import Oracle_OSS grub2-2.12-29.0.1.el10_1.2

This commit is contained in:
AlmaLinux RelEng Bot 2026-03-17 18:34:10 -04:00
parent f36941c806
commit 71c37e0c7b
14 changed files with 390 additions and 131 deletions

2
.gitignore vendored
View File

@ -1,4 +1,6 @@
gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz
grub-2.12.tar.xz
oraclegrubcer.cer
securebootca.cer
theme.tar.bz2
unifont-13.0.06.pcf.gz

View File

@ -0,0 +1,62 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alec Brown <alec.r.brown@oracle.com>
Date: Thu, 21 Aug 2025 21:14:06 +0000
Subject: [PATCH] gettext/gettext: Unregister gettext command on module unload
When the gettext module is loaded, the gettext command is registered but
isn't unregistered when the module is unloaded. We need to add a call to
grub_unregister_command() when unloading the module.
Fixes: CVE-2025-61662
Reported-by: Alec Brown <alec.r.brown@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gettext/gettext.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
index fffe3a05488b..1ca152ddd938 100644
--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
@@ -509,6 +509,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)),
return 0;
}
+static grub_command_t cmd;
+
GRUB_MOD_INIT (gettext)
{
const char *lang;
@@ -528,13 +530,14 @@ GRUB_MOD_INIT (gettext)
grub_register_variable_hook ("locale_dir", NULL, read_main);
grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary);
- grub_register_command_p1 ("gettext", grub_cmd_translate,
- N_("STRING"),
- /* TRANSLATORS: It refers to passing the string through gettext.
- So it's "translate" in the same meaning as in what you're
- doing now.
- */
- N_("Translates the string with the current settings."));
+ cmd = grub_register_command_p1 ("gettext", grub_cmd_translate,
+ N_("STRING"),
+ /*
+ * TRANSLATORS: It refers to passing the string through gettext.
+ * So it's "translate" in the same meaning as in what you're
+ * doing now.
+ */
+ N_("Translates the string with the current settings."));
/* Reload .mo file information if lang changes. */
grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang);
@@ -551,6 +554,8 @@ GRUB_MOD_FINI (gettext)
grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
grub_register_variable_hook ("lang", NULL, NULL);
+ grub_unregister_command (cmd);
+
grub_gettext_delete_list (&main_context);
grub_gettext_delete_list (&secondary_context);

View File

@ -1,66 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Thu, 24 Oct 2024 14:42:46 +0100
Subject: [PATCH] script/execute: Don't let trailing blank lines determine the
return code
grub_script_execute_sourcecode() parses and executes code one line at a
time, updating the return code each time because only the last line
determines the final status. However, trailing new lines were also
executed, masking any failure on the previous line. Fix this by only
trying to execute the command when there is actually one present.
This has presumably never been noticed because this code is not used by
regular functions, only in special cases like eval and menu entries. The
latter generally don't return at all, having booted an OS. When failing
to boot, upstream GRUB triggers the fallback mechanism regardless of the
return code.
We noticed the problem while using Red Hat's patches, which change this
behaviour to take account of the return code. In that case, a failure
takes you back to the menu rather than triggering a fallback.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
grub-core/script/execute.c | 5 ++++-
tests/grub_script_eval.in | 10 +++++++++-
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c
index 014132703..3d26a3fe4 100644
--- a/grub-core/script/execute.c
+++ b/grub-core/script/execute.c
@@ -952,7 +952,10 @@ grub_script_execute_sourcecode (const char *source)
break;
}
- ret = grub_script_execute (parsed_script);
+ /* Don't let trailing blank lines determine the return code. */
+ if (parsed_script->cmd)
+ ret = grub_script_execute (parsed_script);
+
grub_script_free (parsed_script);
grub_free (line);
}
diff --git a/tests/grub_script_eval.in b/tests/grub_script_eval.in
index c97b78d77..9c6211042 100644
--- a/tests/grub_script_eval.in
+++ b/tests/grub_script_eval.in
@@ -3,4 +3,12 @@
eval echo "Hello world"
valname=tst
eval $valname=hi
-echo $tst
\ No newline at end of file
+echo $tst
+
+if eval "
+false
+"; then
+ echo should have failed
+else
+ echo failed as expected
+fi
--
2.48.1

