[ubuntu-hardened] Fwd: Confused on GRUB2 version for 20.04.2 LTS
Alex Murray
alex.murray at canonical.com
Mon Jun 21 01:19:44 UTC 2021
Hi David

This looks to be confusion between how grub2 is now packaged in Ubuntu -
since the switch to "One Grub"[1] the actual fixed version of grub2 for
EFI related issues comes from the grub2-signed package - this in turn is
built from the grub2-unsigned package and so these are the ones which
are critical to look at in terms of version numbers for UEFI security
issues. Also whilst these fixes have been available in the -updates
pocket for some time, they have only recently been published to the
-security pocket, which is the one we reference when publishing security
notices etc.

As such, for 20.04 LTS, grub2-unsigned version 2.04-1ubuntu44.2
is the first one that got published to -security and hence the one we
quote on this page. This includes the BootHole fixes plus a few other
changes which were needed to ensure it was all packaged correctly since
then (as the actual fixes landed in grub2-unsigned 2.04-1ubuntu42 but
this was only ever published to -updates, not -security).

Hopefully this clears things up.

Thanks,
Alex

On Sun, 2021-06-20 at 09:20:33 +0930, David F. wrote:
> In case this didn't make it because it had a link. Here's the message
> again without the link:
>
> When I read (link removed but search GRUB2SecureBootBypass2021)
> it says 20.04 LTS should have a 1ubuntu44.2 but it's not, it's a
> 1ubuntu26.12 (was 1ubuntu26.11 last month). It appears security
> patches are applied to the build 1ubuntu26.11 (I built prior to .12).
> Based on the date it seems 1ubuntu26.11 should have updates through
> Feb 24, 2021? I know the boothole patch is applied. From description
> of 1ubuntu26.12 it seems like it updated the version but no new
> patches were applied?
>
> Can someone help clear up what is what?
>
> Thanks.