: #1997795)
- Drop i386 from grub-efi-amd64* (LP: #2020907)
- Turn depends on grub-efi-amd64/arm64 unversioned
- forward port fix for LP: #1926748
- Make the grub2/no_efi_extra_removable setting work correctly
- Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
compatible with our versioning schemes.
- Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
- rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
- Drop luks2
- d/control: Add python3-apt to Depends of grub-common (LP: #2048953)
- Replaced patches:
- install-signed.patche
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-install-signed.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-os-prober-auto.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-vt-handoff.patch
* Unreleased changes from Debian:
- Update signing-template Uploaders to match main package.
- d/p/mkconfig-ubuntu-recovery.patch: Use "recovery" instead of "single recovery"
for recovery mode bootparams (LP: #2041245)
-- Mate Kukri <mate.kukri@canonical.com> Mon, 29 Jan 2024 11:06:12 +0000
grub2 (2.12-1) unstable; urgency=medium
[ Mate Kukri ]
* New upstream version, 2.12
* d/patches: Rebase on `upstream/2.12` and drop superseded patches:
- Dropping patches now included upstream:
+ d/p/ntfs-cve-fixes/*: Fixes for NTFS OOB CVE
+ d/p/upstream/xfs-*: XFS parsing fixes
+ d/p/upstream/unmerged-usr-shebang.patch
- Dropping patch replaced with configure option:
+ d/p/dejavu-font-path.patch
* d/rules: Pass configure option '--enable-grub-themes'
* d/rules: Provide Debian specific DejaVu path via configure
* d/{control,rules}: Use default gcc version
* d/p/extra_deps_lst.patch:
Checkout "extra_deps.lst" from upstream/master
* d/p/sb/revert-efi-fallback-to-legacy.patch:
Also revert newer fallback patch
[ Julian Andres Klode ]
* Add Mate to Uploaders
-- Mate Kukri <mate.kukri@canonical.com> Mon, 15 Jan 2024 09:54:55 +0000
grub2 (2.12~rc1-13) unstable; urgency=medium
* No-change rebuild to retrigger signing following binNMU breakage
-- Julian Andres Klode <jak@debian.org> Fri, 12 Jan 2024 19:00:41 +0100
grub2 (2.12~rc1-12ubuntu5) noble; urgency=medium
* d/control: Add python3-apt to Depends of grub-common (LP: #2048953)
-- Mate Kukri <mate.kukri@canonical.com> Fri, 09 Feb 2024 13:23:36 +0000
grub2 (2.12~rc1-12ubuntu4) noble; urgency=medium
* d/p/delay-copying-to-grubdir.patch: Move platdir path canonicalisation
after files were copied to grubdir. (LP: #2045944)
-- Mate Kukri <mate.kukri@canonical.com> Fri, 08 Dec 2023 09:22:22 +0000
grub2 (2.12~rc1-12ubuntu3) noble; urgency=medium
* d/p/delay-copying-to-grubdir.patch: Improve grub-install robustness by
delaying the update of /boot after install device validation
* Remove workaround for LP: 1889556 (LP: #2043995)
- Was not needed since /boot rollback was introduced upstream
- Patch above ensures that this will not reoccur even if rollback fails
-- Mate Kukri <mate.kukri@canonical.com> Tue, 21 Nov 2023 15:35:55 +0000
grub2 (2.12~rc1-12ubuntu2) noble; urgency=medium
* Merge from Debian unstable; remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Revert "Add jfs module to signed UEFI images. Closes: #950959"
- Revert "Add f2fs module to signed UEFI images"
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
- grub-multi-install: Reset partition type between partitions (LP: #1997795)
- Drop i386 from grub-efi-amd64* (LP: #2020907)
- Turn depends on grub-efi-amd64/arm64 unversioned
- forward port fix for LP: #1926748
- Make the grub2/no_efi_extra_removable setting work correctly
- Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
compatible with our versioning schemes.
- Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
- rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
- Replaced patches:
- installe-signed.patched
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-install-signed.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-os-prober-auto.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-vt-handoff.patch
* Removed luks2 from signed EFI binaries (LP: #2043101)
-- Mate Kukri <mate.kukri@canonical.com> Thu, 09 Nov 2023 16:16:56 +0200
grub2 (2.12~rc1-12) unstable; urgency=medium
[ Mate Kukri ]
* Port UEFI based network stack to 2.12 (LP: #2039081)
* efi: Correct image unloading behavior
* Prevent the incorrect use of `UnloadImage()` by binaries loaded by peimage
* efinet: HTTP_MESSAGE fix field size (LP: #2043084)
[ Abe Wieland ]
* Maintain administrator value for os-prober
[ Julian Andres Klode ]
* Cherry-pick upstream XFS directory extent parsing fixes (Closes: #1051543)
(LP: #2039172)
-- Julian Andres Klode <jak@debian.org> Thu, 09 Nov 2023 14:13:44 +0200
grub2 (2.12~rc1-11) unstable; urgency=medium
[ Mate Kukri ]
* SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
and may leak sensitive information into the GRUB pager.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
label.patch:
fs/ntfs: Fix an OOB read when parsing a volume label
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
index-at.patch:
fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
entries-fr.patch:
fs/ntfs: Fix an OOB read when parsing directory entries from resident and
non-resident index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
reside.patch:
fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
attribute
- CVE-2023-4693
* SECURITY UPDATE: Crafted file system images can cause heap-based buffer
overflow and may allow arbitrary code execution and secure boot bypass.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
ATTRIBUTE_LIST-.patch:
fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
the $MFT file
- d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
fs/ntfs: Make code more readable
- CVE-2023-4692
* efi: Cleanup peimage.c
[ Julian Andres Klode ]
* Bump SBAT to grub,4
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 02 Oct 2023 15:55:25 +0200
grub2 (2.12~rc1-10ubuntu4) mantic; urgency=high
* SECURITY UPDATE: Crafted file system images can cause out-of-bounds write
and may leak sensitive information into the GRUB pager.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-
label.patch:
fs/ntfs: Fix an OOB read when parsing a volume label
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-bs-for-
index-at.patch:
fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-parsing-dory-
entries-fr.patch:
fs/ntfs: Fix an OOB read when parsing directory entries from resident and
non-resident index attributes
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-read-when-reading-data-fhe-
reside.patch:
fs/ntfs: Fix an OOB read when reading data from the resident $DATA +
attribute
- CVE-2023-4693
* SECURITY UPDATE: Crafted file system images can cause heap-based buffer
overflow and may allow arbitrary code execution and secure boot bypass.
- d/patches/ntfs-cve-fixes/fs-ntfs-Fix-an-OOB-write-when-parsing-the-
ATTRIBUTE_LIST-.patch:
fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute for
the $MFT file
- d/patches/ntfs-cve-fixes/fs-ntfs-Make-code-more-readable.patch
fs/ntfs: Make code more readable
- CVE-2023-4692
-- Mate Kukri <mate.kukri@canonical.com> Mon, 02 Oct 2023 15:23:58 +0100
grub2 (2.12~rc1-10ubuntu2) mantic; urgency=medium
* Merge from Debian unstable to pick up fixes (LP: #2028947); remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Revert "Add jfs module to signed UEFI images. Closes: #950959"
- Revert "Add f2fs module to signed UEFI images"
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
- grub-multi-install: Reset partition type between partitions (LP: #1997795)
- Drop i386 from grub-efi-amd64* (LP: #2020907)
- Turn depends on grub-efi-amd64/arm64 unversioned
- forward port fix for LP: #1926748
- Make the grub2/no_efi_extra_removable setting work correctly
- Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Replaced patches:
- installe-signed.patched
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-install-signed.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-os-prober-auto.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-vt-handoff.patch
* Dropped Ubuntu changes:
- Temporarily rmmod peimage for os-prober chainloader entries (LP: #2030810)
* Revert: "Have -bin packages Break pre-2.12 -signed packages.", this is not
compatible with our versioning schemes.
* Install a /usr/lib/grub/grub-sort-version and use that to sort versions as
it respects GRUB_FLAVOUR_ORDER. Depend on python3 to do so.
* rules: Add DPKG_BUILDPACKAGE_OPTIONS to generate-grub2-unsigned
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 25 Sep 2023 17:31:09 +0200
grub2 (2.12~rc1-10) unstable; urgency=medium
[ Julian Andres Klode ]
* Cherry pick fix for unmerged usr shebang (Closes: #1051251)
* grub-common.dirs: Install empty /etc/default/grub.d (Closes: #1051412)
[ Mate Kukri ]
* efi: Eliminate globals from the `peimage.c` chainloader
-- Julian Andres Klode <jak@debian.org> Mon, 18 Sep 2023 12:23:29 +0200
grub2 (2.12~rc1-9) unstable; urgency=medium
* Correct the Breaks to include the ~rc1 bit of the version
-- Julian Andres Klode <jak@debian.org> Tue, 05 Sep 2023 19:13:30 +0200
grub2 (2.12~rc1-8) unstable; urgency=medium
* Have -bin packages Break pre-2.12 -signed packages.
On insecurely booted systems, upgrading the -bin packages with
the modules before the -signed packages caused the signed binaries
to crash when loading additional modules. (Closes: #1051271)
* Revert "In the signed packages, change the version dependency"
This reverts commit 680bb22c3308b7ccd0a7eb7923c7d68067b626f9. The
signed package needs the modules to be at the same version during
boot on insecure systems or it may crash trying to load further
modules.
* Set Protected: yes for -signed packages so they cannot easily be removed.
This ensures that the = depends in grub-efi-amd64-signed does not
cause it to be removed when it is out of sync with src:grub2
-- Julian Andres Klode <jak@debian.org> Tue, 05 Sep 2023 19:06:05 +0200
grub2 (2.12~rc1-7) unstable; urgency=medium
* Upload to unstable
-- Julian Andres Klode <jak@debian.org> Mon, 04 Sep 2023 20:03:09 +0200
grub2 (2.12~rc1-6) experimental; urgency=medium
* Use rm_conffile instead of remove-on-upgrade.
This works with ftp-master's old lintian version and allows
easy backports
-- Julian Andres Klode <jak@debian.org> Mon, 04 Sep 2023 16:57:55 +0200
grub2 (2.12~rc1-5) experimental; urgency=medium
[ Felix Zielcke ]
* Add salsa-ci.yml and disable blhc and reprotest pipelines.
