-
grub2 (2.04-1ubuntu45) hirsute; urgency=medium
* Unapply all patches.
* Stop using git-dpm.
* Start using gbp pq import|export --no-patch-numbers, this brings grub2
packaging closer to other non-debian distributions.
* It would be nice to separate patches into topic subdirs -
i.e. reverts, upstream cherry picks, debian, ubuntu, rhel, security,
etc.
* Drop redundant dh-systemd build-dependency.
-- Dimitri John Ledkov <email address hidden> Tue, 30 Mar 2021 11:55:05 +0100
-
grub2 (2.04-1ubuntu44) hirsute; urgency=medium
* Compile grub-efi-amd64 installable i386 platform on hirsute, to make
it available in bionic and earlier as part of onegrub builds.
-- Dimitri John Ledkov <email address hidden> Wed, 03 Mar 2021 11:42:28 +0000
-
grub2 (2.04-1ubuntu43) hirsute; urgency=medium
* Build without grub-efi-amd64:i386 as that triggers publication issues
across series.
grub2 (2.04-1ubuntu42) hirsute; urgency=medium
* SECURITY UPDATE: acpi command allows privilleged user to load crafted
ACPI tables when secure boot is enabled.
- 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
register the acpi command when secure boot is enabled.
- CVE-2020-14372
* SECURITY UPDATE: use-after-free in rmmod command
- 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
allow rmmod to unload modules that are dependencies of other modules.
- CVE-2020-25632
* SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
- 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- CVE-2020-25647
* SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
- 0206-kern-parser-Introduce-process_char-helper.patch,
0207-kern-parser-Introduce-terminate_arg-helper.patch,
0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
sized heap buffer type and use this.
- CVE-2020-27749
* SECURITY UPDATE: cutmem command allows privileged user to remove memory
regions when Secure Boot is enabled.
- 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
Don't register cutmem and badram commands when secure boot is enabled.
- CVE-2020-27779
* SECURITY UPDATE: heap out-of-bounds write in short form option parser.
- 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
Block repeated short options that require an argument.
- CVE-2021-20225
* SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
required for quoting.
- 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
quoting in setparams_prefix()
- CVE-2021-20233
* Partially backport the lockdown framework to restrict certain features
when secure boot is enabled.
* Backport various fixes for Coverity defects.
* Add SBAT metadata to the grub EFI binary.
- Backport patches to support adding SBAT metadata with grub-mkimage:
+ 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
+ 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
+ 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
+ 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
+ 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
+ 0217-util-mkimage-Improve-data_size-value-calculation.patch
+ 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
+ 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
- Add debian/sbat.csv.in
- Update debian/build-efi-image and debian/rules
[ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
* Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
src:grub2-unsigned (potentially of a higher version number).
* Add debian/rules generate-grub2-unsigned target to quickly build
src:grub2-unsigned for binary-copy backports.
* postinst: allow postinst to with with or without grub-multi-install
binary.
* postinst: allow using various grub-install options to achieve
--no-extra-removable.
* postinst: only call grub-check-signatures if it exists.
* control: relax dependency on grub2-common, as maintainer script got
fixed up to work with grub2-common/grub-common as far back as trusty.
* control: allow higher version depdencies from grub-efi package.
* dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
postinst script uses that directory, and yet relies on grub-common to
create/ship it, which is not true in older releases. Also make sure
dh_installdirs runs after the .dirs files are generated.
grub2 (2.04-1ubuntu41) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
-- Dimitri John Ledkov <email address hidden> Wed, 03 Mar 2021 11:42:28 +0000
-
grub2 (2.04-1ubuntu42) hirsute; urgency=medium
* SECURITY UPDATE: acpi command allows privilleged user to load crafted
ACPI tables when secure boot is enabled.
- 0126-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch: Don't
register the acpi command when secure boot is enabled.
- CVE-2020-14372
* SECURITY UPDATE: use-after-free in rmmod command
- 0128-dl-Only-allow-unloading-modules-that-are-not-depende.patch: Don't
allow rmmod to unload modules that are dependencies of other modules.