View File

@ -1,45 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: James Le Cuirot <jlecuirot@microsoft.com>
Date: Thu, 24 Oct 2024 15:00:26 +0100
Subject: [PATCH] normal/menu: Check return code of the script when executing a
menu entry
Don't rely on grub_errno here because grub_script_execute_new_scope()
calls grub_print_error(), which always resets grub_errno back to
GRUB_ERR_NONE. It may also get reset by grub_wait_after_message().
This problem was observed when a "bad signature" error resulted in the
menu being redisplayed rather than the fallback mechanism being
triggered, although another change was also needed to fix it. This only
happens with Red Hat's patches because upstream GRUB triggers the
fallback mechanism regardless of the return code.
Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
---
grub-core/normal/menu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 97687013c..a2703dabb 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -377,14 +377,14 @@ grub_menu_execute_entry(grub_menu_entry_t entry, int auto_boot)
if (ptr && ptr[0] && ptr[1])
grub_env_set ("default", ptr + 1);
- grub_script_execute_new_scope (entry->sourcecode, entry->argc, entry->args);
+ err = grub_script_execute_new_scope (entry->sourcecode, entry->argc, entry->args);
if (errs_before != grub_err_printed_errors)
grub_wait_after_message ();
errs_before = grub_err_printed_errors;
- if (grub_errno == GRUB_ERR_NONE && grub_loader_is_loaded ())
+ if (err == GRUB_ERR_NONE && grub_loader_is_loaded ())
/* Implicit execution of boot, only if something is loaded. */
err = grub_command_execute ("boot", 0, 0);
--
2.48.1

View File

@ -6,6 +6,7 @@ fi
[[ -f /etc/default/grub ]] && . /etc/default/grub
[[ -f /etc/os-release ]] && . /etc/os-release
[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel
COMMAND="$1"
KERNEL_VERSION="$2"
@ -41,8 +42,14 @@ mkbls() {
fi
fi
if [[ $kernelver =~ uek ]]; then
local ver_stanza="$kernelver with Unbreakable Enterprise Kernel"
else
local ver_stanza="$kernelver"
fi
cat <<EOF
title ${NAME} (${kernelver}) ${VERSION}${debugname}
title ${NAME} (${ver_stanza}) ${VERSION}${debugname}
version ${kernelver}${debugid}
linux /vmlinuz-${kernelver}
initrd /initramfs-${kernelver}.img
@ -117,6 +124,7 @@ case "$COMMAND" in
done
fi
KERNEL_NAME="$(rpm -q --queryformat %{NAME} $(rpm -qf $KERNEL_IMAGE))"
eval "$(grub2-get-kernel-settings)" || true
[[ -d "$BLS_DIR" ]] || mkdir -m 0700 -p "$BLS_DIR"
BLS_ID="${MACHINE_ID}-${KERNEL_VERSION}"
@ -142,11 +150,7 @@ case "$COMMAND" in
sed -i -e "s,^initrd.*,initrd ${BOOTPREFIX}${INITRD},g" "${BLS_TARGET}"
fi
if ( [[ "$KERNEL_VERSION" != *${GRUB_DEFAULT_KERNEL_TYPE}* ]] && \
[ "x$GRUB_NON_STANDARD_KERNEL" == "xtrue" ] ) || \
( echo "$KERNEL_VERSION" | grep -E -q "64k|auto|rt|uki" && \
[ "x$GRUB_NON_STANDARD_KERNEL" != "xtrue" ] ) || \
( [[ "$KERNEL_VERSION" == *debug* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ] ); then
if [[ "$KERNEL_VERSION" == *\+* ]] && [ "x$GRUB_DEFAULT_TO_DEBUG" != "xtrue" ]; then
GRUB_UPDATE_DEFAULT_KERNEL=false
fi
@ -165,7 +169,7 @@ case "$COMMAND" in
NEWDEFAULT="${BLS_DEBUG_ID}"
fi
fi
if [ -n "$NEWDEFAULT" ]; then
if [ -n "$NEWDEFAULT" ] && [ "$DEFAULTKERNEL" = "$KERNEL_NAME" ]; then
grub2-editenv - set "saved_entry=${NEWDEFAULT}"
fi