* remove on upgrades /etc/default/grub.d/init-select.cfg. (Closes: #1042707)
[ Julian Andres Klode ]
* peimage: Set file_path for loaded image (LP: #2030810, #2032294)
* Hack up the lintian overrides for stable lintian on ftp-master
-- Julian Andres Klode <jak@debian.org> Mon, 04 Sep 2023 14:16:12 +0200
grub2 (2.12~rc1-4ubuntu3) mantic; urgency=medium
* zfs: Drop `set -u`, incompatible with undefined variables in library
(LP: #2033256)
-- Julian Andres Klode <juliank@ubuntu.com> Tue, 29 Aug 2023 16:03:49 +0200
grub2 (2.12~rc1-4ubuntu2) mantic; urgency=medium
* ubuntu-zfs-enhance-support.patch: Adjustments for 2.12 library
(LP: #2029260)
* zfs: on_exit: Unmount ${MNTDIR}/boot before ${MNTDIR} (LP: #2031042)
* Temporarily rmmod peimage for os-prober chainloader entries (LP: #2030810)
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 21 Aug 2023 14:26:07 +0200
grub2 (2.12~rc1-4ubuntu1) mantic; urgency=medium
* Merge from Debian unstable (LP: #2028947); remaining changes:
- Add Ubuntu sbat data
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Revert "Add jfs module to signed UEFI images. Closes: #950959"
- Revert "Add f2fs module to signed UEFI images"
- Install grub-initrd-fallback.service again
- Build using -O1 on s390x to avoid misoptimization
- grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
- grub-multi-install: Reset partition type between partitions (LP: #1997795)
- Drop i386 from grub-efi-amd64* (LP: #2020907)
- Turn depends on grub-efi-amd64/arm64 unversioned
- forward port fix for LP: #1926748
- Make the grub2/no_efi_extra_removable setting work correctly
- Forward port the fix for LP: #1930742 and make it conditional (xenial/bionic only)
- Build grub2-unsigned packages with xz compression
- Replaced patches:
- installe-signed.patched
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ suse-grub.texi-add-net_bootp6-document.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-install-signed.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-os-prober-auto.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-verifiers-last.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-ubuntu-recovery.patch
+ ubuntu-zfs-vt-handoff.patch
* Dropped Ubuntu changes:
- All the rhboot loader patches
- Temporarily, support for GRUB_FLAVOUR_ORDER
- RISC-V patches, applied upstream:
+ efi-add-definition-of-LoadFile2-protocol.patch
+ efi-correct-struct-grub_efi_boot_services.patch
+ efi-implemented-LoadFile2-initrd-loading-protocol-fo.patch
+ efi-implement-grub_efi_run_image.patch
+ RISC-V-Update-image-header.patch
+ RISC-V-Use-common-linux-loader.patch
+ riscv-adjust-march-flags-for-binutils-2.38.patch
+ upstream/riscv-handle-r-riscv-call-plt-reloc.patch
+ loader-drop-argv-argument-in-grub_initrd_load.patch
+ loader-Move-arm64-linux-loader-to-common-code.patch
- Networking patches (rebasing still WIP):
+ cherrypick-efi-grub_efi_close_protocol.patch
+ cherrypick-efinet-correct-closing-snp-protocol.patch
+ efinet-uefi-ipv6-pxe-support.patch
+ suse-add-support-for-UEFI-network-protocols.patch
+ suse-AUDIT-0-http-boot-tracker-bug.patch
- Red Hat boot loader, replaced by upstream:
+ linuxefi-do-not-validate-kernels-twice.patch
+ linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
+ rhboot-bounce-buffers.patch
+ rhboot-efi-allocate-in-kernel-bounds.patch
+ rhboot-efi-allocate-kernel-as-code-for-real.patch
+ rhboot-efi-allocate-kernel-as-code.patch
+ rhboot-efi-enumerated-array-for-allocation-choice.patch
+ rhboot-efi-fix-incorrect-array-size.patch
+ rhboot-efi-initrd-above-4gb.patch
+ rhboot-efi-kernel-allocator.patch
+ rhboot-efi-rearrange-grub-cmd-linux.patch
+ rhboot-efi-split-allocation-policy.patch
+ rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
+ rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
+ rhboot-try-to-pick-better-locations-for-kernel-and-initrd.patch
+ ubuntu-linuxefi-arm64.patch
+ ubuntu-linuxefi-arm64-set-base-addr.patch
+ ubuntu-linuxefi.patch
+ ubuntu-rhboot-cast-fixups.patch
+ ubuntu-efi-allow-loopmount-chainload.patch
+ ubuntu-efi-loader-code.patch
- Security patches, applied upstream:
+ {0076...0161} security patches, applied upstream
+ font-*.patchi - security patches applied upstream
+ commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
+ fbutil-Fix-integer-overflow.patch
+ kern-efi-sb-Enforce-verification-of-font-files.patch
+ normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
- Misc patches, merged in Debian:
+ efi-EFI-Device-Tree-Fixup-Protocol.patch
+ efivar-check-that-efivarfs-is-writeable.patch
+ fat-fix-listing-the-root-directory.patch
+ fdt-add-debug-output-to-devicetree-command.patch
+ zstd-require-8-byte-buffer.patch
+ 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
- Misc patches applied upstream:
+ 2.12-mm/* - applied upstream
+ ubuntu-fuse3.patch
+ xfs-fix-v4-superblock.patch
+ tpm-unknown-error-non-fatal.patch
+ commands-efi-tpm-Refine-the-status-of-log-event.patch
+ efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
+ linux_xen-Properly-load-multiple-initrd-files.patch
+ linux_xen-Properly-order-multiple-initrd-files.patch
+ linux-ignore-FDT-unless-we-need-to-modify-it.patch
+ mkrescue-efi-modules.patch
+ tests-ahci-update-qemu-device-name.patch
- No longer relevant:
+ ubuntu-disable-LOAD-FILE2-protocol-for-initrd-on-ARM.patch
+ ubuntu-temp-keep-auto-nvram.patch: was temporary in 2019 lol
+ ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
+ no-devicetree-if-secure-boot.patch
+ no-insmod-on-sb.patch
- To be rewritten later in this cycle:
+ ubuntu-flavour-order.patch
- Coalesced into some other patches:
+ ubuntu-zfs-maybe-quiet.patch
+ ubuntu-zfs-quick-boot.patch
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 28 Jul 2023 15:34:32 +0200
grub2 (2.12~rc1-4) experimental; urgency=medium
[ Julian Andres Klode ]
* Fix quiet boot feature
* Drop fs-tester-time-fail.patch, upstream
* postinst: look at /boot/grub/$target/core.efi to determine if we ran already
* Cherry-pick additional Ubuntu patches
- zstd-require-8-byte-buffer.patch: Fix for buffer size in zstd
- recovery-dis_ucode_ldr.patch: Pass dis_ucode_ldr to kernel for
recovery mode
- hwmatch-only-on-grub-pc-platform.patch: Only call hwmatch on grub-pc
(Closes: #990836)
- fdt-add-debug-output-to-devicetree-command.patch: Debugging output
for the devicetree command
- fdt-device-tree-fixup-protocol.patch: Support for u-boot device tree
fixup protocol
- fat-fix-listing-the-root-directory.patch: Fix listing of files with
0 timestamps in FAT
- efivar-check-that-efivarfs-is-writeable.patch: Do not hard error
if we cannot write the EFI variables. Some implementations, like
u-boot do not support writing them.
* Only build peimage on supported architectures
* debian/po: Refresh templates
[ Felix Zielcke ]
* Update mkconfig-ubuntu-recovery.patch to respect
GRUB_CMDLINE_LINUX_RECOVERY from /etc/default/grub.
(Closes: #766530, #922425)
* Strip grub-emu binary.
-- Julian Andres Klode <jak@debian.org> Fri, 28 Jul 2023 14:54:14 +0200
grub2 (2.12~rc1-3) experimental; urgency=medium
* Build peimage as a module and insert into signed images
* peimage: Copy the image header and ensure it's not clobbered
* Drop grub.cfg-400.patch, world-readable boot config violates several guidelines unfortunately
* Drop mkconfig-other-inits.patch (alternative init boot options)
* Order patches not used by Ubuntu last to simplify maintenance
* Drop mkconfig-signed-kernel.patch, .signed kernels are no longer used
-- Julian Andres Klode <jak@debian.org> Tue, 25 Jul 2023 16:44:12 +0200
grub2 (2.12~rc1-2) experimental; urgency=medium
[ Julian Andres Klode ]
* Build-Depend on libsdl2-dev instead of libsdl1.2-dev (Closes: #1038035)
* Link peimage into arm_efi target, fixes armhf/armel FTBFS
* peimage: Add chainloader support
[ Heinrich Schuchardt ]
* Enable building for RISC-V (LP: #1876620) (Closes: #995718)
-- Julian Andres Klode <jak@debian.org> Fri, 21 Jul 2023 18:02:28 +0200
grub2 (2.12~rc1-1) experimental; urgency=medium
[ Julian Andres Klode ]
* New upstream version, 2.12~rc1
* build-efi-images: Drop linuxefi, using new loaders now
* Do not try to install gmodule.pl, it was rewritten in Python
* Rebase patches
- Temporarily drop -dpkg-version-comparison.patch, needs to be adjusted
for switch from comparison to sort -V
- Drop -linuxefi.patch, fix-lockdown.patch, arm64-handover-to-kernel-if-sb-enabled.patch;
we will be using the upstream loader now, with an additional compat
layer for shim tbd
- Apply new network patch set from mailing list (no additional patches yet)
- Drop a ton of patches applied upstream
* Implement an alternative approach to secure boot, using the upstream EFI
loader, and temporarily emulating load_image() and friends using Ubuntu's
peimage file while an image protocol is being added to shim.
* Build-Depend on gawk, it fails to compile with mawk
* Fix lzo test and xfail tests requiring root
* Fix lintian overrides
* Add grub,debian13,1 and grub.peimage,1 SBAT levels, this allows
individually revoking the parts affecting only trixie or the new
shared peimage loader.
[ Dimitri John Ledkov ]
* Include fdt modules in arm64 EFI images, tpm in all archs (LP: #2008950)
-- Julian Andres Klode <jak@debian.org> Wed, 19 Jul 2023 19:21:17 +0200
grub2 (2.06-14) experimental; urgency=medium
[ Julian Andres Klode ]
* "Upstreaming" Ubuntu changes, part 1.
* Fixup filename for debian/patches/gcc12_build_dangling_pointer.patch
* Disable os-prober for ppc64el on the PowerNV platform (for Petitboot)
* Build with FUSE3 (LP: #1935659)
* build-efi-images: Add http to netboot images
* Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
* Automatic patch queue rebase
[ Dimitri John Ledkov ]
* minilzo: built using the distribution's minilzo
* dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar)
* grub-common.service: port init.d script to systemd unit. Add warning
message, when initrdless boot fails triggering fallback. LP: #1901553
* Make prebuilt netboot image look for grub.cfg-$deb_arch
* Link grub-efi-{amd64,arm64}-bin docs directory
[ Jeffery To ]
* Add hibernation resumption support to grub-common.service
-- Julian Andres Klode <jak@debian.org> Mon, 19 Jun 2023 17:26:49 +0200
grub2 (2.06-13) unstable; urgency=medium
[ Steve McIntyre ]
* When *also* installing to the removable media path, include the
relevant mokmanager binary. Closes: #1034409
[ General Chaos ]
* Allow initrd to contain spaces. Closes: #838177, #820838.
[ Translators ]
* Update lots of translations of debconf templates, thanks to the
following:
+ Welsh (Dafydd Tomos)
+ German (Helge Kreutzmann). Closes: #1034850
+ Croatian (Tomislav Krznar)
+ Greek (Emmanuel Galatoulas)
+ Esperanto (Felipe Castro)
+ French (Baptiste Jammet). Closes: #1035761
+ Italian (Luca Monducci). Closes: #1034825
+ Kazakh (Baurzhan Muftakhidinov)
+ Korean (Changwoo Ryu). Closes: #1034868
+ Latvian (Rudolfs Mazurs)
+ Dutch (Frans Spiesschaert). Closes: #1035399
+ Norwegian Bokmål (Petter Reinholdtsen, Sverre Vaabenoe)
+ Brazilian Portuguese (Adriano Rafael Gomes). Closes: #1035905
+ Romanian (Remus-Gabriel Chelu)
+ Russian (Yuri Kozlov). Closes: #1035294
+ Turkish (Atila KOÇ). Closes: #1035846
+ Swedish (Luna Jernberg)
-- Steve McIntyre <93sam@debian.org> Sun, 23 Apr 2023 20:55:54 +0100
grub2 (2.06-12) unstable; urgency=medium
* Fix up arm64 SB patch to fix build failure on 32-bit arm systems
-- Steve McIntyre <93sam@debian.org> Fri, 21 Apr 2023 13:30:26 +0100
grub2 (2.06-11) unstable; urgency=medium
* And try again... :-/
-- Steve McIntyre <93sam@debian.org> Fri, 21 Apr 2023 01:50:26 +0100
grub2 (2.06-10) unstable; urgency=medium
* Fix 32-bit build with the osdep/devmapper/getroot patches.
-- Steve McIntyre <93sam@debian.org> Fri, 21 Apr 2023 01:14:13 +0100
grub2 (2.06-9) unstable; urgency=medium
[ Steve McIntyre ]
* postinst: make config_item() more robust
* Add debconf logic for GRUB_DISABLE_OS_PROBER to make it easier to
control things here. Particularly useful for the installer.
Closes: #1031594, #1012865, #1025698.
* Add luks2 to the signed grub efi images. Closes: #1001248
[ Ben Hutchings ]
* Fix probing of LUKS2 devices (Closes: #1028301):
- disk/cryptodisk: When cheatmounting, use the sector info of the cheat
device
- osdep/devmapper/getroot: Have devmapper recognize LUKS2
- osdep/devmapper/getroot: Set up cheated LUKS2 cryptodisk mount from DM
parameters
[ Emanuele Rocca ]
* Add arm64-handover-to-kernel-if-sb-enabled.patch to fix Secure Boot on
arm64 (Closes: #1033657)
[ Mattia Rizzolo ]
* Don't warn about os-prober if it's not installed. Closes: #1020769
-- Steve McIntyre <93sam@debian.org> Thu, 20 Apr 2023 20:35:11 +0100
grub2 (2.06-8.1) experimental; urgency=medium
* Non-maintainer upload.