- CVE-2020-25632
* SECURITY UPDATE: out-of-bound write in grub_usb_device_initialize()
- 0129-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- CVE-2020-25647
* SECURITY UPDATE: Stack buffer overflow in grub_parser_split_cmdline
- 0206-kern-parser-Introduce-process_char-helper.patch,
0207-kern-parser-Introduce-terminate_arg-helper.patch,
0208-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch,
0209-kern-buffer-Add-variable-sized-heap-buffer.patch,
0210-kern-parser-Fix-a-stack-buffer-overflow.patch: Add a variable
sized heap buffer type and use this.
- CVE-2020-27749
* SECURITY UPDATE: cutmem command allows privileged user to remove memory
regions when Secure Boot is enabled.
- 0127-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch:
Don't register cutmem and badram commands when secure boot is enabled.
- CVE-2020-27779
* SECURITY UPDATE: heap out-of-bounds write in short form option parser.
- 0173-lib-arg-Block-repeated-short-options-that-require-an.patch:
Block repeated short options that require an argument.
- CVE-2021-20225
* SECURITY UPDATE: heap out-of-bound write due to mis-calculation of space
required for quoting.
- 0175-commands-menuentry-Fix-quoting-in-setparams_prefix.patch: Fix
quoting in setparams_prefix()
- CVE-2021-20233
* Partially backport the lockdown framework to restrict certain features
when secure boot is enabled.
* Backport various fixes for Coverity defects.
* Add SBAT metadata to the grub EFI binary.
- Backport patches to support adding SBAT metadata with grub-mkimage:
+ 0212-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
+ 0213-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
+ 0214-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
+ 0215-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
+ 0216-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
+ 0217-util-mkimage-Improve-data_size-value-calculation.patch
+ 0218-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
+ 0219-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
- Add debian/sbat.csv.in
- Update debian/build-efi-image and debian/rules
[ Dimitri John Ledkov & Steve Langasek LP: #1915536 ]
* Allow grub-efi-amd64|arm64 & -bin & -dbg be built by
src:grub2-unsigned (potentially of a higher version number).
* Add debian/rules generate-grub2-unsigned target to quickly build
src:grub2-unsigned for binary-copy backports.
* postinst: allow postinst to with with or without grub-multi-install
binary.
* postinst: allow using various grub-install options to achieve
--no-extra-removable.
* postinst: only call grub-check-signatures if it exists.
* control: relax dependency on grub2-common, as maintainer script got
fixed up to work with grub2-common/grub-common as far back as trusty.
* control: allow higher version depdencies from grub-efi package.
* dirs.in: create var/lib/grub/ucf in grub-efi-amd64 (and similar) as
postinst script uses that directory, and yet relies on grub-common to
create/ship it, which is not true in older releases. Also make sure
dh_installdirs runs after the .dirs files are generated.
-- Dimitri John Ledkov <email address hidden> Tue, 23 Feb 2021 16:23:39 +0000
-
grub2 (2.04-1ubuntu41) hirsute; urgency=medium
* No-change rebuild to drop the udeb package.
-- Matthias Klose <email address hidden> Mon, 22 Feb 2021 10:33:38 +0100
-
grub2 (2.04-1ubuntu40) hirsute; urgency=medium
* Revert: rhboot-f34-tcp-add-window-scaling-support.patch,
rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch: these break MAAS
LXD KVM pod deployments. LP: #1915288
grub2 (2.04-1ubuntu39) hirsute; urgency=medium
* Cherrypick a bunch of patches:
- fix crash in http LP: #1915288
- add bootp6 documentation
- add support for UEFI boot protocols
- use UEFI protocols for http & https networking
- make netboot search for by-mac/by-uuid/by-ip for grub.cfg
- update documentation for netboot search paths of grub.cfg
* Make prebuilt netboot image look for MAAS grub.cfg
* Fix grub-initrd-fallback.service thanks to JawnSmith LP: #1910815
grub2 (2.04-1ubuntu38) hirsute; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* Fix warnings during grub menu generation. Thanks wdoekes for the patch
(LP: #1898177)
- Fix warnings when bpool doesn't exist.
