Bug#1098319: grub2 CVEs in stable
Julian Andres Klode
jak at debian.org
Thu Apr 17 16:11:56 BST 2025
On Thu, Apr 17, 2025 at 03:25:33PM +0200, Sylvain Beucler wrote:
> Hi,
>
> I'm part of the Debian LTS Team and checking on our grub2 status.
>
> Are there any plans to work on a bullseye update?
> (asking because grub2 maintainers have done so in the past, and because
> grub2 is listed at lts-do-call-me:)
> https://salsa.debian.org/security-tracker-team/security-tracker/-/blob/master/data/packages/lts-do-call-me
>
> Also, we're not familiar with the Debian signing service. Are there
> additional steps or tests to perform? Is it set up for
> security-master:oldstable?
>
> Last, let us know if we can help with the bookworm update :)

The updates are more or less ready, just need merging 2.12-7

bookworm: https://salsa.debian.org/grub-team/grub/-/merge_requests/77
bullseye: https://salsa.debian.org/grub-team/grub/-/merge_requests/78

I think the reasonable path forward is to have the bookworm updates
in stable-proposed-updates, and once we had a point release the bullseye
one, since otherwise bullseye users would get it much earlier.

The grub changes have been baking in testing for almost a month
now (23rd), that's sort of the deadline for uploading to
proposed-updates.

The other thing to note is that the Ubuntu rollout also hasn't
started yet, and it's wise to wait for it to reach a significant
percentage, as Ubuntu rollouts are slowly phased ones rather than
"everyone gets it all at once".

trixie and plucky are the only distros in the wild to have shipped
the patches so far, and there is future regression potential so far
once this actually gets in the hands of stable release users, and I'd
rather deal with 10% of Ubuntu users than break all Debian installs
at the same time.

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en