Format: 1.8
Date: Wed, 01 Apr 2026 21:03:46 +0100
Source: grub2
Binary: grub-common grub-common-dbgsym grub-efi grub-efi-arm64 grub-efi-arm64-bin grub-efi-arm64-dbg grub-efi-arm64-signed-template grub-mount-udeb grub-theme-starfield grub2-common grub2-common-dbgsym
Architecture: arm64
Version: 2.06-13+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: arm64 Build Daemon (arm-ubc-04)
Changed-By: Steve McIntyre <93sam@debian.org>
Description:
 grub-common - GRand Unified Bootloader (common files)
 grub-efi   - GRand Unified Bootloader, version 2 (dummy package)
 grub-efi-arm64 - GRand Unified Bootloader, version 2 (ARM64 UEFI version)
 grub-efi-arm64-bin - GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
 grub-efi-arm64-dbg - GRand Unified Bootloader, version 2 (ARM64 UEFI debug files)
 grub-efi-arm64-signed-template - GRand Unified Bootloader, version 2 (ARM64 UEFI signing template)
 grub-mount-udeb - export GRUB filesystems using FUSE (udeb)
 grub-theme-starfield - GRand Unified Bootloader, version 2 (starfield theme)
 grub2-common - GRand Unified Bootloader (common files for version 2)
Changes:
 grub2 (2.06-13+deb12u2) bookworm; urgency=medium
 .
   [ Julian Andres Klode ]
   * Set Protected: yes for -signed packages so they cannot easily be removed
   * debian/patches: Backport to bookworm
 .
   [ Felix Zielcke ]
   * Add salsa-ci.yml and disable blhc and reprotest pipelines.
 .
   [ Luca Boccassi ]
   * salsa-ci: configure for stable builds
 .
   [ Mate Kukri ]
   * Cherry-pick remaining XFS delta from 2.12
   * Cherry-pick upstream vulnerability fixes
   * Cherry-pick extfs regression patch
   * Cherry-pick xfs regression patches
   * Bump SBAT level to grub,5
   * fs/fat: Don't error when mtime is 0 (LP: #2098641)
   * SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0
     markers in JPEG
     - CVE-2024-45774
   * SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
     - CVE-2024-45775
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or
     read
     - CVE-2024-45776
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
     - CVE-2024-45777
   * SECURITY UPDATE: fs/bfs: Integer overflow
     - CVE-2024-45778
   * SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
     - CVE-2024-45779
   * SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
     - CVE-2024-45780
   * SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
     - CVE-2024-45781
   * SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB
     write
     - CVE-2024-45782
   * SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
     - CVE-2024-45783
   * SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being
     removed on module unload
     - CVE-2025-0622
   * SECURITY UPDATE: net: Out-of-bounds write in
     grub_net_search_config_file()
     - CVE-2025-0624
   * SECURITY UPDATE: UFS: Integer overflow may lead to heap based
     out-of-bounds write when handling symlinks
     - CVE-2025-0677
   * SECURITY UPDATE: squash4: Integer overflow may lead to heap based
     out-of-bounds write when reading data
     - CVE-2025-0678
   * SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may
     lead to heap based out-of-bounds write when reading data
     - CVE-2025-0684
   * SECURITY UPDATE: jfs: Integer overflow when handling symlinks may lead
     to heap based out-of-bounds write when reading data
     - CVE-2025-0685
   * SECURITY UPDATE: romfs: Integer overflow when handling symlinks may
     lead to heap based out-of-bounds write when reading data
     - CVE-2025-0686
   * SECURITY UPDATE: udf: Heap based buffer overflow in
     grub_udf_read_block() may lead to arbitrary code execution
     - CVE-2025-0689
   * SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
     - CVE-2025-0690
   * SECURITY UPDATE: commands/dump: The dump command is not in lockdown
     when secure boot is enabled
     - CVE-2025-1118
   * SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based
     out-of-bounds write
     - CVE-2025-1125
   * SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF
     [LP: #2055835]
 .
   [ Steve McIntyre ]
   * Drop NTFS patches that seem to be causing regressions
   * Remove NTFS from the monolithic EFI grub image, so we don't sign
     vulnerable code.
   * Similarly, remove jfs - we have doubts.
   * Bump SBAT levels:
     + grub,5 now we have the 2025 CVE fixes included
     + grub.debian,5
     + grub.debian12,1