* Fix an issue where a logical volume rename would lead grub to fail to
boot (Closes: #987008)
-- Antoine Beaupré <anarcat@debian.org> Sat, 25 Feb 2023 15:16:55 -0500
grub2 (2.06-8) unstable; urgency=medium
[ Steve McIntyre ]
* Fix an issue in an f2fs security fix which caused mount
failures. Closes: #1021846. Thanks to программист некто for helping
to debug the problem!
* Switch build-deps from gcc-10 to gcc-12. Closes: #1022184
* Include upstream patch to enable EFI zboot support on arm64.
Closes: #1026092
* grub-mkconfig: Restore umask for the grub.cfg. CVE-2021-3981
Closes: #1001414
* postinst: be more verbose when using grub-install to install onto
devices.
* /etc/default/grub: Fix comment about text-mode console.
Fixes #845683
* grub-install: Don't install the shim fallback program when called
with --removable. Closes: #1016737
* grub-install: Don't use our grub CD EFI image for --removable.
Closes: #1026915. Thanks to Pascal Hambourg for the patch.
* Ignore some new ext2 flags to stay compatible with latest mke2fs
defaults. Closes: #1030846
[ Colin Watson ]
* Remove myself from Uploaders.
-- Steve McIntyre <93sam@debian.org> Thu, 09 Feb 2023 01:09:00 +0000
grub2 (2.06-7) unstable; urgency=medium
[ Steve McIntyre ]
* Fix bug in core file code so errors are handled better. This makes
the fallback font-handling patch work properly.
Closes: #1025469, #1025477.
-- Steve McIntyre <93sam@debian.org> Tue, 06 Dec 2022 03:14:53 +0000
grub2 (2.06-6) unstable; urgency=medium
[ Steve McIntyre ]
* Include fonts in the memdisk build for EFI images.
Closes: #1024395, #1025352, #1024447
* Bump Debian SBAT level to 4
- Due to a mistake in the buster upload (2.06-3~deb10u2) that left
the CVE-2022-2601 bugs in place, we need to bump SBAT for all of
the Debian GRUB binaries. :-(
* Switch away from git-dpm
-- Steve McIntyre <93sam@debian.org> Sun, 04 Dec 2022 20:42:23 +0000
grub2 (2.06-5) unstable; urgency=high
[ Steve McIntyre ]
* Explicitly unset SOURCE_DATE_EPOCH before running fs tests
* Pull in upstream patches to harden font and image handling -
CVE-2022-2601, CVE-2022-3775.
* Bump SBAT level to 3 for grub-efi packages
-- Steve McIntyre <93sam@debian.org> Sun, 13 Nov 2022 00:33:35 +0000
grub2 (2.06-4) unstable; urgency=high
[ Steve McIntyre ]
* Updated the 2.06-3 changelog to mention closure of CVE-2022-28736
* Add a commented-out GRUB_DISABLE_OS_PROBER section to
/etc/default/grub to make it easier for users to turn os-prober
back on if they want it. Closes: #1013797, #1009336
* Add smbios to the signed grub efi images. Closes: #1008106
* Add serial to the signed grub efi images. Closes: #1013962
* grub2-common: Remove dependency on install-info, it's apparently
not needed. Closes: #1013698
* Don't strip Xen binaries so they work again. Closes: #1017944.
Thanks to Valentin Kleibel for the patch.
-- Steve McIntyre <93sam@debian.org> Wed, 14 Sep 2022 22:35:49 +0100
grub2 (2.06-3) unstable; urgency=medium
[ Colin Watson ]
* Update a few leftover uses of "which" to use "command -v" instead.
* Remove some old Lintian overrides.
* Trim trailing whitespace.
* debian/copyright: use spaces rather than tabs to start continuation lines.
* Add missing ${misc:Depends} to Depends for grub-efi-ia32-signed-template,
grub-efi-amd64-signed-template, grub-efi-arm64-signed-template.
* Bump debhelper from old 10 to 13.
* Set upstream metadata fields: Bug-Submit (from ./configure), Repository,
Repository-Browse.
* Drop now-unnecessary sparc PIE workaround from debian/rules (thanks,
John Paul Adrian Glaubitz; closes: #952815).
[ Debconf translations ]
* [id] Indonesian (Andika Triwidada; closes: #1007706).
[ Julian Andres Klode ]
* Add Julian Andres Klode to uploaders
* Disable building with LTO, as used in Ubuntu and possibly other
downstreams (maybe Debian one day), as that breaks the build.
* SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
write in heap.
- 0070-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
video/readers/png: Drop greyscale support to fix heap out-of-bounds write
- CVE-2021-3695
* SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
huffman table handling.
- 0071-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
video/readers/png: Avoid heap OOB R/W inserting huff table items
- CVE-2021-3696
* SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
the heap.
- 0076-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
video/readers/jpeg: Block int underflow -> wild pointer write
- CVE-2021-3697
* SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
- 0079-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
maths safely
- CVE-2022-28733
* SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
- 0085-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
OOB write for split http headers
- CVE-2022-28734
* SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
- 0066-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
kern/efi/sb: Reject non-kernel files in the shim_lock verifier
- CVE-2022-28735
- Closes: #1001057
* SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
- 0063-loader-efi-chainloader-Simplify-the-loader-state.patch:
loader/efi/chainloader: simplify the loader state
- 0064-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
Add API to pass context to loader
- 0065-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
loader/efi/chainloader: Use grub_loader_set_ex
- 0066-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
loader/i386/efi/linux: Use grub_loader_set_ex
- CVE-2022-28736
* Various fixes as a result of fuzzing and static analysis:
- 0067-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
kern/file: Do not leak device_name on error in grub_file_open()
- 0068-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
video/readers/png: Abort sooner if a read operation fails
- 0069-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
video/readers/png: Refuse to handle multiple image headers
- 0072-video-readers-png-Sanity-check-some-huffman-codes.patch:
video/readers/png: Sanity check some huffman codes
- 0073-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
video/readers/jpeg: Abort sooner if a read operation fails
- 0074-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
video/readers/jpeg: Do not reallocate a given huff table
- 0075-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
video/readers/jpeg: Refuse to handle multiple start of streams
- 0077-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
normal/charset: Fix array out-of-bounds formatting unicode for display
- 0078-net-netbuff-Block-overly-large-netbuff-allocs.patch:
net/netbuff: Block overly large netbuff allocs
- 0080-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
net/dns: Fix double-free addresses on corrupt DNS response
- 0081-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
net/dns: Don't read past the end of the string we're checking against
- 0082-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
net/tftp: Prevent a UAF and double-free from a failed seek
- 0083-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
- 0084-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
net/http: Do not tear down socket if it's already been torn down
- 0086-net-http-Error-out-on-headers-with-LF-without-CR.patch:
net/http: Error out on headers with LF without CR
- 0087-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
fs/f2fs: Do not read past the end of nat journal entries
- 0088-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
fs/f2fs: Do not read past the end of nat bitmap
- 0089-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
fs/f2fs: Do not copy file names that are too long
- 0090-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
fs/btrfs: Fix several fuzz issues with invalid dir item sizing
- 0091-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
- 0092-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
fs/btrfs: Fix more fuzz issues related to chunks
* Bump SBAT generation:
- update debian/sbat.debian.csv.in
-- Julian Andres Klode <jak@debian.org> Fri, 10 Jun 2022 11:15:11 +0200
grub2 (2.06-2ubuntu18) mantic; urgency=medium
* Cherry-pick "RISC-V: Handle R_RISCV_CALL_PLT reloc" (LP: #2022379)
* Drop i386 from grub-efi-amd64* (LP: #2020907)
* Turn depends on grub-efi-amd64/arm64 unversioned
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 05 Jun 2023 18:55:05 +0200
grub2 (2.06-2ubuntu17) lunar; urgency=medium
* Cherry-pick more upstream memory patches (LP: #2004643)
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 20 Feb 2023 17:24:10 +0100
grub2 (2.06-2ubuntu16) lunar; urgency=medium
* Cherry-pick all memory patches from rhboot
- Allocate initrd > 4 GB (LP: #1842320)
- Allocate kernels as code, not data (needed for newer firmware)
* ubuntu: Fix casts on i386-efi target
* Cherry-pick all the 2.12 memory management changes (LP: #1842320)
* Allocate executables as CODE, not DATA in chainloader and arm64
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 09 Dec 2022 17:11:44 +0100
grub2 (2.06-2ubuntu15) lunar; urgency=medium
* grub-multi-install: Reset partition type between partitions (LP: #1997795)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 01 Dec 2022 16:30:53 +0100
grub2 (2.06-2ubuntu14) kinetic; urgency=medium
* SECURITY UPDATE: Fix out of bounds writes due to specially crafted fonts.
- add debian/patches/font-Fix-several-integer-overflows-in-grub_font_construct.patch
- add debian/patches/font-Fix-an-integer-underflow-in-blit_comb.patch
- CVE-2022-2601, CVE-2022-3775
- LP: #1996950
* Fix various issues as a result of fuzzing, static analysis and code
review:
- add debian/patches/font-Reject-glyphs-exceeds-font-max_glyph_width-or-font-m.patch
- add debian/patches/font-Fix-size-overflow-in-grub_font_get_glyph_internal.patch
- add debian/patches/font-Remove-grub_font_dup_glyph.patch
- add debian/patches/font-Fix-integer-overflow-in-ensure_comb_space.patch
- add debian/patches/font-Fix-integer-overflow-in-BMP-index.patch
- add debian/patches/font-Fix-integer-underflow-in-binary-search-of-char-index.patch
- add debian/patches/fbutil-Fix-integer-overflow.patch
- add debian/patches/font-Harden-grub_font_blit_glyph-and-grub_font_blit_glyph.patch
- add debian/patches/font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch
- add debian/patches/normal-charset-Fix-an-integer-overflow-in-grub_unicode_ag.patch
* Enforce verification of fonts when secure boot is enabled:
- add debian/patches/kern-efi-sb-Enforce-verification-of-font-files.patch
* Bundle unicode.pf2 in a squashfs memdisk attached to the signed EFI binary
- update debian/control
- update debian/build-efi-image
- add debian/patches/font-Try-opening-fonts-from-the-bundled-memdisk.patch
* Fix LP: #1997006 - add support for performing measurements to RTMRs
- add debian/patches/commands-efi-tpm-Refine-the-status-of-log-event.patch
- add debian/patches/commands-efi-tpm-Use-grub_strcpy-instead-of-grub_memcpy.patch
- add debian/patches/efi-tpm-Add-EFI_CC_MEASUREMENT_PROTOCOL-support.patch
* Fix the squashfs tests during the build
- remove debian/patches/ubuntu-fix-reproducible-squashfs-test.patch
- add debian/patches/tests-Explicitly-unset-SOURCE_DATE_EPOCH-before-running-f.patch
* Bump SBAT generation:
- update debian/sbat.ubuntu.csv.in
-- Chris Coulson <chris.coulson@canonical.com> Wed, 16 Nov 2022 14:40:42 +0000
grub2 (2.06-2ubuntu13) kinetic; urgency=medium
* Try to pick better locations for kernel and initrd (LP: #1989446)
* x86-efi: Use bounce buffers for reading to addresses > 4GB (enhances
firmware compatibility of previous change)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 20 Oct 2022 21:18:25 +0200
grub2 (2.06-2ubuntu12) kinetic; urgency=medium
* ubuntu-zfs-enhance-support.patch: Fix missing lines (LP: #1990143)
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 19 Sep 2022 16:00:47 +0200
grub2 (2.06-2ubuntu11) kinetic; urgency=medium
[ Mauricio Faria de Oliveira ]
* linux_xen: Properly handle multiple initrd files (LP: #1987567)
- d/p/linux_xen-Properly-load-multiple-initrd-files.patch
- d/p/linux_xen-Properly-order-multiple-initrd-files.patch
* Fix for ZFS snapshots without etc directory.
Thanks to Adam R Bell <a_0x07@protonmail.ch> (LP: #1965983)
[ Heinrich Schuchardt ]
* efi/peimage: fix typos in code comments
[ dann frazier ]
* linuxefi: Invalidate i-cache before starting the kernel (LP: #1987924)
- d/p/linuxefi-Invalidate-i-cache-before-starting-the-kern.patch
-- dann frazier <dannf@ubuntu.com> Wed, 14 Sep 2022 12:35:29 -0600
grub2 (2.06-2ubuntu10) kinetic; urgency=medium
[ Chris Coulson ]
* SECURITY UPDATE: Crafted PNG grayscale images may lead to out-of-bounds
write in heap.