- Fix warnings when snapshot name contains dashes.
* Do not fail to generate grub menu when name of the snapshot contains
spaces. (LP: #1903524)
-- Dimitri John Ledkov <email address hidden> Fri, 12 Feb 2021 20:29:16 +0000
-
grub2 (2.04-1ubuntu39) hirsute; urgency=medium
* Cherrypick a bunch of patches:
- fix crash in http
- add bootp6 documentation
- add support for UEFI boot protocols
- use UEFI protocols for http & https networking
- make netboot search for by-mac/by-uuid/by-ip for grub.cfg
- update documentation for netboot search paths of grub.cfg
* Make prebuilt netboot image look for MAAS grub.cfg
* Fix grub-initrd-fallback.service thanks to JawnSmith LP: #1910815
-- Dimitri John Ledkov <email address hidden> Fri, 12 Feb 2021 00:42:07 +0000
-
grub2 (2.04-1ubuntu38) hirsute; urgency=medium
[ Jean-Baptiste Lallement ]
[ Didier Roche ]
* Fix warnings during grub menu generation. Thanks wdoekes for the patch
(LP: #1898177)
- Fix warnings when bpool doesn't exist.
- Fix warnings when snapshot name contains dashes.
* Do not fail to generate grub menu when name of the snapshot contains
spaces. (LP: #1903524)
-- Jean-Baptiste Lallement <email address hidden> Mon, 08 Feb 2021 10:50:21 +0100
-
grub2 (2.04-1ubuntu37) hirsute; urgency=medium
* debian/patches/grub-install-backup-and-restore.patch: Fix-up the patch
to correctly initialyze the names of the modules to restore. LP:
#1907085
* 10_linux: emit messages when initrdless boot is configured, attempted
and fails triggering fallback. LP: #1901553
* grub-common.service: port init.d script to systemd unit. Add warning
message, when initrdless boot fails triggering fallback. LP: #1901553
* debian/rules: undo po/ directory patching in
override_dh_autoreconf_clean.
* minilzo: built using the distribution's minilzo
* ubuntu-fix-reproducible-squashfs-test.patch: fix squashfs-test with
new squashfs-tools in hirsute.
* rhboot-f34-make-exit-take-a-return-code.patch,
rhboot-f34-dont-use-int-for-efi-status.patch: allow grub to exit
non-zero under EFI, this should allow falling back to the next
BootOrder BootEntry.
* rhboot-f34-tcp-add-window-scaling-support.patch: speed up netboot
transfer speed.
* rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet.patch,
ubuntu-fixup-rhboot-f34-support-non-ethernet-2.patch:
add support for link layer addresses of up to 32-bytes.
* rhboot-f34-make-pmtimer-tsc-calibration-fast.patch:
speed up calibration time, especially when booting VMs.
-- Dimitri John Ledkov <email address hidden> Sat, 12 Dec 2020 00:50:47 +0000
-
grub2 (2.04-1ubuntu36) hirsute; urgency=medium
* Avoid "EFI stub: FIRMWARE BUG" message when booting >= 5.7 kernels
on arm64 by setting the image base address before jumping to the
PE/COFF entry point LP: #1900774
* Fix tftp timeouts when fetch large files. LP: #1900773
-- dann frazier <email address hidden> Wed, 11 Nov 2020 07:17:49 -0700
-
grub2 (2.04-1ubuntu35) groovy; urgency=medium
* postinst.in, grub-multi-install: fix logic of skipping installing onto
any device, if one chose to not install bootloader on any device. LP:
#1896608
* Do not finalize params twice on arm64. LP: #1897819
-- Dimitri John Ledkov <email address hidden> Thu, 01 Oct 2020 22:59:51 +0800