View File

@ -0,0 +1,30 @@
From fd04ca689f52d8bbef13413b4d285c9ba4d0f038 Mon Sep 17 00:00:00 2001
From: build team <natalya.naumova@oracle.com>
Date: Tue, 18 Dec 2018 13:22:12 -0800
Subject: [PATCH 1/1] Use different menuentries for UEK kernel
---
util/grub.d/10_linux.in | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index b54d277..fe8b20f 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -173,7 +173,12 @@ EOF
fi
if [ x$type != xsimple ] ; then
- title=$(mktitle "$type" "$version")
+ if echo "$version" | grep -q uek; then
+ kernel_type_text="with Unbreakable Enterprise Kernel"
+ else
+ kernel_type_text="with Linux"
+ fi
+ title=$(mktitle "$type" "$version $kernel_type_text")
if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then
replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')"
quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)"
--
1.8.3.1

View File

@ -0,0 +1,25 @@
From 05bfbf0b086ed14ea9311e2406d775c2562a826d Mon Sep 17 00:00:00 2001
From: livy.ge <livy.ge@oracle.com>
Date: Wed, 5 Jul 2017 03:53:48 -0700
Subject: [PATCH] update bug url
---
util/grub-set-password.in | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/util/grub-set-password.in b/util/grub-set-password.in
index d7924af..2f182b8 100755
--- a/util/grub-set-password.in
+++ b/util/grub-set-password.in
@@ -25,7 +25,7 @@ located by default at ${grubdir}.
-v, --version print the version information and exit
-o, --output_path <DIRECTORY> put user.cfg in a user-selected directory
-Report bugs at https://bugzilla.redhat.com.
+Report bugs at https://github.com/oracle/oracle-linux .
EOF
}
--
1.7.4.1