- 0139-video-readers-png-Drop-greyscale-support-to-fix-heap.patch:
video/readers/png: Drop greyscale support to fix heap out-of-bounds write
- CVE-2021-3695
* SECURITY UPDATE: Crafted PNG image may lead to out-of-bound write during
huffman table handling.
- 0140-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff-.patch:
video/readers/png: Avoid heap OOB R/W inserting huff table items
- CVE-2021-3696
* SECURITY UPDATE: Crafted JPEG image can lead to buffer underflow write in
the heap.
- 0145-video-readers-jpeg-Block-int-underflow-wild-pointer-.patch:
video/readers/jpeg: Block int underflow -> wild pointer write
- CVE-2021-3697
* SECURITY UPDATE: Integer underflow in grub_net_recv_ip4_packets
- 0148-net-ip-Do-IP-fragment-maths-safely.patch: net/ip: Do IP fragment
maths safely
- CVE-2022-28733
* SECURITY UPDATE: Out-of-bounds write when handling split HTTP headers
- 0154-net-http-Fix-OOB-write-for-split-http-headers.patch: net/http: Fix
OOB write for split http headers
- CVE-2022-28734
* SECURITY UPDATE: shim_lock verifier allows non-kernel files to be loaded
- 0135-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch:
kern/efi/sb: Reject non-kernel files in the shim_lock verifier
- CVE-2022-28735
* SECURITY UPDATE: use-after-free in grub_cmd_chainloader()
- 0130-loader-efi-chainloader-simplify-the-loader-state.patch:
loader/efi/chainloader: simplify the loader state
- 0131-commands-boot-Add-API-to-pass-context-to-loader.patch: commands/boot:
Add API to pass context to loader
- 0132-loader-efi-chainloader-Use-grub_loader_set_ex.patch:
loader/efi/chainloader: Use grub_loader_set_ex
- 0133-loader-i386-efi-linux-Use-grub_loader_set_ex.patch:
loader/i386/efi/linux: Use grub_loader_set_ex
* Various fixes as a result of fuzzing and static analysis:
- 0129-loader-efi-chainloader-grub_load_and_start_image-doe.patch:
loader/efi/chainloader: grub_load_and_start_image doesn't load and start
- 0134-loader-i386-efi-linux-Fix-a-memory-leak-in-the-initr.patch:
loader/i386/efi/linux: Fix a memory leak in the initrd command
- 0136-kern-file-Do-not-leak-device_name-on-error-in-grub_f.patch:
kern/file: Do not leak device_name on error in grub_file_open()
- 0137-video-readers-png-Abort-sooner-if-a-read-operation-f.patch:
video/readers/png: Abort sooner if a read operation fails
- 0138-video-readers-png-Refuse-to-handle-multiple-image-he.patch:
video/readers/png: Refuse to handle multiple image headers
- 0141-video-readers-png-Sanity-check-some-huffman-codes.patch:
video/readers/png: Sanity check some huffman codes
- 0142-video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch:
video/readers/jpeg: Abort sooner if a read operation fails
- 0143-video-readers-jpeg-Do-not-reallocate-a-given-huff-ta.patch:
video/readers/jpeg: Do not reallocate a given huff table
- 0144-video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch:
video/readers/jpeg: Refuse to handle multiple start of streams
- 0146-normal-charset-Fix-array-out-of-bounds-formatting-un.patch:
normal/charset: Fix array out-of-bounds formatting unicode for display
- 0147-net-netbuff-Block-overly-large-netbuff-allocs.patch:
net/netbuff: Block overly large netbuff allocs
- 0149-net-dns-Fix-double-free-addresses-on-corrupt-DNS-res.patch:
net/dns: Fix double-free addresses on corrupt DNS response
- 0150-net-dns-Don-t-read-past-the-end-of-the-string-we-re-.patch:
net/dns: Don't read past the end of the string we're checking against
- 0151-net-tftp-Prevent-a-UAF-and-double-free-from-a-failed.patch:
net/tftp: Prevent a UAF and double-free from a failed seek
- 0152-net-tftp-Avoid-a-trivial-UAF.patch: net/tftp: Avoid a trivial UAF
- 0153-net-http-Do-not-tear-down-socket-if-it-s-already-bee.patch:
net/http: Do not tear down socket if it's already been torn down
- 0155-net-http-Error-out-on-headers-with-LF-without-CR.patch:
net/http: Error out on headers with LF without CR
- 0156-fs-f2fs-Do-not-read-past-the-end-of-nat-journal-entr.patch:
fs/f2fs: Do not read past the end of nat journal entries
- 0157-fs-f2fs-Do-not-read-past-the-end-of-nat-bitmap.patch:
fs/f2fs: Do not read past the end of nat bitmap
- 0158-fs-f2fs-Do-not-copy-file-names-that-are-too-long.patch:
fs/f2fs: Do not copy file names that are too long
- 0159-fs-btrfs-Fix-several-fuzz-issues-with-invalid-dir-it.patch:
fs/btrfs: Fix several fuzz issues with invalid dir item sizing
- 0160-fs-btrfs-Fix-more-ASAN-and-SEGV-issues-found-with-fu.patch:
fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
- 0161-fs-btrfs-Fix-more-fuzz-issues-related-to-chunks.patch:
fs/btrfs: Fix more fuzz issues related to chunks
* Bump SBAT generation:
- update debian/sbat.ubuntu.csv.in
* Make the grub2/no_efi_extra_removable setting work correctly
- update debian/postinst.in
* Build grub2-unsigned packages with xz compression for compatibility
with xenial dpkg
- update debian/rules
[ Steve Langasek ]
* Bump versioned dependency on grub2-common to 2.02~beta2-36ubuntu3.32 for
necessary arm relocation support. LP: #1926748.
* debian/postinst.in: Unconditionally call grub-install with
--force-extra-removable on xenial and bionic, so that the \EFI\BOOT
removable path as used in cloud images receives the updates. LP: #1930742.
-- Chris Coulson <chris.coulson@canonical.com> Tue, 07 Jun 2022 17:36:27 +0100
grub2 (2.06-2ubuntu7) jammy; urgency=medium
[ Heinrich Schuchardt ]
* Disable LOAD FILE2 protocol for initrd on ARM (LP: #1967562)
-- dann frazier <dannf@ubuntu.com> Fri, 15 Apr 2022 15:50:11 -0600
grub2 (2.06-2ubuntu6) jammy; urgency=medium
[ Heinrich Schuchardt ]
* efivar: check that efivarfs is writeable (LP: #1965288)
[ Dimitri John Ledkov ]
* Do not validate kernels twice. (LP: #1964943)
[ Heinrich Schuchardt ]
* efi: EFI Device Tree Fixup Protocol (LP: #1965796)
* fdt: add debug output to devicetree command
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 25 Mar 2022 16:03:11 +0100
grub2 (2.06-2ubuntu5) jammy; urgency=medium
[ Julian Andres Klode ]
* Free correct size when freeing params, rather than 16 Ki (LP: #1958623)
* Build with FUSE3 (LP: #1935659)
* Only run os-prober on first run and if it previously found other OS
(LP: #1955109)
[ Heinrich Schuchardt ]
* Rename grub-core/loader/efi/linux.c
* Add patches for GRUB on RISC-V
* fat: fix listing the root directory
* Enable building for RISC-V (LP: #1876620)
[ Julian Andres Klode ]
* Re-enable peimage code on other archs outside secure boot; this
fixes LP: #1947046 when not booting in secure boot mode (secure
boot pending security review of the code)
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 18 Feb 2022 17:21:16 +0100
grub2 (2.06-2ubuntu4) jammy; urgency=medium
* UBUNTU: Move verifiers after decompressors (LP: #1954683)
* grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 10 Jan 2022 14:52:04 +0100
grub2 (2.06-2ubuntu3) jammy; urgency=medium
* Cherry-pick the missing hunk back that changes parameter loading
in grub-core/loader/i386/linux.c, this should fix booting on
BIOS systems.
* Fix the fallback for kernel addresses on amd64 EFI, if the kernel
could not be allocated at the preferred address, reset errno such
that if the 2nd allocation succeeds, we do not fail erroneously.
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 13 Dec 2021 14:27:53 +0100
grub2 (2.06-2ubuntu2) jammy; urgency=medium
* Restore still relevant patches lost in rebase.
They got lost in a first rebase, when we did not include
ubuntu-linuxefi.patch as they modify code in there.
- no-devicetree-if-secure-boot.patch
- 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch
- 0096-linuxefi-fail-kernel-validation-without-shim-protoco.patch
- 0099-chainloader-Avoid-a-double-free-when-validation-fail.patch
- 0105-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch
-- Julian Andres Klode <juliank@ubuntu.com> Wed, 08 Dec 2021 17:14:50 +0100
grub2 (2.06-2ubuntu1) jammy; urgency=medium
* Merge from Debian unstable; remaining changes:
- Build without lto
- Add Ubuntu sbat data
- Make prebuilt netboot image look for MAAS grub.cfg
- build-efi-images: add smbios module to the prebuilt signed EFI images
(LP: 1856424)
- build-efi-images: do not produce -installer.efi.signed. LP: 1863994
- build-efi-images: Add http to netboot images
- grub-common: Install canonical-uefi-ca.crt
- Check signatures
- minilzo: built using the distribution's minilzo
- Support installing to multiple ESP (LP: 1871821)
- Disable various bits on i386
- Split out unsigned artefacts into grub2-unsigned
- Vcs-Git: Point to ubuntu packaging branch
- Relax dependencies on grub-common and grub2-common
- grub-pc: Avoid the possibility of breaking grub on SRU update due
to ABI change
- UBUNTU: Default timeout changes
- Disable os-prober for ppc64el on the PowerNV platform (for Petitboot)
- dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar)
- Link grub-efi-{amd64,arm64}-bin docs directory
- grub-common.service: port init.d script to systemd unit. Add warning
message, when initrdless boot fails triggering fallback. LP: 1901553
- Removed patches:
- grub-install-extra-removable.patch
- grub-install-removable-shim.patch
- Added patches:
+ ubuntu-grub-install-extra-removable.patch
+ ubuntu-zfs-enhance-support.patch
+ ubuntu-zfs-gfxpayload-keep-default.patch
+ ubuntu-zfs-mkconfig-ubuntu-distributor.patch
+ ubuntu-zfs-mkconfig-signed-kernel.patch
+ ubuntu-zfs-maybe-quiet.patch
+ ubuntu-zfs-quick-boot.patch
+ ubuntu-zfs-gfxpayload-dynamic.patch
+ ubuntu-zfs-vt-handoff.patch
+ ubuntu-zfs-mkconfig-recovery-title.patch
+ ubuntu-zfs-insmod-xzio-and-lzopio-on-xen.patch
+ ubuntu-support-initrd-less-boot.patch
+ ubuntu-shorter-version-info.patch
+ ubuntu-add-initrd-less-boot-fallback.patch
+ ubuntu-mkconfig-leave-breadcrumbs.patch
+ ubuntu-fix-lzma-decompressor-objcopy.patch
+ ubuntu-temp-keep-auto-nvram.patch
+ ubuntu-add-devicetree-command-support.patch
+ ubuntu-boot-from-multipath-dependent-symlink.patch
+ ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
+ ubuntu-efi-allow-loopmount-chainload.patch
+ 0076-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
+ ubuntu-resilient-boot-ignore-alternative-esps.patch
+ ubuntu-resilient-boot-boot-order.patch
+ ubuntu-speed-zsys-history.patch
+ ubuntu-flavour-order.patch
+ ubuntu-dont-verify-loopback-images.patch
+ ubuntu-recovery-dis_ucode_ldr.patch
+ ubuntu-linuxefi-arm64.patch
+ ubuntu-add-initrd-less-boot-messages.patch
+ ubuntu-fix-reproducible-squashfs-test.patch
+ rhboot-f34-make-exit-take-a-return-code.patch
+ rhboot-f34-dont-use-int-for-efi-status.patch
+ rhboot-f34-make-pmtimer-tsc-calibration-fast.patch
+ suse-add-support-for-UEFI-network-protocols.patch
+ suse-AUDIT-0-http-boot-tracker-bug.patch
+ rhboot-f34-efinet-also-use-the-firmware-acceleration-for-http.patch
+ 0241-Call-hwmatch-only-on-the-grub-pc-platform.patch
* Dropped changes:
- Remove obsolete dependencies on dh-autoreconf and automake
- Remove explicit --with systemd in debhelper invocation
- Remove debian/gettext-patches; they do not seem to be necessary anymore
- Remove inadvertent change to debian/signing-template.json.in, we do not
use that file anyway.
