Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

Hey folks,

This is the current upstream version of grub2 (2.06), built for
bullseye as an upgrade path from 2.04-20. I know we normally don't
want to do this kind of thing, but I believe this is genuinely the
best way to keep on top of grub2 security issues.

Grub2 has had several sets of major security updates in the last couple
of years, particularly relevant in Secure Boot terms (BootHole et
al). Back before the bullseye release, Colin spent a *lot* of time
rebasing security fixes from GRUB 2.04 onto the 2.02 that we were
using in buster, and I know he was very worried about breaking some of
them and maybe introducing new holes. AFAICS it worked ok that time,
but...

We're now on to upstream 2.06 in unstable and bookworm, and that's
been the target for upstream hardening and patch work that's been
needed for the latest round of CVEs. There's also been a lot of code
scanning and static analysis done to find more issues before they
become CVE-worthy, and that's great!

There are some backported fixes to go into 2.04 and I've seen people
talking about 2.02 as well. *However*, I'm very worried that we don't
have the time and skills available to verify all the fixes against
three different upstream releases :-(.

The debdiff for the changes is way too large to include here. They're
obviously not minimal. If you really want to see it, look at [1].

I've tested locally on various machines using both UEFI and BIOS boot,
and all looks good here. The existing 2.06-3 package in bookworm that
I based on seems stable enough. The only real change I've made to that
(beyond usual backport noise) is to revert the change that disables
os-prober by default. I don't think that change is suitable for a
stable update.

[1] https://jack.einval.com/tmp/grub2_2.06-3~deb11u1.debdiff.gz


-- System Information:
Debian Release: 10.12
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-debug'), (500, 'oldoldstable'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-0.bpo.15-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC, TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled