-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 01 Apr 2026 21:03:46 +0100 Source: grub2 Architecture: source Version: 2.06-13+deb12u2 Distribution: bookworm Urgency: medium Maintainer: GRUB Maintainers Changed-By: Steve McIntyre <93sam@debian.org> Changes: grub2 (2.06-13+deb12u2) bookworm; urgency=medium . [ Julian Andres Klode ] * Set Protected: yes for -signed packages so they cannot easily be removed * debian/patches: Backport to bookworm . [ Felix Zielcke ] * Add salsa-ci.yml and disable blhc and reprotest pipelines. . [ Luca Boccassi ] * salsa-ci: configure for stable builds . [ Mate Kukri ] * Cherry-pick remaining XFS delta from 2.12 * Cherry-pick upstream vulnerability fixes * Cherry-pick extfs regression patch * Cherry-pick xfs regression patches * Bump SBAT level to grub,5 * fs/fat: Don't error when mtime is 0 (LP: #2098641) * SECURITY UPDATE: video/readers/jpeg: Do not permit duplicate SOF0 markers in JPEG - CVE-2024-45774 * SECURITY UPDATE: commands/extcmd: Missing check for failed allocation - CVE-2024-45775 * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write or read - CVE-2024-45776 * SECURITY UPDATE: gettext: Integer overflow leads to heap OOB write - CVE-2024-45777 * SECURITY UPDATE: fs/bfs: Integer overflow - CVE-2024-45778 * SECURITY UPDATE: fs/bfs: integer overflow leads to heap OOB read - CVE-2024-45779 * SECURITY UPDATE: fs/tar: Integer overflow leads to heap OOB write - CVE-2024-45780 * SECURITY UPDATE: fs/ufs: `strcpy` use leading to heap OOB write - CVE-2024-45781 * SECURITY UPDATE: fs/hfs: `strcpy` use leading to potential heap OOB write - CVE-2024-45782 * SECURITY UPDATE: fs/hfsplus: incorrect refcount handling leading to UAF - CVE-2024-45783 * SECURITY UPDATE: command/gpg: Use-after-free due to hooks not being removed on module unload - CVE-2025-0622 * SECURITY UPDATE: net: Out-of-bounds write in grub_net_search_config_file() - CVE-2025-0624 * SECURITY UPDATE: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks - CVE-2025-0677 * SECURITY UPDATE: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data - CVE-2025-0678 * SECURITY UPDATE: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data - CVE-2025-0684 * SECURITY UPDATE: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data - CVE-2025-0685 * SECURITY UPDATE: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data - CVE-2025-0686 * SECURITY UPDATE: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution - CVE-2025-0689 * SECURITY UPDATE: read: Integer overflow may lead to out-of-bounds write - CVE-2025-0690 * SECURITY UPDATE: commands/dump: The dump command is not in lockdown when secure boot is enabled - CVE-2025-1118 * SECURITY UPDATE: fs/hfs: Integer overflow may lead to heap based out-of-bounds write - CVE-2025-1125 * SECURITY UPDATE: insmod: incorrect refcount handling leading to UAF [LP: #2055835] . [ Steve McIntyre ] * Drop NTFS patches that seem to be causing regressions * Remove NTFS from the monolithic EFI grub image, so we don't sign vulnerable code. * Similarly, remove jfs - we have doubts. * Bump SBAT levels: + grub,5 now we have the 2025 CVE fixes included + grub.debian,5 + grub.debian12,1 Checksums-Sha1: ed6903334484fbe64a8cd2355f2b8def037fe37c 7093 grub2_2.06-13+deb12u2.dsc 221883f315faab979a8d6fb6c05867551b5decfd 1158840 grub2_2.06-13+deb12u2.debian.tar.xz 2a59ccf7792518ad29c2b95282acc60ce8ead54a 13574 grub2_2.06-13+deb12u2_source.buildinfo Checksums-Sha256: 9c0f89f34907e0e50df46401c811347f9559cd405b8c83659042f2c4687622b7 7093 grub2_2.06-13+deb12u2.dsc 851ac9ec78b167db98217d115c88fbd87644d80f3c63cd9d6da682926e819f82 1158840 grub2_2.06-13+deb12u2.debian.tar.xz 0865d0c092ba8a975473be0a89c8fbeb8c04d766e5c27ea6a90c7b958487ca8d 13574 grub2_2.06-13+deb12u2_source.buildinfo Files: 8dc24f29ef91c63792563f01d08f8a35 7093 admin optional grub2_2.06-13+deb12u2.dsc 47cde18067cfa34c757042476313d338 1158840 admin optional grub2_2.06-13+deb12u2.debian.tar.xz 5d3f53491723fd63562146ee02783347 13574 admin optional grub2_2.06-13+deb12u2_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmnNfa4RHDkzc2FtQGRl Ymlhbi5vcmcACgkQWHl5VzRCaE6GdA/+O0vIAkpD4xuDbHYFQy2SgIjq5fc79pRr iSn/D3UIbinets3QOSb0AIo79tg1jOl1XZbOAYXED/3PDCzHz8zK/KlsS9n+Zfmm a6g6Pp5YR312ixCAkLBUuJC54oCgkA9+j0mUzjRBR4tAnq07qGRgX1Grt98pXKIk 8WAeee5I4VrMDVcYBS/zZ9lmd+va55SiQS727QIwlegMyzrgS8M81/2+QOr8F3h6 sx2UDTYJAxDNztkLqOYOiUcXX7H0z4vDU3fo2n4qZgowQIJ+SGFSt2h4WbdzVn4d sjpePP0nldUV0UzureiEtDqJJfXi1H2SIApgYrDGo2jbbqrUScVxF+LWcMzDrmeC 7N/6hoDl+aLS+Kjawh2zDA8cHKDXGL+/gsiHM+AnNeb65NIzEZ60qyeF7mCVtVRY L4xPY/VD/kRF6dfobuLxvpiEWxZ1/rfVFyrPzOwWd374G288PX4Lpx8R9pl6InQl BgciJJmz4ll0XTQ7L+MT9syJv8ESRzBHtc8/KVgyzgsmyqpzdE0QXi3qNY4F21HH Rvnsqf9wO4t/gYk/qZqD2K2ikxWO1Y5uBi1RyFzVcBhB9f9fQCTlkEhxG8sAdHzc wyWqOmCot64f9ORdWBGgw9OJ5HU4RAIkjt1mbeQBBgFLulR68Jmwh8VkrnYJhqT2 QjXdsRtRomM= =a7CN -----END PGP SIGNATURE-----