Your message dated Sat, 10 Sep 2022 13:40:55 +0100 with message-id <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk> and subject line Closing requests for updates included in 10.13 has caused the Debian Bug report #1016671, regarding buster-pu: package grub2/2.06-3~deb10u1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1016671: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016671
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package grub2/2.06-3~deb10u1
- From: Steve McIntyre <steve@einval.com>
- Date: Fri, 05 Aug 2022 00:44:53 +0100
- Message-id: <165965669337.30125.6613354736670247359.reportbug@tack.local>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hey folks,

This is the current upstream version of grub2 (2.06), built for buster as an upgrade path from 2.02+dfsg1-20+deb10u4. I know we normally don't want to do this kind of thing, but I believe this is genuinely the best way to keep on top of grub2 security issues.

Grub2 has had several sets of major security updates in the last couple of years, particularly relevant in Secure Boot terms (BootHole et al). Back before the bullseye release, Colin spent a *lot* of time rebasing security fixes from GRUB 2.04 onto the 2.02 that we were using in buster, and I know he was very worried about breaking some of them and maybe introducing new holes. AFAICS it worked ok that time, but...

We're now on to upstream 2.06 in unstable and bookworm, and that's been the target for upstream hardening and patch work that's been needed for the latest round of CVEs. There's also been a lot of code scanning and static analysis done to find more issues before they become CVE-worthy, and that's great! There are some backported fixes to go into 2.04 and I've seen people talking about 2.02 as well. *However*, I'm very worried that we don't have the time and skills available to verify all the fixes against three different upstream releases :-(.

The debdiff for the changes is way too large to include here. They're obviously not minimal. If you really want to see it, look at [1].

I've tested locally on various machines using both UEFI and BIOS boot, and all looks good here. The existing 2.06-3 package in bookworm that I based on seems stable enough. The only real change I've made to that (beyond usual backport noise) is to revert the change that disables os-prober by default. I don't think that change is suitable for a stable update.

[1] https://jack.einval.com/tmp/grub2_2.06-3~deb10u1.debdiff.gz

-- System Information:
Debian Release: 10.12
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldoldstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-0.bpo.15-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
- To: 941901-done@bugs.debian.org, 945578-done@bugs.debian.org, 960396-done@bugs.debian.org, 966028-done@bugs.debian.org, 983841-done@bugs.debian.org, 987538-done@bugs.debian.org, 987941-done@bugs.debian.org, 990372-done@bugs.debian.org, 990739-done@bugs.debian.org, 991120-done@bugs.debian.org, 998390-done@bugs.debian.org, 1003293-done@bugs.debian.org, 1006182-done@bugs.debian.org, 1008056-done@bugs.debian.org, 1008062-done@bugs.debian.org, 1008154-done@bugs.debian.org, 1008163-done@bugs.debian.org, 1008578-done@bugs.debian.org, 1009065-done@bugs.debian.org, 1009076-done@bugs.debian.org, 1009251-done@bugs.debian.org, 1009652-done@bugs.debian.org, 1010060-done@bugs.debian.org, 1010193-done@bugs.debian.org, 1010305-done@bugs.debian.org, 1010380-done@bugs.debian.org, 1010388-done@bugs.debian.org, 1010615-done@bugs.debian.org, 1010858-done@bugs.debian.org, 1011030-done@bugs.debian.org, 1011272-done@bugs.debian.org, 1011286-done@bugs.debian.org, 1011360-done@bugs.debian.org, 1011745-done@bugs.debian.org, 1011943-done@bugs.debian.org, 1012048-done@bugs.debian.org, 1012066-done@bugs.debian.org, 1013347-done@bugs.debian.org, 1014145-done@bugs.debian.org, 1014200-done@bugs.debian.org, 1014346-done@bugs.debian.org, 1014860-done@bugs.debian.org, 1014907-done@bugs.debian.org, 1014909-done@bugs.debian.org, 1014912-done@bugs.debian.org, 1015243-done@bugs.debian.org, 1016169-done@bugs.debian.org, 1016176-done@bugs.debian.org, 1016198-done@bugs.debian.org, 1016439-done@bugs.debian.org, 1016671-done@bugs.debian.org, 1016733-done@bugs.debian.org, 1017112-done@bugs.debian.org, 1017393-done@bugs.debian.org, 1017998-done@bugs.debian.org, 1018048-done@bugs.debian.org, 1018080-done@bugs.debian.org, 1018086-done@bugs.debian.org, 1018092-done@bugs.debian.org, 1018095-done@bugs.debian.org, 1018096-done@bugs.debian.org, 1018097-done@bugs.debian.org, 1018101-done@bugs.debian.org, 1018107-done@bugs.debian.org, 1018108-done@bugs.debian.org, 1018151-done@bugs.debian.org, 
1018152-done@bugs.debian.org, 1018178-done@bugs.debian.org, 1018179-done@bugs.debian.org, 1018182-done@bugs.debian.org, 1018184-done@bugs.debian.org, 1018185-done@bugs.debian.org, 1018199-done@bugs.debian.org, 1018241-done@bugs.debian.org, 1018244-done@bugs.debian.org, 1018246-done@bugs.debian.org, 1018250-done@bugs.debian.org
- Subject: Closing requests for updates included in 10.13
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 10 Sep 2022 13:40:55 +0100
- Message-id: <2cfc9645343bdb910fe19c07bddfec2c428346a3.camel@adam-barratt.org.uk>
Package: release.debian.org
Version: 10.13

Hi,

Each of the updates referenced in these bugs was included in today's 10.13 point release.

Regards,

Adam
--- End Message ---