View File

@ -0,0 +1,191 @@
From 4d2d00c8b9c2954a9a1f6bec57de8477366c7d42 Mon Sep 17 00:00:00 2001
From: Alex Burmashev <alexander.burmashev@oracle.com>
Date: Thu, 17 Apr 2025 11:11:30 +0000
Subject: [PATCH] efinet: Close and reopen card on failure
There are some known bugs with network adapter firmware implementations,
that may lead to intermittent problem of network adapter link being down, despite network
being set up.
Ultimate fix of this issue should be done on firmware side, but as for now we try to close
and reopen network adapter and retransmit packet in case we see failures.
Without this fix certain amount of PXE boots fails with inability to transmit packet, with this fix,
such failures are not seen.
Orabug: 35126950
Orabug: 37808688
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
grub-core/net/drivers/efi/efinet.c | 149 ++++++++++++++++-------------
1 file changed, 85 insertions(+), 64 deletions(-)
diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c
index 4591d07..cb97a9e 100644
--- a/grub-core/net/drivers/efi/efinet.c
+++ b/grub-core/net/drivers/efi/efinet.c
@@ -37,70 +37,6 @@ static grub_guid_t pxe_io_guid = GRUB_EFI_PXE_GUID;
static grub_guid_t ip4_config_guid = GRUB_EFI_IP4_CONFIG2_PROTOCOL_GUID;
static grub_guid_t ip6_config_guid = GRUB_EFI_IP6_CONFIG_PROTOCOL_GUID;
-static grub_err_t
-send_card_buffer (struct grub_net_card *dev,
- struct grub_net_buff *pack)
-{
- grub_efi_status_t st;
- grub_efi_simple_network_t *net = dev->efi_net;
- grub_uint64_t limit_time = grub_get_time_ms () + 4000;
- void *txbuf;
-
- if (net == NULL)
- return grub_error (GRUB_ERR_IO,
- N_("network protocol not available, can't send packet"));
- if (dev->txbusy)
- while (1)
- {
- txbuf = NULL;
- st = net->get_status (net, 0, &txbuf);
- if (st != GRUB_EFI_SUCCESS)
- return grub_error (GRUB_ERR_IO,
- N_("couldn't send network packet"));
- /*
- Some buggy firmware could return an arbitrary address instead of the
- txbuf address we trasmitted, so just check that txbuf is non NULL
- for success. This is ok because we open the SNP protocol in
- exclusive mode so we know we're the only ones transmitting on this
- box and since we only transmit one packet at a time we know our
- transmit was successfull.
- */
- if (txbuf)
- {
- dev->txbusy = 0;
- break;
- }
- if (limit_time < grub_get_time_ms ())
- return grub_error (GRUB_ERR_TIMEOUT,
- N_("couldn't send network packet"));
- }
-
- dev->last_pkt_size = (pack->tail - pack->data);
- if (dev->last_pkt_size > dev->mtu)
- dev->last_pkt_size = dev->mtu;
-
- grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size);
-
- st = net->transmit (net, 0, dev->last_pkt_size,
- dev->txbuf, NULL, NULL, NULL);
- if (st != GRUB_EFI_SUCCESS)
- return grub_error (GRUB_ERR_IO, N_("couldn't send network packet"));
-
- /*
- The card may have sent out the packet immediately - set txbusy
- to 0 in this case.
- Cases were observed where checking txbuf at the next call
- of send_card_buffer() is too late: 0 is returned in txbuf and
- we run in the GRUB_ERR_TIMEOUT case above.
- Perhaps a timeout in the FW has discarded the recycle buffer.
- */
- txbuf = NULL;
- st = net->get_status (net, 0, &txbuf);
- dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf);
-
- return GRUB_ERR_NONE;
-}
-
static struct grub_net_buff *
get_card_packet (struct grub_net_card *dev)
{
@@ -228,6 +164,91 @@ close_card (struct grub_net_card *dev)
grub_efi_close_protocol (dev->efi_handle, &net_io_guid);
}
+static grub_err_t
+send_card_buffer (struct grub_net_card *dev,
+ struct grub_net_buff *pack)
+{
+ grub_efi_status_t st;
+ grub_efi_simple_network_t *net = dev->efi_net;
+ grub_uint64_t limit_time = grub_get_time_ms () + 4000;
+ void *txbuf;
+ grub_err_t ret;
+ int retry = 0;
+
+ if (net == NULL)
+ return grub_error (GRUB_ERR_IO,
+ N_("network protocol not available, can't send packet"));
+ if (dev->txbusy)
+ while (1)
+ {
+ txbuf = NULL;
+ st = net->get_status (net, 0, &txbuf);
+ if (st != GRUB_EFI_SUCCESS)
+ return grub_error (GRUB_ERR_IO,
+ N_("couldn't send network packet"));
+ /*
+ Some buggy firmware could return an arbitrary address instead of the
+ txbuf address we trasmitted, so just check that txbuf is non NULL
+ for success. This is ok because we open the SNP protocol in
+ exclusive mode so we know we're the only ones transmitting on this
+ box and since we only transmit one packet at a time we know our
+ transmit was successfull.
+ */
+ if (txbuf)
+ {
+ dev->txbusy = 0;
+ break;
+ }
+ if (limit_time < grub_get_time_ms ())
+ {
+ if (!retry)
+ {
+ close_card (dev);
+ grub_millisleep (100);
+ ret = open_card (dev);
+ if (ret != GRUB_ERR_NONE)
+ return grub_error (GRUB_ERR_IO,
+ N_("couldn't open card"));
+ st = net->transmit (net, 0, dev->last_pkt_size,
+ dev->txbuf, NULL, NULL, NULL);
+ if (st != GRUB_EFI_SUCCESS)
+ return grub_error (GRUB_ERR_IO,
+ N_("couldn't send network packet"));
+ retry = 1;
+ grub_uint64_t limit_time = grub_get_time_ms () + 10000;
+ break;
+ }
+ return grub_error (GRUB_ERR_TIMEOUT,
+ N_("couldn't send network packet"));
+ }
+ }
+
+ dev->last_pkt_size = (pack->tail - pack->data);
+ if (dev->last_pkt_size > dev->mtu)
+ dev->last_pkt_size = dev->mtu;
+
+ grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size);
+
+ st = net->transmit (net, 0, dev->last_pkt_size,
+ dev->txbuf, NULL, NULL, NULL);
+ if (st != GRUB_EFI_SUCCESS)
+ return grub_error (GRUB_ERR_IO, N_("couldn't send network packet"));
+
+ /*
+ The card may have sent out the packet immediately - set txbusy
+ to 0 in this case.
+ Cases were observed where checking txbuf at the next call
+ of send_card_buffer() is too late: 0 is returned in txbuf and
+ we run in the GRUB_ERR_TIMEOUT case above.
+ Perhaps a timeout in the FW has discarded the recycle buffer.
+ */
+ txbuf = NULL;
+ st = net->get_status (net, 0, &txbuf);
+ dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf);
+
+ return GRUB_ERR_NONE;
+}
+
static struct grub_net_card_driver efidriver =
{
.name = "efinet",
--
2.47.1