- Merged upstream:
+ merged: 0074-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch
+ merged: 0075-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch
+ merged security patches 0081-0105, and 0128-0240
+ various cherry picks: cherry-* and cherrypick-*.patch
+ grub-install-backup-and-restore.patch
+ uefi-firmware-setup.patch
+ sleep-shift.patch
+ vsnprintf-upper-case-hex.patch
+ rhboot-f34-update-info-with-grub.cfg-netboot-selection-order.patch
+ suse-search-for-specific-config-files-for-netboot.patch
+ tftp-rollover-block-counter.patch
+ ubuntu-efi-console-set-text-mode-as-needed.patch
- Merged in Debian:
+ install-efi-ubuntu-flavours.patch
+ ubuntu-dejavu-font-path.patch
+ ubuntu-tpm-unknown-error-non-fatal.patch
- Not applicable:
+ 0077-ubuntu-Update-the-linux-boot-protocol-version-check.patch: The
check has been removed.
* Fix zstd build on s390x
* Cherry-pick two upstream fixes to fix closing of SNP protocol in EFI
networking stack
* Build with -O1 on s390x to avoid build failure due to gcc optimization
failure causing it to wrongly assume variables as uninitialized.
* Revert integration of jfs and f2fs modules into signed images, we do not
support these file systems on /boot.
-- Julian Andres Klode <juliank@ubuntu.com> Tue, 07 Dec 2021 13:40:32 +0100
grub2 (2.06-2) unstable; urgency=medium
* Update to minilzo-2.10, fixing build failures on armel, mips64el,
mipsel, and ppc64el.
-- Colin Watson <cjwatson@debian.org> Mon, 29 Nov 2021 00:10:09 +0000
grub2 (2.06-1) unstable; urgency=medium
* Use "command -v" in maintainer scripts rather than "which".
* New upstream release.
- Switch to the upstream shim_lock verifier, dropping several more
manual checks for UEFI Secure Boot.
* Cherry-pick from upstream:
- fs/xfs: Fix unreadable filesystem with v4 superblock
- tests/ahci: Change "ide-drive" deprecated QEMU device name to "ide-hd"
(closes: #997100)
* Remove dir_to_symlink maintainer script code, which was only needed for
upgrades from before jessie.
-- Colin Watson <cjwatson@debian.org> Sun, 28 Nov 2021 13:30:32 +0000
grub2 (2.04-20) unstable; urgency=medium
[ Mathieu Trudel-Lapierre ]
* tpm: Pass unknown error as non-fatal, but debug print the error we got
(closes: #940911, LP: #1848892).
-- Colin Watson <cjwatson@debian.org> Sun, 11 Jul 2021 00:37:36 +0100
grub2 (2.04-19) unstable; urgency=medium
* Resync grub-install backup and restore patches from upstream, fixing
problems that left the system unbootable after certain kinds of failure
(closes: #983435).
-- Colin Watson <cjwatson@debian.org> Sat, 19 Jun 2021 13:04:38 +0100
grub2 (2.04-18) unstable; urgency=medium
[ Steve McIntyre ]
* Enable the shim_lock and tpm modules for i386-efi too. Ensure that
tpm is included in our EFI images.
* List the modules we include in the EFI images - make it easier to
debug things.
* Add debug to display what's going on with verifiers
[ Colin Watson ]
* util/mkimage: Some fixes to PE binaries section size calculation
(closes: #987103).
-- Colin Watson <cjwatson@debian.org> Sun, 25 Apr 2021 16:20:17 +0100
grub2 (2.04-17) unstable; urgency=medium
* Pass --sbat when building the d-i netboot image as well.
* i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
#984488, #985374).
-- Colin Watson <cjwatson@debian.org> Fri, 19 Mar 2021 10:41:41 +0000
grub2 (2.04-16) unstable; urgency=medium
* Fix broken advice in message when the postinst has to bail out (thanks
to Daniel Leidert for pointing out the problem).
* Backport security patch series from upstream:
- verifiers: Move verifiers API to kernel image
- kern: Add lockdown support
- kern/lockdown: Set a variable if the GRUB is locked down
- efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
- efi: Use grub_is_lockdown() instead of hardcoding a disabled modules
list
- CVE-2020-14372: acpi: Don't register the acpi command when locked down
- CVE-2020-27779: mmap: Don't register cutmem and badram commands when
lockdown is enforced
- commands: Restrict commands that can load BIOS or DT blobs when locked
down
- commands/setpci: Restrict setpci command when locked down
- commands/hdparm: Restrict hdparm command when locked down
- gdb: Restrict GDB access when locked down
- loader/xnu: Don't allow loading extension and packages when locked
down
- docs: Document the cutmem command
- CVE-2020-25632: dl: Only allow unloading modules that are not
dependencies
- CVE-2020-25647: usb: Avoid possible out-of-bound accesses caused by
malicious devices
- mmap: Fix memory leak when iterating over mapped memory
- net/net: Fix possible dereference to of a NULL pointer
- net/tftp: Fix dangling memory pointer
- kern/parser: Fix resource leak if argc == 0
- kern/efi: Fix memory leak on failure
- kern/efi/mm: Fix possible NULL pointer dereference
- gnulib/regexec: Resolve unused variable
- gnulib/regcomp: Fix uninitialized token structure
- gnulib/argp-help: Fix dereference of a possibly NULL state
- gnulib/regexec: Fix possible null-dereference
- gnulib/regcomp: Fix uninitialized re_token
- io/lzopio: Resolve unnecessary self-assignment errors
- zstd: Initialize seq_t structure fully
- kern/partition: Check for NULL before dereferencing input string
- disk/ldm: Make sure comp data is freed before exiting from make_vg()
- disk/ldm: If failed then free vg variable too
- disk/ldm: Fix memory leak on uninserted lv references
- disk/cryptodisk: Fix potential integer overflow
- hfsplus: Check that the volume name length is valid
- zfs: Fix possible negative shift operation
- zfs: Fix resource leaks while constructing path
- zfs: Fix possible integer overflows
- zfsinfo: Correct a check for error allocating memory
- affs: Fix memory leaks
- libgcrypt/mpi: Fix possible unintended sign extension
- libgcrypt/mpi: Fix possible NULL dereference
- syslinux: Fix memory leak while parsing
- normal/completion: Fix leaking of memory when processing a completion
- commands/hashsum: Fix a memory leak
- video/efi_gop: Remove unnecessary return value of
grub_video_gop_fill_mode_info()
- video/fb/fbfill: Fix potential integer overflow
- video/fb/video_fb: Fix multiple integer overflows
- video/fb/video_fb: Fix possible integer overflow
- video/readers/jpeg: Test for an invalid next marker reference from a
jpeg file
- gfxmenu/gui_list: Remove code that coverity is flagging as dead
- loader/bsd: Check for NULL arg up-front
- loader/xnu: Fix memory leak
- loader/xnu: Free driverkey data when an error is detected in
grub_xnu_writetree_toheap()
- loader/xnu: Check if pointer is NULL before using it
- util/grub-install: Fix NULL pointer dereferences
- util/grub-editenv: Fix incorrect casting of a signed value
- util/glue-efi: Fix incorrect use of a possibly negative value
- script/execute: Fix NULL dereference in grub_script_execute_cmdline()
- commands/ls: Require device_name is not NULL before printing
- script/execute: Avoid crash when using "$#" outside a function scope
- CVE-2021-20225: lib/arg: Block repeated short options that require an
argument
- script/execute: Don't crash on a "for" loop with no items
- CVE-2021-20233: commands/menuentry: Fix quoting in setparams_prefix()
- kern/misc: Always set *end in grub_strtoull()
- video/readers/jpeg: Catch files with unsupported quantization or
Huffman tables
- video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
- video/readers/jpeg: Don't decode data before start of stream
- term/gfxterm: Don't set up a font with glyphs that are too big
- fs/fshelp: Catch impermissibly large block sizes in read helper
- fs/hfsplus: Don't fetch a key beyond the end of the node
- fs/hfsplus: Don't use uninitialized data on corrupt filesystems
- fs/hfs: Disable under lockdown
- fs/sfs: Fix over-read of root object name
- fs/jfs: Do not move to leaf level if name length is negative
- fs/jfs: Limit the extents that getblk() can consider
- fs/jfs: Catch infinite recursion
- fs/nilfs2: Reject too-large keys
- fs/nilfs2: Don't search children if provided number is too large
- fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
- io/gzio: Bail if gzio->tl/td is NULL
- io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
- io/gzio: Catch missing values in huft_build() and bail
- io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build()
fails
- disk/lvm: Don't go beyond the end of the data we read from disk
- disk/lvm: Don't blast past the end of the circular metadata buffer
- disk/lvm: Bail on missing PV list
- disk/lvm: Do not crash if an expected string is not found
- disk/lvm: Do not overread metadata
- disk/lvm: Sanitize rlocn->offset to prevent wild read
- disk/lvm: Do not allow a LV to be it's own segment's node's LV
- fs/btrfs: Validate the number of stripes/parities in RAID5/6
- fs/btrfs: Squash some uninitialized reads
- kern/parser: Fix a memory leak
- kern/parser: Introduce process_char() helper
- kern/parser: Introduce terminate_arg() helper
- kern/parser: Refactor grub_parser_split_cmdline() cleanup
- kern/buffer: Add variable sized heap buffer
- CVE-2020-27749: kern/parser: Fix a stack buffer overflow
- kern/efi: Add initial stack protector implementation
- util/mkimage: Remove unused code to add BSS section
- util/mkimage: Use grub_host_to_target32() instead of
grub_cpu_to_le32()
- util/mkimage: Always use grub_host_to_target32() to initialize PE
stack and heap stuff
- util/mkimage: Unify more of the PE32 and PE32+ header set-up
- util/mkimage: Reorder PE optional header fields set-up
- util/mkimage: Improve data_size value calculation
- util/mkimage: Refactor section setup to use a helper
- util/mkimage: Add an option to import SBAT metadata into a .sbat
section
- grub-install-common: Add --sbat option
- kern/misc: Split parse_printf_args() into format parsing and va_list
handling
- kern/misc: Add STRING type for internal printf() format handling
- kern/misc: Add function to check printf() format against expected
format
- gfxmenu/gui: Check printf() format in the gui_progress_bar and
gui_label
- kern/mm: Fix grub_debug_calloc() compilation error
* Add SBAT section (thanks, Chris Coulson).
-- Colin Watson <cjwatson@debian.org> Tue, 02 Mar 2021 18:00:00 +0000
grub2 (2.04-15) unstable; urgency=medium
* Demote grub-common → mtools dependency to Suggests, to go with xorriso;
explain the situation in the package description (closes: #982313).
-- Colin Watson <cjwatson@debian.org> Mon, 08 Feb 2021 21:39:24 +0000
grub2 (2.04-14) unstable; urgency=medium
[ Raphaël Hertzog ]
* Extend grub-efi to also cover arm64/ia64/arm (closes: #981819).
[ Colin Watson ]
* Cherry-pick from upstream:
- grub-install: Fix inverted test for NLS enabled when copying locales
(closes: #979754).
* Fix handling of trailing commas in grub-pc/install_devices (closes:
#913928).
* Make grub-firmware-qemu Recommend/Enhance qemu-system-x86, not qemu
(closes: #966243).
* Make grub-common depend on mtools on EFI platforms, for grub-mkrescue
(closes: #774910).
-- Colin Watson <cjwatson@debian.org> Sun, 07 Feb 2021 15:23:51 +0000
grub2 (2.04-13) unstable; urgency=medium
[ Steve McIntyre ]
* Switch to using the efivarfs interface for detecting "system setup"
(Closes: #979299)
-- Colin Watson <cjwatson@debian.org> Sat, 06 Feb 2021 17:30:38 +0000
grub2 (2.04-12) unstable; urgency=medium
* Cherry-pick from upstream:
- mdraid1x_linux: Fix gcc10 error -Werror=array-bounds
- zfs: Fix gcc10 error -Werror=zero-length-bounds
* Build with GCC 10 (closes: #978515).
