Hi,

I just uploaded grub2 2.12-2 and 2.12-2~deb13u1 to unstable and testing-proposed-updates respectively. These have been pending for a couple weeks now but we got a bit distracted by the time_t stuff (which is also the reason for the t-p-u upload so this doesn't get stuck).

These fix a use-after-free in the peimage module that has been assigned CVE-2024-2312 that affects Debian/Ubuntu grubs 2.12~rc1 and newer:

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This led to a use-after-free condition, and could possibly lead to secure boot bypass.

The same change also restores support for the systemd-boot stub.

Dear ftp and release teams, please ensure that the testing-proposed-updates upload lands and that the signed uploads are processed accordingly. I don't know how to handle the signing with the proposed-updates, but I'm sure you can coordinate that :)

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer - i speak de, en