0
gen_grub_cfgstub Normal file → Executable file
View File

View File

@ -304,6 +304,13 @@ Requires: grub2-common = %{evr} \
Requires: grub2-tools-minimal >= %{evr} \
Requires: grub2-tools = %{evr} \
Provides: grub2-efi = %{evr} \
Provides: oracle(grub2-sig-key) = 202502 \
%{expand:%%ifarch x86_64 \
Conflicts: shim-x64 < 15.8-1.0.6 \
%%endif} \
%{expand:%%ifarch aarch64 \
Conflicts: shim-aa64 < 15.8-1.0.6 \
%%endif} \
%{?legacy_provides:Provides: grub2 = %{evr}} \
%{-o:Obsoletes: grub2-efi < %{evr}} \
\
@ -401,7 +408,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \
rm -f %{1}.conf \
%{nil}
%global grub_modules " all_video boot blscfg \\\
%global grub_modules " all_video boot blscfg btrfs \\\
cat configfile cryptodisk \\\
echo ext2 f2fs fat font \\\
gcry_rijndael gcry_rsa gcry_serpent \\\

View File

@ -367,5 +367,7 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch
Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch
Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch
Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch
Patch0371: 0371-script-execute-Don-t-let-trailing-blank-lines-determ.patch
Patch0372: 0372-normal-menu-Check-return-code-of-the-script-when-exe.patch
Patch0371: 0371-gettext-gettext-Unregister-gettext-command-on-module.patch
Patch1000: bug18504756-use-different-title-for-UEK.patch
Patch1001: bug26388226-update-redhat-references.patch
Patch1002: bug37808688-efinet-Close-and-reopen-card-on-failure.patch