-- Colin Watson <cjwatson@debian.org> Mon, 28 Dec 2020 22:33:23 +0000
grub2 (2.04-11) unstable; urgency=medium
* grub-install: Fix backup restoration on i386 (closes: #976671).
-- Colin Watson <cjwatson@debian.org> Sun, 06 Dec 2020 18:29:51 +0000
grub2 (2.04-10) unstable; urgency=medium
[ Ian Campbell ]
* Remove myself from uploaders.
[ Colin Watson ]
* When upgrading grub-pc noninteractively, bail out if grub-install fails.
It's better to fail the upgrade than to produce a possibly-unbootable
system.
* Explicitly check whether the target device exists before running
grub-install, since grub-install copies modules to /boot/grub/ before
installing the core image, and the new modules might be incompatible
with the old core image (closes: #966575).
* Cherry-pick from upstream:
- tftp: Roll-over block counter to prevent data packets timeouts
(LP: #1892290).
[ Dimitri John Ledkov ]
* grub-install: Add backup and restore.
* Don't call grub-install on fresh install of grub-pc. It's the job of
installers to do that after a fresh install.
-- Colin Watson <cjwatson@debian.org> Sun, 08 Nov 2020 16:26:08 +0000
grub2 (2.04-9) unstable; urgency=high
* Backport security patch series from upstream:
- CVE-2020-10713: yylex: Make lexer fatal errors actually be fatal
- safemath: Add some arithmetic primitives that check for overflow
- calloc: Make sure we always have an overflow-checking calloc()
available
- CVE-2020-14308: calloc: Use calloc() at most places
- CVE-2020-14309, CVE-2020-14310, CVE-2020-14311: malloc: Use overflow
checking primitives where we do complex allocations
- iso9660: Don't leak memory on realloc() failures
- font: Do not load more than one NAME section
- gfxmenu: Fix double free in load_image()
- xnu: Fix double free in grub_xnu_devprop_add_property()
- lzma: Make sure we don't dereference past array
- term: Fix overflow on user inputs
- udf: Fix memory leak
- multiboot2: Fix memory leak if grub_create_loader_cmdline() fails
- tftp: Do not use priority queue
- relocator: Protect grub_relocator_alloc_chunk_addr() input args
against integer underflow/overflow
- relocator: Protect grub_relocator_alloc_chunk_align() max_addr against
integer underflow
- script: Remove unused fields from grub_script_function struct
- CVE-2020-15706: script: Avoid a use-after-free when redefining a
function during execution
- relocator: Fix grub_relocator_alloc_chunk_align() top memory
allocation
- hfsplus: fix two more overflows
- lvm: fix two more potential data-dependent alloc overflows
- emu: make grub_free(NULL) safe
- efi: fix some malformed device path arithmetic errors
- Fix a regression caused by "efi: fix some malformed device path
arithmetic errors"
- update safemath with fallback code for gcc older than 5.1
- efi: Fix use-after-free in halt/reboot path
- linux loader: avoid overflow on initrd size calculation
* CVE-2020-15707: linux: Fix integer overflows in initrd size handling
* Apply overflow checking to allocations in Debian patches:
- bootp: Fix integer overflow in parse_dhcp6_option
- unix/config: Fix integer overflow in grub_util_load_config
- deviceiter: Fix integer overflow in grub_util_iterate_devices
-- Colin Watson <cjwatson@debian.org> Wed, 29 Jul 2020 17:58:37 +0100
grub2 (2.04-8) unstable; urgency=medium
[ Vincent Lefevre ]
* Fix typos in /etc/grub.d/05_debian_theme. Closes: #959484
[ Fabian Greffrath ]
* Change font dependency to fonts-dejavu-core. Closes: #912846
[ Colin Watson ]
* Cherry-pick from upstream:
- templates/20_linux_xen: Ignore xenpolicy and config files too.
- templates/20_linux_xen: Support Xen Security Modules (XSM/FLASK).
[ Ian Jackson ]
* 20_linux_xen: Do not load XSM policy in non-XSM options (closes:
#961673).
-- Colin Watson <cjwatson@debian.org> Sun, 07 Jun 2020 10:06:37 +0100
grub2 (2.04-7) unstable; urgency=medium
[ Christian Göttsche ]
* Create grub default configuration with default SELinux context.
[ Steve McIntyre ]
* In the signed packages, change the version dependency on
grub-common to be >= and not =. This will allow for installation
in unstable to still work in the window while we wait for the
template package to do its second trip through the archive.
* Tweak the build-dep architecture listing for libefiboot-dev and
libefivar-dev. The linux-* wildcards don't work in the way
expected, and were missing out (at least) armhf and armel.
Closes: #958461
-- Colin Watson <cjwatson@debian.org> Wed, 22 Apr 2020 14:52:13 +0100
grub2 (2.04-6) unstable; urgency=medium
[ Romain Perier ]
* Add f2fs module to signed UEFI images
[ Steve McIntyre ]
* Add jfs module to signed UEFI images. Closes: #950959
[ Colin Watson ]
* Drop mkconfig-mid-upgrade.patch; it was only needed for upgrades from
GRUB 1.99 (now a long time ago) and can inappropriately hide problems
when /etc/grub.d/00_header should have been updated but wasn't (closes:
#953201).
* Cherry-pick from upstream:
- btrfs: Add support for new RAID1C34 profiles (closes: #958236).
-- Colin Watson <cjwatson@debian.org> Mon, 20 Apr 2020 01:03:08 +0100
grub2 (2.04-5) unstable; urgency=medium
* Cherry-pick from upstream:
- verifiers: Blocklist fallout cleanup (this was one cause of a build
failure on hurd-i386, though may not be the only one).
* Only recommend grub-efi-*-signed on the architectures where they exist.
-- Colin Watson <cjwatson@debian.org> Mon, 16 Dec 2019 15:48:45 +0000
grub2 (2.04-4) unstable; urgency=medium
[ Thomas Gaugler ]
* Add leading / to prefix of network boot image for d-i.
[ Martin von Wittich ]
* upgrade-from-grub-legacy: Set DPKG_MAINTSCRIPT_NAME and
DPKG_MAINTSCRIPT_PACKAGE when calling grub-pc.postinst manually (closes:
#943387).
[ Colin Watson ]
* Use policy-compliant architecture wildcards in libefiboot-dev and
libefivar-dev build-dependencies.
* Build with GCC 9 (closes: #944166).
-- Colin Watson <cjwatson@debian.org> Fri, 08 Nov 2019 10:58:30 +0000
grub2 (2.04-3) unstable; urgency=medium
* Apply patch from James Clarke to fix BIOS Boot Partition support on
sparc64 (closes: #931969).
* Fix UEFI installation for Devuan (thanks, Ivan J.; closes: #932966).
* Add probe module to signed UEFI images (closes: #936082).
-- Colin Watson <cjwatson@debian.org> Fri, 30 Aug 2019 13:50:41 +0100
grub2 (2.04-2) unstable; urgency=medium
[ James Clarke ]
* Only Build-Depend on libefiboot-dev and libefivar-dev on Linux
architectures, since they're Linux-only.
[ Colin Watson ]
* Use debhelper-compat instead of debian/compat.
* debian/apport/source_grub2.py:
- Avoid star import.
- Fix flake8 errors.
* Run gentpl.py with python3.
-- Colin Watson <cjwatson@debian.org> Sat, 03 Aug 2019 13:42:49 +0100
grub2 (2.04-1ubuntu48) jammy; urgency=medium
* d/p/0241-Call-hwmatch-only-on-the-grub-pc-platform.patch:
Fix "error: can't find command `hwmatch'." on non-i386/pc
platforms such as x86_64/efi. (LP: #1840560)
-- Mauricio Faria de Oliveira <mfo@canonical.com> Thu, 04 Nov 2021 10:48:06 -0300
grub2 (2.04-1ubuntu47) impish; urgency=medium
* Drop grub.cfg-400.patch (LP: #1933826)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 02 Sep 2021 14:37:43 +0200
grub2 (2.04-1ubuntu46) impish; urgency=medium
* debian/grub-common.service: change type to oneshot, add wantedby
sleep.target, after sleep.target. The service will now start after
resume from hibernation. LP: #1929860
* grub-initrd-fallback.service: add wantedby sleep.target, after
sleep.target. The service will now start after resume from
hibernation. LP: #1929860
* cherrypick upstream fix to make armhf efi boot work. LP: #1788940
* debian/rules: disable LTO. LP: #1922005
* grub-initrd-fallback.service, debian/grub-common.service: only start
units when booted with grub. Use presence of /boot/grub/grub.cfg as
proxy. LP: #1925507
* tests: patch qemu command to use ide-hd instead of the removed
ide-drive.
-- Dimitri John Ledkov <dimitri.ledkov@canonical.com> Fri, 16 Jul 2021 14:01:31 +0100
grub2 (2.04-1ubuntu45) hirsute; urgency=medium
* Unapply all patches.
* Stop using git-dpm.
* Start using gbp pq import|export --no-patch-numbers, this brings grub2
packaging closer to other non-debian distributions.
* It would be nice to separate patches into topic subdirs -
i.e. reverts, upstream cherry picks, debian, ubuntu, rhel, security,
etc.
* Drop redundant dh-systemd build-dependency.
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 30 Mar 2021 11:55:05 +0100
grub2 (2.04-1ubuntu44) hirsute; urgency=medium
* Compile grub-efi-amd64 installable i386 platform on hirsute, to make
it available in bionic and earlier as part of onegrub builds.
-- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 03 Mar 2021 11:42:28 +0000
grub2 (2.04-1ubuntu42) hirsute; urgency=medium
* SECURITY UPDATE: acpi command allows privileged user to load crafted
ACPI tables when secure boot is enabled.
- 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
register the acpi command when secure boot is enabled.
- CVE-2020-14372
* SECURITY UPDATE: use-after-free in rmmod command
- 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
allow rmmod to unload modules that are dependencies of other modules.
- CVE-2020-25632
* SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
- 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- CVE-2020-25647
* SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
- 0206-kern-parser-Introduce-process_char-helper.patch,
0207-kern-parser-Introduce-terminate_arg-helper.patch,
0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
sized heap buffer type and use this.
- CVE-2020-27749
* SECURITY UPDATE: cutmem command allows privileged user to remove memory
regions when Secure Boot is enabled.
- 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
Don't register cutmem and badram commands when secure boot is enabled.
- CVE-2020-27779
* SECURITY UPDATE: heap out-of-bounds write in short form option parser.
- 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
Block repeated short options that require an argument.
- CVE-2021-20225
* SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
required for quoting.
- 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
quoting in setparams_prefix()
- CVE-2021-20233
* Partially backport the lockdown framework to restrict certain features
when secure boot is enabled.
* Backport various fixes for Coverity defects.
* Add SBAT metadata to the grub EFI binary.
- Backport patches to support adding SBAT metadata with grub-mkimage:
+ 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
+ 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
+ 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
+ 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
+ 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
+ 0217-util-mkimage-Improve-data_size-value-calculation.patch
+ 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
+ 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
- Add debian/sbat.csv.in
- Update debian/build-efi-image and debian/rules
[ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
* Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
src:grub2-unsigned (potentially of a higher version number).
* Add debian/rules generate-grub2-unsigned target to quickly build
src:grub2-unsigned for binary-copy backports.
* postinst: allow postinst to work with or without grub-multi-install
binary.
* postinst: allow using various grub-install options to achieve
--no-extra-removable.
* postinst: only call grub-check-signatures if it exists.
* control: relax dependency on grub2-common, as maintainer script got
fixed up to work with grub2-common/grub-common as far back as trusty.
* control: allow higher version dependencies from grub-efi package.
* dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
postinst script uses that directory, and yet relies on grub-common to
create/ship it, which is not true in older releases. Also make sure
dh_installdirs runs after the .dirs files are generated.
