Format: 1.8
Date: Wed, 01 Apr 2026 21:03:46 +0100
Source: grub2
Binary: grub-common grub-common-dbgsym grub-mount-udeb
Architecture: mips64el
Version: 2.06-13+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: mipsel Build Daemon (mipsel-osuosl-05)
Changed-By: Steve McIntyre <93sam@debian.org>
Description:
 grub-common - GRand Unified Bootloader (common files)
 grub-mount-udeb - export GRUB filesystems using FUSE (udeb)
Changes:
 grub2 (2.06-13+deb12u2) bookworm; urgency=medium
 .
   [ Julian Andres Klode ]
   * Set Protected: yes for -signed packages so they cannot easily be removed
   * debian/patches: Backport to bookworm
 .
   [ Felix Zielcke ]
   * Add salsa-ci.yml and disable blhc and reprotest pipelines.
 .
   [ Luca Boccassi ]
   * salsa-ci: configure for stable builds
 .
   [ Mate Kukri ]
   * Cherry-pick remaining XFS delta from 2.12
   * Cherry-pick upstream vulnerability fixes
   * Cherry-pick extfs regression patch
   * Cherry-pick xfs regression patches
   * Bump SBAT level to grub,5
   * fs/fat: Don't error when mtime is 0 (LP: #2098641)
   * SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0
     markers in JPEG
     - CVE-2024-45774
   * SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
     - CVE-2024-45775
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
     or read
     - CVE-2024-45776
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
     - CVE-2024-45777
   * SECURITY UPDATE: fs/bfs: Integer overflow
     - CVE-2024-45778
   * SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
     - CVE-2024-45779
   * SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
     - CVE-2024-45780
   * SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
     - CVE-2024-45781
   * SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB
     write
     - CVE-2024-45782
   * SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
     - CVE-2024-45783
   * SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being
     removed on module unload
     - CVE-2025-0622
   * SECURITY UPDATE: net: Out-of-bounds write in
     grub_net_search_config_file()
     - CVE-2025-0624
   * SECURITY UPDATE: UFS: Integer overflow may lead to heap based
     out-of-bounds write when handling symlinks
     - CVE-2025-0677
   * SECURITY UPDATE: squash4: Integer overflow may lead to heap based
     out-of-bounds write when reading data
     - CVE-2025-0678
   * SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks
     may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0684
   * SECURITY UPDATE: jfs: Integer overflow when handling symlinks may
     lead to heap based out-of-bounds write when reading data
     - CVE-2025-0685
   * SECURITY UPDATE: romfs: Integer overflow when handling symlinks may
     lead to heap based out-of-bounds write when reading data
     - CVE-2025-0686
   * SECURITY UPDATE: udf: Heap based buffer overflow in
     grub_udf_read_block() may lead to arbitrary code execution
     - CVE-2025-0689
   * SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
     - CVE-2025-0690
   * SECURITY UPDATE: commands/dump: The dump command is not in lockdown
     when secure boot is enabled
     - CVE-2025-1118
   * SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based
     out-of-bounds write
     - CVE-2025-1125
   * SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF
     [LP: #2055835]
 .
   [ Steve McIntyre ]
   * Drop NTFS patches that seem to be causing regressions
   * Remove NTFS from the monolithic EFI grub image, so we don't sign
     vulnerable code.
   * Similarly, remove jfs - we have doubts.
   * Bump SBAT levels:
     + grub,5 now we have the 2025 CVE fixes included
     + grub.debian,5
     + grub.debian12,1