On Tue, Nov 22, 2022 at 05:00:47PM +0800, Zhang Boyang wrote: >Package: grub2 >Tags: security > >Hi, > >Although there are patches in `debian/patches/cve_2022_2601/`, they are not >used by `debian/patches/series`. So the vulnerability is still not fixed in >buster even its SBAT==3.
Aw, crap. :-( Looks like I lost a change when switching between branches when testing locally. Thanks for reporting this! >Bullseye seems OK. However, it seems debian's SBAT numbers should be bumped, >so bullseye also needs an update. ACK, I'll work stuff out. -- Steve McIntyre, Cambridge, UK. [email protected] Google-bait: https://www.debian.org/CD/free-linux-cd Debian does NOT ship free CDs. Please do NOT contact the mailing lists asking us to send them to you.