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 23 Feb 2021 16:23:39 +0000
grub2 (2.04-1ubuntu41) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
-- Matthias Klose <doko@ubuntu.com> Mon, 22 Feb 2021 10:33:38 +0100
grub2 (2.04-1ubuntu40) hirsute; urgency=medium
* Revert: rhboot-f34-tcp-add-window-scaling-support.patch,
rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch: these break MAAS
LXD KVM pod deployments. LP: #1915288
-- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 12 Feb 2021 20:29:16 +0000
grub2 (2.04-1ubuntu39) hirsute; urgency=medium
* Cherrypick a bunch of patches:
- fix crash in http LP: #1915288
- add bootp6 documentation
- add support for UEFI boot protocols
- use UEFI protocols for http & https networking
- make netboot search for by-mac/by-uuid/by-ip for grub.cfg
- update documentation for netboot search paths of grub.cfg
* Make prebuilt netboot image look for MAAS grub.cfg
* Fix grub-initrd-fallback.service thanks to JawnSmith LP: #1910815
-- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 12 Feb 2021 00:42:07 +0000
grub2 (2.04-1ubuntu38) hirsute; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* Fix warnings during grub menu generation. Thanks wdoekes for the patch
(LP: #1898177)
- Fix warnings when bpool doesn't exist.
- Fix warnings when snapshot name contains dashes.
* Do not fail to generate grub menu when name of the snapshot contains
spaces. (LP: #1903524)
-- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com> Mon, 08 Feb 2021 10:50:21 +0100
grub2 (2.04-1ubuntu37) hirsute; urgency=medium
* debian/patches/grub-install-backup-and-restore.patch: Fix-up the patch
to correctly initialize the names of the modules to restore. LP:
#1907085
* 10_linux: emit messages when initrdless boot is configured, attempted
and fails triggering fallback. LP: #1901553
* grub-common.service: port init.d script to systemd unit. Add warning
message, when initrdless boot fails triggering fallback. LP: #1901553
* debian/rules: undo po/ directory patching in
override_dh_autoreconf_clean.
* minilzo: built using the distribution's minilzo
* ubuntu-fix-reproducible-squashfs-test.patch: fix squashfs-test with
new squashfs-tools in hirsute.
* rhboot-f34-make-exit-take-a-return-code.patch,
rhboot-f34-dont-use-int-for-efi-status.patch: allow grub to exit
non-zero under EFI, this should allow falling back to the next
BootOrder BootEntry.
* rhboot-f34-tcp-add-window-scaling-support.patch: speed up netboot
transfer speed.
* rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch:
add support for link layer addresses of up to 32-bytes.
* rhboot-f34-make-pmtimer-tsc-calibration-fast.patch:
speed up calibration time, especially when booting VMs.
-- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 12 Dec 2020 00:50:47 +0000
grub2 (2.04-1ubuntu36) hirsute; urgency=medium
* Avoid "EFI stub: FIRMWARE BUG" message when booting >= 5.7 kernels
on arm64 by setting the image base address before jumping to the
PE/COFF entry point LP: #1900774
* Fix tftp timeouts when fetching large files. LP: #1900773
-- dann frazier <dannf@ubuntu.com> Wed, 11 Nov 2020 07:17:49 -0700
grub2 (2.04-1ubuntu35) groovy; urgency=medium
* postinst.in, grub-multi-install: fix logic of skipping installing onto
any device, if one chose to not install bootloader on any device. LP:
#1896608
* Do not finalize params twice on arm64. LP: #1897819
-- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 01 Oct 2020 22:59:51 +0800
grub2 (2.04-1ubuntu34) groovy; urgency=medium
* configure.ac: one more dejavu font search path
-- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 14 Sep 2020 10:53:07 +0100
grub2 (2.04-1ubuntu33) groovy; urgency=medium
* Build-depend on fonts-dejavu-core, not obsolete ttf-dejavu-core.
-- Steve Langasek <steve.langasek@ubuntu.com> Sun, 13 Sep 2020 23:49:08 -0700
grub2 (2.04-1ubuntu32) groovy; urgency=medium
* ubuntu-linuxefi-arm64.patch: Fix build on armhf
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 11 Sep 2020 20:33:34 +0200
grub2 (2.04-1ubuntu31) groovy; urgency=medium
* ubuntu-linuxefi-arm64.patch: Restore arm64 parts of ubuntu-linuxefi.patch
that got lost in the 2.04 rebase (LP: #1862279)
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 11 Sep 2020 17:49:50 +0200
grub2 (2.04-1ubuntu30) groovy; urgency=medium
* postinst.in: do not attempt to call grub-install upon fresh install of
grub-pc because it is a job of installers to do that after fresh
install.
* grub-multi-install: fix non-interactive failures for grub-efi like it
was fixed in postinst for grub-pc.
-- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 03 Sep 2020 14:54:23 +0100
grub2 (2.04-1ubuntu29) groovy; urgency=medium
* grub-install: cherry-pick patch from grub-devel to make grub-install
fault tolerant. Create backup of files in /boot/grub, and restore them
on failure to complete grub-install. LP: #1891680
* postinst.in: do not exit successfully when failing to show critical
grub-pc/install_devices_failed and grub-pc/install_devices_empty
prompts in non-interactive mode. This enables surfacing upgrade errors
to the users and/or automation. LP: #1891680
* postinst.in: Fixup postinst.in, to attempt grub-install upon explicit
dpkg-reconfigure grub-pc. LP: #1892526
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 01 Sep 2020 20:04:44 +0100
grub2 (2.04-1ubuntu28) groovy; urgency=medium
* Ensure that grub-multi-install can always find templates (LP: #1879948)
* Fix changelog entries for security update
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 10 Aug 2020 15:07:29 +0200
grub2 (2.04-1ubuntu27) groovy; urgency=medium
* debian/patches/ubuntu-flavour-order.patch:
- Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel
flavours as preferred, and specify an order between those preferred
flavours (LP: #1882663)
* debian/patches/ubuntu-zfs-enhance-support.patch:
- Use version_find_latest for ordering kernels, so it also supports
the GRUB_FLAVOUR_ORDER setting.
* debian/patches/ubuntu-dont-verify-loopback-images.patch:
- disk/loopback: Don't verify loopback images (LP: #1878541),
Thanks to Chris Coulson for the patch
* debian/patches/ubuntu-recovery-dis_ucode_ldr.patch
- Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789)
* debian/patches/ubuntu-add-initrd-less-boot-fallback.patch:
- Merge changes from xnox to fix multiple initrds support (LP: #1878705)
* debian/patches/ubuntu-clear-invalid-initrd-spacing.patch:
- Remove, no longer needed thanks to xnox's patch
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 06 Aug 2020 14:47:52 +0200
grub2 (2.04-1ubuntu26.2) focal; urgency=medium
* debian/postinst.in: Avoid calling grub-install on upgrade of the grub-pc
package, since we cannot be certain that it will install to the correct
disk and a grub-install failure will render the system unbootable.
LP: #1889556.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 30 Jul 2020 17:34:25 -0700
grub2 (2.04-1ubuntu26.1) focal; urgency=medium
[ Julian Andres Klode ]
* Move gettext patches out of git-dpm's way, so it does not delete them
[ Chris Coulson ]
* SECURITY UPDATE: Heap buffer overflow when encountering commands that
cannot be tokenized to less than 8192 characters.
- 0082-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch: Make
fatal lexer errors actually be fatal
- CVE-2020-10713
* SECURITY UPDATE: Multiple integer overflow bugs that could result in
heap buffer allocations that were too small and subsequent heap buffer
overflows when handling certain filesystems, font files or PNG images.
- 0083-safemath-Add-some-arithmetic-primitives-that-check-f.patch: Add
arithmetic primitives that allow for overflows to be detected
- 0084-calloc-Make-sure-we-always-have-an-overflow-checking.patch:
Make sure that there is always an overflow checking implementation
of calloc() available
- 0085-calloc-Use-calloc-at-most-places.patch: Use calloc where
appropriate
- 0086-malloc-Use-overflow-checking-primitives-where-we-do-.patch: Use
overflow-safe arithmetic primitives when performing allocations
based on the results of operations that might overflow
- 0094-hfsplus-fix-two-more-overflows.patch: Fix integer overflows in
hfsplus
- 0095-lvm-fix-two-more-potential-data-dependent-alloc-over.patch: Fix
more potential integer overflows in lvm
- CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
* SECURITY UPDATE: Use-after-free when executing a command that causes
a currently executing function to be redefined.
- 0092-script-Remove-unused-fields-from-grub_script_functio.patch:
Remove unused fields from grub_script_function
- 0093-script-Avoid-a-use-after-free-when-redefining-a-func.patch:
Avoid a use-after-free when redefining a function during execution
- CVE-2020-15706
* SECURITY UPDATE: Integer overflows that could result in heap buffer
allocations that were too small and subsequent heap buffer overflows
during initrd loading.
- 0105-linux-Fix-integer-overflows-in-initrd-size-handling.patch: Fix
integer overflows in initrd size handling
- 0106-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch: Fix
integer overflows in linuxefi grub_cmd_initrd
- CVE-2020-15707
* Various fixes as a result of code review and static analysis:
- 0087-iso9660-Don-t-leak-memory-on-realloc-failures.patch: Fix a
memory leak on realloc failures when processing symbolic links
- 0088-font-Do-not-load-more-than-one-NAME-section.patch: Fix a
memory leak when processing font files with more than one NAME
section
- 0089-gfxmenu-Fix-double-free-in-load_image.patch: Zero self->bitmap
after it is freed in order to avoid a potential double free later on
- 0090-lzma-Make-sure-we-don-t-dereference-past-array.patch: Fix an
out-of-bounds read in LzmaEncode
- 0091-tftp-Do-not-use-priority-queue.patch: Refactor tftp to not use
priority queues and fix a double free
- 0096-efi-fix-some-malformed-device-path-arithmetic-errors.patch: Fix
various arithmetic errors with malformed device paths
- 0098-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch: Fix
a NULL deref in the chainloader command introduced by a previous
patch
- 0099-efi-Fix-use-after-free-in-halt-reboot-path.patch: Fix a
use-after-free in the halt and reboot commands by not freeing
allocated memory in these paths
- 0100-chainloader-Avoid-a-double-free-when-validation-fail.patch:
Avoid a double free in the chainloader command when validation fails
- 0101-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch:
Protect grub_relocator_alloc_chunk_addr input arguments against
integer overflow / underflow
- 0102-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch:
Protect grub_relocator_alloc_chunk_align max_addr argument against
integer underflow
- 0103-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch: Fix
grub_relocator_alloc_chunk_align top memory allocation
- 0104-linux-loader-avoid-overflow-on-initrd-size-calculati.patch:
Avoid overflow on initrd size calculation
[ Dimitri John Ledkov ]
* SECURITY UPDATE: Grub does not enforce kernel signature validation
when the shim protocol isn't present.
- 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
Fail kernel validation if the shim protocol isn't available
- CVE-2020-15705
-- Chris Coulson <chris.coulson@canonical.com> Mon, 20 Jul 2020 19:19:08 +0100
grub2 (2.04-1ubuntu26) focal; urgency=medium
[ Julian Andres Klode ]
* Move /boot/efi -> debconf migration into wrapper, so it runs everywhere
(LP: #1872077)
* Display disk name and size in the ESP selection dialog, instead of ???
[ Sebastien Bacher ]
* debian/patches/gettext,
debian/patches/rules:
- backport upstream patches to fix the list of translated strings,
reported on the ubuntu-translators mailing list. The changes would
be overwritten by autoreconf so applying from a rules override.
-- Julian Andres Klode <juliank@ubuntu.com> Wed, 15 Apr 2020 13:31:27 +0200
grub2 (2.04-1ubuntu25) focal; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* debian/patches/ubuntu-zfs-enhance-support.patch:
- fix trailing } when no advanced menu is printed
- ensure we unmount all temporary snapshots path before zfs collect them
out.
* debian/patches/ubuntu-speed-zsys-history.patch:
- Speed up navigating zsys history by reducing greatly grub.cfg file size.
It used to take eg 80 seconds when loading 100 system snapshots. This is
now instantaneous by using a function with parameters that the users can
still easily edit.
-- Didier Roche <didrocks@ubuntu.com> Mon, 13 Apr 2020 15:17:42 +0200
grub2 (2.04-1ubuntu24) focal; urgency=medium
* Support installing to multiple ESPs (LP: #1871821)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 09 Apr 2020 12:51:07 +0200
grub2 (2.04-1ubuntu23) focal; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* Performance improvements for update-grub on ZFS systems (LP: #1869885)
-- Didier Roche <didrocks@ubuntu.com> Tue, 31 Mar 2020 15:30:36 +0200
grub2 (2.04-1ubuntu22) focal; urgency=medium
* smbios: Add a --linux argument to apply linux modalias-like filtering
* Make the linux command in EFI grub always try EFI handover; thanks
to Chris Coulson for the patches (LP: #1864533)
-- Julian Andres Klode <juliank@ubuntu.com> Wed, 11 Mar 2020 17:46:35 +0100
grub2 (2.04-1ubuntu21) focal; urgency=medium
* Make ZFS menu generation depend on new zsysd binary instead of eoan
zsys compatibility symlink.
