-
grub2 (2.02-2ubuntu8.26) bionic; urgency=medium
* Have grub-common depend on efibootmgr on amd64, arm64, i386 (LP: #1936857)
* grub-check-signatures: Support gzip compressed kernels (LP: #1954683)
-- Julian Andres Klode <email address hidden> Wed, 01 Feb 2023 18:49:01 +0100
-
grub2 (2.02-2ubuntu8.25) bionic; urgency=medium
[ Colin Watson ]
* Move kernel maintainer script snippets into grub2-common (thanks,
Bastian Blank; closes: #910959) (LP: #1995751)
-- Julian Andres Klode <email address hidden> Tue, 15 Nov 2022 12:13:43 +0100
-
grub2 (2.02-2ubuntu8.23) bionic; urgency=medium
[ Dimitri John Ledkov & Steve Langasek ]
* Relax dependencies to allow grub-efi to be installed with later versions
of grub-efi-amd64. Stop building grub-efi-amd64|arm64{-bin,dbg}
packages, now provided by src:grub2-unsigned. LP: #1915536
[ Dimitri John Ledkov ]
* Cherrypick 2.02+dfsg1-5 patch for x86-64: Treat R_X86_64_PLT32 as
R_X86_64_PC32 to allow processing 2.04 grub modules built with newer
binutils.
-- Dimitri John Ledkov <email address hidden> Wed, 24 Feb 2021 19:47:47 +0000
-
grub2 (2.02-2ubuntu8.21) bionic; urgency=medium
* d/build-efi-images:
- Add xfs module to signed UEFI images
(Closes: #911147) (LP: #1652822)
-- Eric Desrochers <email address hidden> Thu, 07 Jan 2021 08:45:31 -0500
-
grub2 (2.02-2ubuntu8.20) bionic; urgency=medium
* Avoid "EFI stub: FIRMWARE BUG" message when booting >= 5.7 kernels
on arm64 by setting the image base address before jumping to the
PE/COFF entry point LP: #1900774
* Fix tftp timeouts when fetching large files. LP: #1900773
-- dann frazier <email address hidden> Fri, 13 Nov 2020 17:40:19 -0700
-
grub2 (2.02-2ubuntu8.19) bionic; urgency=medium
* grub-install: cherry-pick patch from grub-devel to make grub-install
fault tolerant. Create backup of files in /boot/grub, and restore them
on failure to complete grub-install. LP: #1891680
Also cherry-pick patch to make atexit work correctly.
* postinst.in: do not exit successfully when failing to show critical
grub-pc/install_devices_failed and grub-pc/install_devices_empty
prompts in non-interactive mode. This enables surfacing upgrade errors
to the users and/or automation. LP: #1891680 LP: #1896608
* postinst.in: do not attempt to call grub-install upon fresh install of
grub-pc because it is a job of installers to do that after fresh
install. Fixup for the issue unmasked by above. LP: #1891680
* postinst.in: Fixup postinst.in, to attempt grub-install upon explicit
dpkg-reconfigure grub-pc. LP: #1892526
-- Dimitri John Ledkov <email address hidden> Thu, 22 Oct 2020 15:01:52 +0100
-
grub2 (2.02-2ubuntu8.18) bionic; urgency=medium
* debian/patches/ubuntu-flavour-order.patch:
- Add a (hidden) GRUB_FLAVOUR_ORDER setting that can mark certain kernel
flavours as preferred, and specify an order between those preferred
flavours (LP: #1882663)
* debian/patches/ubuntu-recovery-dis_ucode_ldr.patch:
- Pass dis_ucode_ldr to kernel for recovery mode (LP: #1831789)
-- Julian Andres Klode <email address hidden> Mon, 24 Aug 2020 10:45:45 +0200
-
grub2 (2.02-2ubuntu8.17) bionic; urgency=medium
* debian/postinst.in: Avoid calling grub-install on upgrade of the grub-pc
package, since we cannot be certain that it will install to the correct
disk and a grub-install failure will render the system unbootable.
LP: #1889556.
-- Steve Langasek <email address hidden> Thu, 30 Jul 2020 18:49:49 -0700
-
grub2 (2.02-2ubuntu8.16) bionic; urgency=medium
[ Chris Coulson ]
* SECURITY UPDATE: Heap buffer overflow when encountering commands that
cannot be tokenized to less than 8192 characters.
- 0082-yylex-Make-lexer-fatal-errors-actually-be-fatal.patch: Make
fatal lexer errors actually be fatal
- CVE-2020-10713
* SECURITY UPDATE: Multiple integer overflow bugs that could result in
heap buffer allocations that were too small and subsequent heap buffer
overflows when handling certain filesystems, font files or PNG images.
- 0083-safemath-Add-some-arithmetic-primitives-that-check-f.patch: Add
arithmetic primitives that allow for overflows to be detected
- 0084-calloc-Make-sure-we-always-have-an-overflow-checking.patch:
Make sure that there is always an overflow checking implementation
of calloc() available
- 0085-calloc-Use-calloc-at-most-places.patch: Use calloc where
appropriate
- 0086-malloc-Use-overflow-checking-primitives-where-we-do-.patch: Use
overflow-safe arithmetic primitives when performing allocations
based on the results of operations that might overflow
- 0094-hfsplus-fix-two-more-overflows.patch: Fix integer overflows in
hfsplus
- 0095-lvm-fix-two-more-potential-data-dependent-alloc-over.patch: Fix
more potential integer overflows in lvm
- CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311
* SECURITY UPDATE: Use-after-free when executing a command that causes
a currently executing function to be redefined.
- 0092-script-Remove-unused-fields-from-grub_script_functio.patch:
Remove unused fields from grub_script_function
- 0093-script-Avoid-a-use-after-free-when-redefining-a-func.patch:
Avoid a use-after-free when redefining a function during execution
- CVE-2020-15706
* SECURITY UPDATE: Integer overflows that could result in heap buffer
allocations that were too small and subsequent heap buffer overflows
during initrd loading.
- 0105-linux-Fix-integer-overflows-in-initrd-size-handling.patch: Fix
integer overflows in initrd size handling
- 0106-efilinux-Fix-integer-overflows-in-grub_cmd_initrd.patch: Fix
integer overflows in linuxefi grub_cmd_initrd
- CVE-2020-15707
* Various fixes as a result of code review and static analysis:
- 0087-iso9660-Don-t-leak-memory-on-realloc-failures.patch: Fix a
memory leak on realloc failures when processing symbolic links
- 0088-font-Do-not-load-more-than-one-NAME-section.patch: Fix a
memory leak when processing font files with more than one NAME
section
- 0089-gfxmenu-Fix-double-free-in-load_image.patch: Zero self->bitmap
after it is freed in order to avoid a potential double free later on
- 0090-lzma-Make-sure-we-don-t-dereference-past-array.patch: Fix an
out-of-bounds read in LzmaEncode
- 0091-tftp-Do-not-use-priority-queue.patch: Refactor tftp to not use
priority queues and fix a double free
- 0096-efi-fix-some-malformed-device-path-arithmetic-errors.patch: Fix
various arithmetic errors with malformed device paths
- 0098-Fix-a-regression-caused-by-efi-fix-some-malformed-de.patch: Fix
a NULL deref in the chainloader command introduced by a previous
patch
- 0100-chainloader-Avoid-a-double-free-when-validation-fail.patch:
Avoid a double free in the chainloader command when validation fails
- 0101-relocator-Protect-grub_relocator_alloc_chunk_addr-in.patch:
Protect grub_relocator_alloc_chunk_addr input arguments against
integer overflow / underflow
- 0102-relocator-Protect-grub_relocator_alloc_chunk_align-m.patch:
Protect grub_relocator_alloc_chunk_align max_addr argument against
integer underflow
- 0103-relocator-Fix-grub_relocator_alloc_chunk_align-top-m.patch: Fix
grub_relocator_alloc_chunk_align top memory allocation
- 0104-linux-loader-avoid-overflow-on-initrd-size-calculati.patch:
Avoid overflow on initrd size calculation
[ Dimitri John Ledkov ]
* SECURITY UPDATE: Grub does not enforce kernel signature validation
when the shim protocol isn't present.
- 0097-linuxefi-fail-kernel-validation-without-shim-protoco.patch:
Fail kernel validation if the shim protocol isn't available
- CVE-2020-15705
-- Chris Coulson <email address hidden> Mon, 20 Jul 2020 19:50:54 +0100
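The integer-overflow class fixed in the 2.02-2ubuntu8.16 security entries (a size calculation wraps, the heap buffer is allocated too small, a later copy overruns it), shown as an added C example; it is not code from the GRUB patches or from this changelog. The `ex_`-prefixed names and the sample sizes are hypothetical, and the GCC/Clang `__builtin_*_overflow` builtins are assumed to be available.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers for this example: thin wrappers over the GCC/Clang
   overflow builtins. Each returns true when the exact result does not fit. */
static bool ex_add(size_t a, size_t b, size_t *res) { return __builtin_add_overflow(a, b, res); }
static bool ex_mul(size_t a, size_t b, size_t *res) { return __builtin_mul_overflow(a, b, res); }

/* Unchecked pattern: the product wraps modulo 2^N, so a huge element count
   can yield a tiny byte count that a later copy then overruns. */
size_t unchecked_array_bytes(size_t nmemb, size_t size)
{
  return nmemb * size;
}

/* Overflow-checking calloc: refuse the request instead of under-allocating. */
void *ex_calloc(size_t nmemb, size_t size)
{
  size_t total;
  void *p;

  if (ex_mul(nmemb, size, &total))
    return NULL;
  p = malloc(total ? total : 1);
  if (p)
    memset(p, 0, total);
  return p;
}

/* Total buffer size for n files, each padded to a 4-byte boundary (constructed
   scenario modelled on concatenating several initrd files into one buffer).
   Returns false, leaving *total untouched, if any step would overflow. */
bool ex_total_size(const size_t *sizes, size_t n, size_t *total)
{
  size_t sum = 0, padded;

  for (size_t i = 0; i < n; i++) {
    if (ex_add(sizes[i], 3, &padded))
      return false;
    padded &= ~(size_t)3;
    if (ex_add(sum, padded, &sum))
      return false;
  }
  *total = sum;
  return true;
}

int main(void)
{
  size_t sizes[] = { 5, 8, SIZE_MAX - 8 }; /* constructed sample sizes */
  size_t total = 0;

  printf("unchecked bytes: %zu\n", unchecked_array_bytes(SIZE_MAX / 2 + 1, 2));
  printf("checked calloc: %s\n", ex_calloc(SIZE_MAX / 2 + 1, 2) ? "allocated" : "refused");
  printf("total size: %s\n", ex_total_size(sizes, 3, &total) ? "ok" : "overflow");
  return 0;
}
```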
-
grub2 (2.02-2ubuntu8.15) bionic; urgency=medium
* Make the linux command in EFI grub always try EFI handover; thanks
to Chris Coulson for the patches (LP: #1864533)
-- Julian Andres Klode <email address hidden> Wed, 11 Mar 2020 21:57:49 +0100
-
grub2 (2.02-2ubuntu8.14) bionic; urgency=medium
* Fix kexec on ACPI/UEFI ARM systems w/ crashkernel reserved memory
beyond the 4GiB boundary. (LP: #1851190)
* Apply patch from Peter Jones to forbid the "devicetree" command when
Secure Boot is enabled. (LP: #1851897)
-- dann frazier <email address hidden> Sun, 10 Nov 2019 22:52:35 -0700
-
grub2 (2.02-2ubuntu8.13) bionic; urgency=medium
* debian/build-efi-images: add HTTP to generated UEFI images. (LP: #1787630)
* debian/config.in, debian/grub-common.dirs, debian/postinst.in,
debian/postrm.in: cherry-pick Colin's changes to ucf handling from
2.02+dfsg1-11 to avoid unnecessarily prompting about grub.cfg changes.
(LP: #564853)
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 18 Mar 2019 12:11:57 -0400
-
grub2 (2.02-2ubuntu8.12) bionic; urgency=medium
* debian/grub-check-signatures: make sure grub-check-signatures conserves
its execute bit.
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 07 Feb 2019 18:20:04 -0500
-
grub2 (2.02-2ubuntu8.11) bionic; urgency=medium
[ Mathieu Trudel-Lapierre ]
* debian/grub-check-signatures: properly account for DB showing as empty on
some broken firmwares: Guard against mokutil --export --db failing, and do
a better job at finding the DER certs for conversion to PEM format.
(LP: #1814575)
* debian/patches/linuxefi_disable_sb_fallback.patch: Disallow unsigned
kernels if UEFI Secure Boot is enabled. If UEFI Secure Boot is enabled
and kernel signature verification fails, do not boot the kernel. Patch
from Linn Crosetto. (LP: #1401532)
[ Steve Langasek ]
* debian/patches/quick-boot-lvm.patch: checking the return value of
'lsefi' when the command doesn't exist does not do what's expected, so
instead check the value of $grub_platform which is simpler anyway.
LP: #1814403.
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 05 Feb 2019 12:26:27 -0500
-
grub2 (2.02-2ubuntu8.10) bionic; urgency=medium
[ Mathieu Trudel-Lapierre ]
* debian/grub-check-signatures: check kernel signatures against keys known
in firmware, in case a kernel is signed but not using a key that will pass
validation, such as when using kernels coming from a PPA. (LP: #1789918)
* debian/patches/mkconfig_leave_breadcrumbs.patch: make sure grub-mkconfig
leaves a trace of what files were sourced to help generate the config
we're building. (LP: #1812863)
[ Steve Langasek ]
* debian/patches/quick-boot-lvm.patch: If we don't have writable
grubenv and we're on EFI, always show the menu. Closes LP: #1800722.
-- Mathieu Trudel-Lapierre <email address hidden> Wed, 09 Jan 2019 14:04:09 -0500
-
grub2 (2.02-2ubuntu8.9) bionic; urgency=medium
[ Mathieu Trudel-Lapierre ]
* debian/default/grub.md5sum: add entry for 2.02-2ubuntu8.7; to force an
update of /etc/default/grub back to the correct timeout value of 0 if the
file has otherwise not been edited by the user. (LP: #1784363)
[ Steve Langasek ]
* debian/grub-check-signatures: Handle the case where we have unsigned
vmlinuz and signed vmlinuz.efi.signed. (LP: #1788727)
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 08 Nov 2018 10:53:28 -0500
-
grub2 (2.02-2ubuntu8.8) bionic; urgency=medium
* debian/rules: set DEFAULT_TIMEOUT=0 for flicker-free boot scenarios (all
arches but ppc64el) to avoid 10 second delays at boot not showing a menu.
(LP: #1784363)
-- Mathieu Trudel-Lapierre <email address hidden> Fri, 12 Oct 2018 15:29:35 -0400
-
grub2 (2.02-2ubuntu8.7) bionic; urgency=medium
* debian/patches/0001-i386-linux-Add-support-for-ext_lfb_base.patch:
Add support for ext_lfb_base. (LP: #1785033)
-- Ivan Hu <email address hidden> Thu, 11 Oct 2018 08:39:26 -0400
-
grub2 (2.02-2ubuntu8.6) bionic; urgency=medium
* debian/patches/linuxefi_fix_relocate_coff.patch: fix typo in
relocate_coff() causing issues with relocation of code in chainload.
(LP: #1792575)
* debian/patches/linuxefi_truncate_overlong_reloc_section.patch: The Windows
7 bootloader has inconsistent headers; truncate to the smaller, correct
size to fix chainloading Windows 7. (LP: #1792575)
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 27 Sep 2018 17:00:43 +0200
-
grub2 (2.02-2ubuntu8.5) bionic; urgency=medium
* debian/patches/grub-reboot-warn.patch: Warn when "for the next
boot only" promise cannot be kept. (LP: #788298)
-- dann frazier <email address hidden> Tue, 18 Sep 2018 14:42:23 -0600
-
grub2 (2.02-2ubuntu8.4) bionic; urgency=medium
* debian/patches/ofnet-init-structs-in-bootpath-parser.patch: initialize
structs in bootpath parser. Fixes netboot issues on ppc64el. (LP: #1785859)
-- Julian Andres Klode <email address hidden> Thu, 23 Aug 2018 21:29:46 +0200
-
grub2 (2.02-2ubuntu8.3) bionic; urgency=medium
* Verify that the current and newer kernels are signed when grub is updated, to
make sure people do not accidentally shut down without a signed kernel.
(LP: #1786491)
-- Julian Andres Klode <email address hidden> Fri, 13 Jul 2018 15:21:48 +0200
-
grub2 (2.02-2ubuntu8.2) bionic; urgency=medium
* debian/rules: replace GRUB_HIDDEN_* variables with the more concise and
less confusing GRUB_TIMEOUT_STYLE=hidden. (LP: #1258597)
* debian/control: update Vcs links.
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 17 Jul 2018 14:13:52 -0400
-
grub2 (2.02-2ubuntu8.1) bionic; urgency=medium
* debian/patches/add-an-auto-nvram-option-to-grub-install.patch: Add the
--auto-nvram option to grub-install for auto-detecting NVRAM availability
before attempting NVRAM updates. (LP: #1778848)
-- Łukasz 'sil2100' Zemczak <email address hidden> Tue, 05 Jun 2018 00:34:38 +0200
-
grub2 (2.02-2ubuntu8) bionic; urgency=medium
* Drop debian/patches/mkconfig_keep_native_term_active.patch, which can
lead to flickering between graphical and text mode when traversing the
menu. (LP: #1752767)
* debian/patches/yylex-explicitly_cast_fprintf_to_void.patch: Fix FTBFS
with flex 2.6.4.
-- dann frazier <email address hidden> Sun, 04 Mar 2018 06:11:35 -0700
-
grub2 (2.02-2ubuntu7) bionic; urgency=medium
[ Julian Andres Klode ]
* debian/patches/shorter_version_info.patch: Only show the upstream version
in menu and console, and hide the package one in a package_version
variable. (LP: #1723434)
[ Mathieu Trudel-Lapierre ]
* debian/patches/skip_text_gfxpayload_where_not_supported.patch: Skip the
'text' payload if it's not supported but present in gfxpayload, such as
on EFI systems. (LP: #1711452)
-- Mathieu Trudel-Lapierre <email address hidden> Fri, 09 Feb 2018 16:30:45 -0500
-
grub2 (2.02-2ubuntu6) bionic; urgency=medium
[ Steve Langasek ]
* debian/patches/bufio_sensible_block_sizes.patch: Don't use arbitrary file
sizes as block sizes in bufio: this avoids potentially seeking back in
the files unnecessarily, which may require re-opening files that cannot be
seeked into, such as via TFTP. (LP: #1743249)
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 05 Feb 2018 11:58:09 -0500
-
grub2 (2.02-2ubuntu5) bionic; urgency=medium
* debian/patches/mkconfig_keep_native_term_active.patch: Keep the
default EFI console active while enabling gfxterm. (LP: #1743884)
-- dann frazier <email address hidden> Wed, 31 Jan 2018 10:51:11 -0700
-
grub2 (2.02-2ubuntu4) bionic; urgency=medium
* debian/patches/vt_handoff.patch: modify the existing patch to set
vt.handoff=1 instead of vt.handoff=7 as we now start display managers on
vt1 anyway. This also fixes issues with netboot installed server systems
not displaying the login prompt on boot. (LP: #1675453)
-- Łukasz 'sil2100' Zemczak <email address hidden> Thu, 18 Jan 2018 18:32:31 +0100
-
grub2 (2.02-2ubuntu3) bionic; urgency=medium
* util/grub-install.c: Drop extra handling for x.efi.signed files for mok
and fallback binaries: shim now installs them without the .signed
extension. (LP: #1708245)
* debian/control: Breaks shim (<< 13).
-- Mathieu Trudel-Lapierre <email address hidden> Wed, 17 Jan 2018 09:25:09 -0500
-
grub2 (2.02-2ubuntu2) bionic; urgency=medium
* Cherry-pick upstream patch to change the default TSC calibration method
to pmtimer on EFI systems (LP: #1734278)
* debian/control: Update Vcs fields for code location on Ubuntu.
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 05 Dec 2017 11:47:31 -0500
-
grub2 (2.02-2ubuntu1) bionic; urgency=medium
* Merge with Debian; remaining changes:
- debian/patches/support_initrd-less_boot.patch: Added knobs to allow
non-initrd boot config. (LP: #1640878)
- Disable os-prober for ppc64el on the PowerNV platform, to reduce the
number of entries/clutter from other OSes in Petitboot (LP: #1447500)
- debian/build-efi-images: provide a new grub EFI image which enforces that
loaded kernels are signed for Secure Boot: build gsb$arch.efi; which is
the same as grub$arch.efi minus the 'linux' module. Without fallback to
'linux' for unsigned loading, this makes it effectively enforce having a
signed kernel. (LP: #1401532)
- debian/patches/install_signed.patch, grub-install-extra-removable.patch:
- Make sure if we install shim; it should also be exported as the default
bootloader to install later to a removable path, if we do.
- Rework grub-install-extra-removable.patch to reverse its logic: in the
default case, install the bootloader to /EFI/BOOT, unless we're trying
to install on a removable device, or explicitly telling grub *not* to
do it.
- Move installing fb$arch.efi to --no-extra-removable; as we don't want
fallback to be installed unless we're also installing to /EFI/BOOT.
(LP: #1684341)
- Make sure postinst and templates know about the replacement of
--force-extra-removable with --no-extra-removable.
* Sync Secure Boot support patches with the upstream patch set from
rhboot/grub2:master-sb. Renamed some patches and updated descriptions for
the whole thing to make more sense, too:
- dropped debian/patches/linuxefi_require_shim.patch
- renamed: debian/patches/no_insmod_on_sb.patch ->
debian/patches/linuxefi_no_insmod_on_sb.patch
- debian/patches/linuxefi.patch
- debian/patches/linuxefi_debug.patch
- debian/patches/linuxefi_non_sb_fallback.patch
- debian/patches/linuxefi_add_sb_to_efi_chainload.patch
- debian/patches/linuxefi_cleanup_errors_in_loader.patch
- debian/patches/linuxefi_fix_efi_validation_race.patch
- debian/patches/linuxefi_handle_multiarch_boot.patch
- debian/patches/linuxefi_honor_sb_mode.patch
- debian/patches/linuxefi_move_fdt_helper.patch
- debian/patches/linuxefi_load_arm_with_sb.patch
- debian/patches/linuxefi_minor_cleanups.patch
- debian/patches/linuxefi_re-enable_linux_cmd.patch
- debian/patches/linuxefi_rework_linux16_cmd.patch
- debian/patches/linuxefi_rework_linux_cmd.patch
- debian/patches/linuxefi_rework_non-sb_efi_chainload.patch
- debian/patches/linuxefi_rework_pe_loading.patch
- debian/patches/linuxefi_use_dev_chainloader_target.patch
* debian/patches/dont-fail-efi-warnings.patch: handle linuxefi patches and
the casting they do on some architectures: we don't want to fail build
because of some of the warnings that can show up since we otherwise build
with -Werror.
grub2 (2.02-3) UNRELEASED; urgency=medium
* Use current location for upstream signing key
(debian/upstream/signing-key.asc).
* Update upstream signing key to a non-expired version.
[ Debconf translations ]
* [sq] Albanian (Silva Arapi; closes: #874497).
grub2 (2.02-2) unstable; urgency=medium
* Comment out debian/watch lines for betas and pre-releases for now.
* Cherry-pick upstream patch to allow mounting ext2/3/4 file systems that
have the 'encrypt' feature enabled (closes: #840204).
grub2 (2.02-1) unstable; urgency=medium
* New upstream release.
- xen: Fix wrong register in relocator (closes: #799480).
* Resolve symlinks for supported init paths as well as for /sbin/init
(thanks, Felipe Sateler; closes: #842315).
[ Debconf translations ]
* [sr] Serbian (Karolina Kalic; closes: #691288).
* [sr@latin] Serbian Latin (Karolina Kalic; closes: #691289).
* [pt] Portuguese (Rui Branco - DebianPT; closes: #864171).
grub2 (2.02~beta3-5) unstable; urgency=medium
[ Steve McIntyre ]
* Make grub-install check for errors from efibootmgr (closes: #853234).
There are probably still underlying issues in other similar reported
bugs, but they're more effectively tracked elsewhere (e.g. efibootmgr)
at this point (closes: #756253, #852513).
[ Debconf translations ]
* [ug] Uyghur (Abduqadir Abliz).
* [es] Spanish (Manuel "Venturi" Porras Peralta; closes: #852977).
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 06 Nov 2017 15:37:12 -0500
-
grub2 (2.02~beta3-4ubuntu7) artful; urgency=medium
* debian/patches/headers_for_device_macros.patch,
debian/patches/fix_check_for_sys_macros.patch: make sure the right
device macro header is included and that the deprecation warning
is dealt with. LP: #1722955.
-- Tiago Stürmer Daitx <email address hidden> Thu, 12 Oct 2017 09:41:17 -0400