Bug#1016672: marked as done (bullseye-pu: package grub2/2.06-3~deb11u1)



Your message dated Sat, 10 Sep 2022 13:36:19 +0100
with message-id <92fe43e7805e82e43100a6471ccbf91cd9a12944.camel@adam-barratt.org.uk>
and subject line Closing requests for updates in 11.5
has caused the Debian Bug report #1016672,
regarding bullseye-pu: package grub2/2.06-3~deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1016672: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016672
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

Hey folks,

This is the current upstream version of grub2 (2.06), built for
bullseye as an upgrade path from 2.04-20. I know we normally don't
want to do this kind of thing, but I believe this is genuinely the
best way to keep on top of grub2 security issues.

Grub2 has had several sets of major security updates in the last couple
of years, particularly relevant in Secure Boot terms (BootHole et
al). Back before the bullseye release, Colin spent a *lot* of time
rebasing security fixes from GRUB 2.04 onto the 2.02 that we were
using in buster, and I know he was very worried about breaking some of
them and maybe introducing new holes. AFAICS it worked ok that time,
but...

We're now on to upstream 2.06 in unstable and bookworm, and that's
been the target for upstream hardening and patch work that's been
needed for the latest round of CVEs. There's also been a lot of code
scanning and static analysis done to find more issues before they
becomes CVE-worthy, and that's great!

There are some backported fixes to go into 2.04 and I've seen people
talking about 2.02 as well. *However*, I'm very worried that we don't
have the time and skills available to verify all the fixes against
three different upstream releases :-(.

The debdiff for the changes is way too large to include here. They're
obviously not minimal. If you really want to see it, look at [1].

I've tested locally on various machines using both UEFI and BIOS boot,
and all looks good here. The existing 2.06-3 package in bookworm that
I based on seems stable enough. The only real change I've made to that
(beyond usual backport noise) is to revert the change that disables
os-prober by default. I don't think that change is suitable for a
stable update.

[1] https://jack.einval.com/tmp/grub2_2.06-3~deb11u1.debdiff.gz


-- System Information:
Debian Release: 10.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldoldstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-0.bpo.15-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 11.5

Hi,

The updates referred to in each of these bugs were included in today's
11.5 point release.

Regards,

Adam

--- End Message ---