-- Didier Roche <didrocks@ubuntu.com> Wed, 26 Feb 2020 09:59:49 +0100
grub2 (2.04-1ubuntu20) focal; urgency=medium
* build-efi-images: do not produce -installer.efi.signed. LP: #1863994
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 25 Feb 2020 01:11:31 +0000
grub2 (2.04-1ubuntu19) focal; urgency=medium
* uefi-firmware: rename fwsetup menuentry to UEFI Firmware Settings
(LP: #1864547)
* build-efi-images: add smbios module to the prebuilt signed EFI images
(LP: #1856424)
-- Dimitri John Ledkov <xnox@ubuntu.com> Mon, 24 Feb 2020 20:34:13 +0000
grub2 (2.04-1ubuntu18) focal; urgency=medium
* Cherry-pick fix from Colin W. in debian to build with python3.
-- Didier Roche <didrocks@ubuntu.com> Thu, 06 Feb 2020 18:37:44 +0100
grub2 (2.04-1ubuntu17) focal; urgency=medium
* Fix ZFS menu generation with ZFS 0.8.x where mounted datasets can’t list
snapshots due to an upstream change.
https://github.com/zfsonlinux/zfs/issues/9958
-- Didier Roche <didrocks@ubuntu.com> Thu, 06 Feb 2020 18:20:16 +0100
grub2 (2.04-1ubuntu16) focal; urgency=medium
* Revert "Add smbios module to build-efi-images script" from previous
upload, pending review see https://bugs.launchpad.net/bugs/1856424
-- Dimitri John Ledkov <xnox@ubuntu.com> Sun, 15 Dec 2019 01:28:49 +0000
grub2 (2.04-1ubuntu15) focal; urgency=medium
* ubuntu-efi-allow-loopmount-chainload.patch:
- Enable chainloading EFI apps from loopmounts
* cherrypick-lsefisystab-define-smbios3.patch:
* cherrypick-smbios-modules.patch:
- Cherrypick from 2.05 module for retrieving SMBIOS information
* cherrypick-lsefisystab-show-dtb.patch:
- If dtb is provided by the firmware / DtbLoader driver, display it in
human form, rather than just UUID
-- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 13 Dec 2019 11:24:21 +0000
grub2 (2.04-1ubuntu14) focal; urgency=medium
* debian/patches/ubuntu-zfs-enhance-support.patch:
- Handle the case where grub-probe returns several devices for a single
pool (LP: #1848856). Thanks jpb for the report and the proposed patch.
- Add savedefault to non-recovery entries (LP: #1850202). Thanks Deltik
for the patch.
- Do not crash on invalid fstab and report the invalid entry.
(LP: #1849347) Thanks Deltik for the patch.
- When a pool fails to import, catch and display the error message and
continue with other pools. Import all the pools in readonly mode so we
can import other pools with unsupported features (LP: #1848399) Thanks
satmandu for the investigation and the proposed patch
-- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com> Mon, 18 Nov 2019 11:22:43 +0100
grub2 (2.04-1ubuntu13) focal; urgency=medium
* debian/patches/ubuntu-tpm-unknown-error-non-fatal.patch: treat "unknown"
TPM errors as non-fatal, but still write up the details as debug messages
so we can further track what happens with the systems throwing those up.
(LP: #1848892)
* debian/patches/ubuntu-linuxefi.patch: Drop extra check for Secure Boot
status in linuxefi_secure_validate(); it's unnecessary and blocking boot
in chainload (like chainloading Windows) when SB is disabled.
(LP: #1845289)
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 31 Oct 2019 17:58:47 -0400
grub2 (2.04-1ubuntu12) eoan; urgency=medium
* Move our identifier to com.ubuntu
As we are not going to own org.zsys, move our identifier under
com.ubuntu.zsys (LP: #1847711)
-- Didier Roche <didrocks@ubuntu.com> Fri, 11 Oct 2019 15:57:47 +0200
grub2 (2.04-1ubuntu11) eoan; urgency=medium
* Load all kernels (even those without .efi.signed) for secure boot mode
as those are signed kernels on ubuntu, loaded by the shim. (LP: #1847581)
-- Didier Roche <didrocks@ubuntu.com> Thu, 10 Oct 2019 11:40:44 +0200
grub2 (2.04-1ubuntu10) eoan; urgency=medium
* debian/patches/ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch:
skip /dev/disk/by-id/lvm-pvm-uuid entries from device iteration.
(LP: #1838525)
-- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Mon, 07 Oct 2019 23:23:54 -0300
grub2 (2.04-1ubuntu9) eoan; urgency=medium
* debian/patches/ubuntu-zfs-enhance-support.patch:
- Handle case of pure zfs only snapshots giving additional "}", and as
such, creating invalid grub menu.
Spotted by grubzfs-testsuite autopkgtests.
-- Didier Roche <didrocks@ubuntu.com> Wed, 02 Oct 2019 09:59:19 +0200
grub2 (2.04-1ubuntu8) eoan; urgency=medium
* debian/patches/install-signed.patch -> ubuntu-install-signed.patch:
Really fix the installation of UEFI artefacts to the distributor path (we
only want shim, grub, and MokManager, and shim's boot.csv there), and to
the removable /EFI/BOOT path (where we want shim and fallback only).
Rename the patch to ubuntu- like others that are Ubuntu-specific or
otherwise modified to avoid such confusion at merge time in the future.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 01 Oct 2019 11:29:24 -0400
grub2 (2.04-1ubuntu7) eoan; urgency=medium
* debian/patches/ubuntu-zfs-enhance-support.patch:
Disable history entry under some conditions:
- Don't show up if the system is a zsys one and zsys isn't installed
(LP: #1845333)
- Don't show for pure zfs systems: we identified multiple issues due
to the mount generator in upstream zfs which makes it incompatible.
Disable for now (LP: #1845913)
-- Didier Roche <didrocks@ubuntu.com> Mon, 30 Sep 2019 09:35:03 +0200
grub2 (2.04-1ubuntu6) eoan; urgency=medium
* debian/patches/install-signed.patch: fix paths for MokManager/fallback;
shim no longer ships these with a .signed suffix. (LP: #1845466)
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 26 Sep 2019 09:48:07 -0400
grub2 (2.04-1ubuntu5) eoan; urgency=medium
* d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: fix
mis-spelling of helper function in final computation of GRUB_DEVICE in
multipath case.
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Tue, 13 Aug 2019 08:56:16 +1200
grub2 (2.04-1ubuntu4) eoan; urgency=medium
* d/patches/ubuntu-boot-from-multipath-dependent-symlink.patch: when / is
multipathed there will be multiple paths to the partition, so using
root=UUID= exposes the boot process to udev races. In addition
grub-probe --target device / in this case reports /dev/dm-1 or similar --
better to use a symlink that depends on the multipath name. (LP: #1429327)
-- Michael Hudson-Doyle <michael.hudson@ubuntu.com> Tue, 06 Aug 2019 12:37:18 +1200
grub2 (2.04-1ubuntu3) eoan; urgency=medium
[ Mathieu Trudel-Lapierre ]
* debian/patches/ubuntu-add-devicetree-command-support.patch: import patch
into git-dpm: drop [PATCH] tag and add Patch-Name.
[ Didier Roche ]
* debian/patches/ubuntu-zfs-enhance-support.patch
- Don't patch autoregenerated files.
- rewrite generate MenuMeta implementation in shell (LP: #1834095)
mawk doesn't support \s and other array features.
+ Change \s by their space or tab equivalent.
+ Rewrite the menumeta generation in pure shell, which is easier to
debug, keeping globally the same algorithm
+ Support i18n in entry name generation.
Co-authored with Jean-Baptiste.
- Resplit all patches in debian/patches/*, so that we have upstreamable
and non upstreamable parts separate. Also, any change in 10_linux patch
will be reflected in 10_linux_zfs.
- Always import pools (using force), as we don't mount them. Ensure also
that we don't update the host cache, as we import all pools, and not
only those attached to that system.
-- Didier Roche <didrocks@ubuntu.com> Mon, 29 Jul 2019 08:08:48 +0200
grub2 (2.04-1ubuntu2) eoan; urgency=medium
* Add device-tree command support as installed by flash-kernel.
-- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 17 Jul 2019 23:47:27 +0100
grub2 (2.04-1ubuntu1) eoan; urgency=medium
* Merge against Debian; remaining changes:
- debian/control: Update Vcs fields for code location on Ubuntu.
- debian/control: Breaks shim (<< 13).
- debian/patches/linuxefi.patch: Secure Boot support: use newer patchset
from rhboot repo, flattened to a single patch.
- debian/patches/install_signed.patch, grub-install-extra-removable.patch:
- Make sure if we install shim; it should also be exported as the default
bootloader to install later to a removable path, if we do.
- Rework grub-install-extra-removable.patch to reverse its logic: in the
default case, install the bootloader to /EFI/BOOT, unless we're trying
to install on a removable device, or explicitly telling grub *not* to
do it.
- Install a BOOT.CSV for fallback to use.
- Make sure postinst and templates know about the replacement of
--force-extra-removable with --no-extra-removable.
- debian/patches/ubuntu-support-initrd-less-boot.patch: allow non-initrd
boot config.
- debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: If a kernel
fails to boot without initrd, we will fallback to trying to boot the
kernel with an initrd.
- debian/patches/ubuntu-mkconfig-leave-breadcrumbs.patch: make sure
grub-mkconfig leaves a trace of what files were sourced to help generate
the config we're building.
- debian/patches/ubuntu-efi-console-set-text-mode-as-needed.patch: in EFI
console, only set text-mode when we're actually going to need it.
- debian/patches/ubuntu-zfs-enhance-support.patch: Better ZFS grub support.
- Disable os-prober for ppc64el on the PowerNV platform, to reduce the
number of entries/clutter from other OSes in Petitboot
- debian/patches/ubuntu-shorter-version-info.patch: Only show the upstream
version in menu and console, and hide the package one in a
package_version variable.
- Verify that the current and newer kernels are signed when grub is
updated, to make sure people do not accidentally shut down without a
signed kernel.
- debian/default/grub: replace GRUB_HIDDEN_* variables with the less
confusing GRUB_TIMEOUT_STYLE=hidden.
- debian/rules: shuffle files around for now to keep build artefacts
for signing at the same location as they were expected by Launchpad.
- debian/rules, debian/control: enable dh-systemd.
- debian/grub-common.install.in: install the systemd unit that's part of
initrd fallback handling, missed when the feature landed.
- debian/build-efi-images: add http module to NET_MODULES.
* debian/patches/linuxefi*.patch: Flatten linuxefi patches into one.
* debian/patches: rename patches to use "-" as a separator rather than "_".
* debian/patches: rename Ubuntu-specific patches and commits to add "ubuntu"
so it's clearer which are new or changed when doing a merge.
* debian/patches/ubuntu-fix-lzma-decompressor-objcopy.patch: fix FTBFS due
to objcopy building an invalid binary padded with zeroes (LP: #1833234)
* debian/patches/ubuntu-clear-invalid-initrd-spacing.patch: clear up invalid
spacing for the initrd command when not using early initrds.
* debian/patches/ubuntu-add-initrd-less-boot-fallback.patch: move the initrd
boot success/failure service to start later at boot time. (LP: #1823391)
* debian/patches/fix-lockdown.patch: Drop lockdown patch from Debian, which
breaks with new linuxefi patchset.
* debian/patches/ubuntu-temp-keep-auto-nvram.patch: Temporarily keep the
--auto-nvram option we previously had as a supported option in grub-install
(with no effect now), to avoid breaking upgrades. "auto-nvram" is default
behavior now that we use libefivar instead of calling efibootmgr.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 16 Jul 2019 11:31:29 -0400
grub2 (2.04-1) unstable; urgency=medium
* New upstream release.
* debian/upstream/signing-key.asc: Add signing key of new upstream
maintainer (Daniel Kiper).
-- Colin Watson <cjwatson@debian.org> Tue, 09 Jul 2019 11:48:01 +0100
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog grub-common`.