-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 01 Apr 2026 21:03:46 +0100
Source: grub2
Binary: grub-common grub-common-dbgsym grub-mount-udeb
Architecture: s390x
Version: 2.06-13+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: s390x Build Daemon (ziehrer) <buildd_s390x-ziehrer@buildd.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Description:
 grub-common - GRand Unified Bootloader (common files)
 grub-mount-udeb - export GRUB filesystems using FUSE (udeb)
Changes:
 grub2 (2.06-13+deb12u2) bookworm; urgency=medium
 .
   [ Julian Andres Klode ]
   * Set Protected: yes for -signed packages so they cannot easily be removed
   * debian/patches: Backport to bookworm
 .
   [ Felix Zielcke ]
   * Add salsa-ci.yml and disable blhc and reprotest pipelines.
 .
   [ Luca Boccassi ]
   * salsa-ci: configure for stable builds
 .
   [ Mate Kukri ]
   * Cherry-pick remaining XFS delta from 2.12
   * Cherry-pick upstream vulnerability fixes
   * Cherry-pick extfs regression patch
   * Cherry-pick xfs regression patches
   * Bump SBAT level to grub,5
   * fs/fat: Don't error when mtime is 0 (LP: #2098641)
   * SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG
     - CVE-2024-45774
   * SECURITY UPDATE: commands/extcmd: Missing check for failed allocation
     - CVE-2024-45775
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or read
     - CVE-2024-45776
   * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write
     - CVE-2024-45777
   * SECURITY UPDATE: fs/bfs: Integer overflow
     - CVE-2024-45778
   * SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read
     - CVE-2024-45779
   * SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write
     - CVE-2024-45780
   * SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write
     - CVE-2024-45781
   * SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB write
     - CVE-2024-45782
   * SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF
     - CVE-2024-45783
   * SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being removed on module unload
     - CVE-2025-0622
   * SECURITY UPDATE: net: Out-of-bounds write in grub_net_search_config_file()
     - CVE-2025-0624
   * SECURITY UPDATE: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks
     - CVE-2025-0677
   * SECURITY UPDATE: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0678
   * SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0684
   * SECURITY UPDATE: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0685
   * SECURITY UPDATE: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
     - CVE-2025-0686
   * SECURITY UPDATE: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution
     - CVE-2025-0689
   * SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write
     - CVE-2025-0690
   * SECURITY UPDATE: commands/dump: The dump command is not in lockdown when secure boot is enabled
     - CVE-2025-1118
   * SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based out-of-bounds write
     - CVE-2025-1125
   * SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF [LP: #2055835]
 .
   [ Steve McIntyre ]
   * Drop NTFS patches that seem to be causing regressions
   * Remove NTFS from the monolithic EFI grub image, so we don't sign
     vulnerable code.
   * Similarly, remove jfs - we have doubts.
   * Bump SBAT levels:
     + grub,5 now we have the 2025 CVE fixes included
     + grub.debian,5
     + grub.debian12,1
Checksums-Sha1:
 5316dd1cfd940c48c13795cb93bc0466de7df67b 10313196 grub-common-dbgsym_2.06-13+deb12u2_s390x.deb
 4d3d36924839564b6c82699d35de4bbdb72ce8cc 2625136 grub-common_2.06-13+deb12u2_s390x.deb
 ec67244832683851b8d15a36c9e77ec680ad57df 392396 grub-mount-udeb_2.06-13+deb12u2_s390x.udeb
 41b310dc6844d8448621fb31b1a767d513928896 11093 grub2_2.06-13+deb12u2_s390x-buildd.buildinfo
Checksums-Sha256:
 4910094a6613891d6a86231bfbfeb4b5b63024af8c133deff4cc4315fa877b0b 10313196 grub-common-dbgsym_2.06-13+deb12u2_s390x.deb
 70de0cfe283ecdb9ee541c1b8edeaba4eb286404635c6f6c2a5ec2d50f549f6f 2625136 grub-common_2.06-13+deb12u2_s390x.deb
 872a57470006aacf4383c26c6e4e3ab4f8485d186dcc6840dd6555af03abdaab 392396 grub-mount-udeb_2.06-13+deb12u2_s390x.udeb
 fa328cad89701894ddaed0f08bc5839ced47505dd9376755516d1677cc30734e 11093 grub2_2.06-13+deb12u2_s390x-buildd.buildinfo
Files:
 7fcf0fc1735f68ca4987b1e3653c2788 10313196 debug optional grub-common-dbgsym_2.06-13+deb12u2_s390x.deb
 7be9d5a0c3309b01856929d42325a1f9 2625136 admin optional grub-common_2.06-13+deb12u2_s390x.deb
 fee1a0c5a77410e03615a767a0588f10 392396 debian-installer optional grub-mount-udeb_2.06-13+deb12u2_s390x.udeb
 aaefb26a1f868770fdf80a559c59f242 11093 admin optional grub2_2.06-13+deb12u2_s390x-buildd.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