View File

@ -17,7 +17,7 @@
Name: grub2
Epoch: 1
Version: 2.12
Release: 29%{?dist}
Release: 29.0.1%{?dist}.2
Summary: Bootloader with support for Linux, Multiboot and more
License: GPL-3.0-or-later
URL: http://www.gnu.org/software/grub/
@ -36,25 +36,27 @@ Source10: 20-grub.install
Source11: grub.patches
Source12: sbat.csv.in
Source13: gen_grub_cfgstub
Source14: oraclegrubcer.cer
Source15: securebootca.cer
%include %{SOURCE1}
%ifarch x86_64 aarch64 ppc64le
%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer
%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer
%define sb_ca %{SOURCE15}
%define sb_cer %{SOURCE14}
%endif
%if 0%{?centos}
%ifarch x86_64 aarch64 ppc64le
%define sb_key centossecureboot202
%define sb_key OracleLinuxSecureBootKey1
%endif
%else
%ifarch x86_64 aarch64
%define sb_key redhatsecureboot502
%define sb_key OracleLinuxSecureBootKey1
%endif
%ifarch ppc64le
%define sb_key redhatsecureboot702
%define sb_key OracleLinuxSecureBootKey1
%endif
%endif
@ -574,9 +576,51 @@ fi
%endif
%changelog
* Mon Sep 08 2025 Leo Sandoval <lsandova@redhat.com> 2.12-29
- Fix the fallback mechanism when menu entries fail to boot
- Resolves: RHEL-113024
* Mon Mar 16 2026 EL Errata <el-errata_ww@oracle.com> - 2.12-29.0.1.el10_1.2
- efinet: Close and reopen card on failure [Orabug: 37808688]
- Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761]
- Fix typo in SBAT metadata [Orabug: 37693946]
- Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946]
- Enable btrfs module [Orabug: 37412995]
- Restored shim related conflicts and provide. [Orabug: 37376920]
- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566]
- Support setting custom kernels as default kernels [Orabug: 36043978]
- Bump SBAT metadata for grub to 3 [Orabug: 34872719]
- Fix CVE-2022-3775 [Orabug: 34871953]
- Enable signing for aarch64 EFI
- Fix signing certificate names
- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986]
- Replaced bugzilla.oracle.com references [Orabug: 34202300]
- Update provided certificate version to 202204 [JIRA: OLDIS-16371]
- Various coverity fixes [JIRA: OLDIS-16371]
- bump SBAT generation
- Update bug url [Orabug: 34202300]
- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371]
- Update signing certificate [JIRA: OLDIS-16371]
- fix SBAT data [JIRA: OLDIS-16371]
- Update requires [JIRA: OLDIS-16371]
- Rebuild for SecureBoot signatures [Orabug: 33801813]
- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033]
- Update Oracle SBAT data [Orabug: 32670033]
- Use new signing certificate [Orabug: 32670033]
- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497]
- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597]
- Update upstream references [Orabug: 26388226]
- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955]
- Put "with" in menuentry instead of "using" [Orabug: 18504756]
- Use different titles for UEK and RHCK kernels [Orabug: 18504756]
* Tue Mar 03 2026 Nicolas Frayer <nfrayer@redhat.com> - 2.12-29.2
- Try to get gating tests running via fmf/tmt
- Resolves: #RHEL-152849
* Thu Feb 19 2026 Therese Cornell <tcornell@redhat.com> - 2.12-29.1
- Fixes CVE-2025-61662 Missing unregister call for gettext command may lead to use-after-free
- Resolves: #RHEL-141580
* Wed Oct 8 2025 Nicolas Frayer <nfrayer@redhat.com> 2.12-29
- spec: Update signing key to redhatsecureboot802
- Resolves: #RHEL-116730
* Thu Aug 21 2025 Leo Sandoval <lsandova@redhat.com> 2.12-28
- Remove strong stack protector on target CFLAGS

3
sbat.csv.in Executable file → Normal file
View File

@ -1,4 +1,5 @@
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,5,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
grub,5,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/
grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
grub.centos,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
grub.ol10,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com

View File

@ -1,4 +1,6 @@
SHA512 (gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz) = 6887dede2d4a403422ea045329ee9bd7ca4c1561bcaf39e805e1d1ce8f4c050a65ce286e7d8362fb8e815b5fab0b405730a3f93194e343e2aedcf9b4411a285e
SHA512 (grub-2.12.tar.xz) = 761c060a4c3da9c0e810b0ea967e3ebc66baa4ddd682a503ae3d30a83707626bccaf49359304a16b3a26fc4435fe6bea1ee90be910c84de3c2b5485a31a15be3
SHA512 (oraclegrubcer.cer) = 45d6ba3ae6f640fe7c26836e697085b12b39b2aee41ae5c474f00aa68a40d7c0380206f81eab8fc784298e82f8a4d268c38eb3ae9e3c3e80dbabcfc3857c66f3
SHA512 (securebootca.cer) = f8ef4b87e610b07ef53bcde253469b5316d9ba128357123246c64e4468c13f329d42187503908201d67168e61e5ce5e8a969935087b9bda38eee85d306561050
SHA512 (theme.tar.bz2) = 0f6f914d5f801509403094b28b8cfe5169cb56ae9bdd808ae21a6780a8236b434161a068351508dd78729c25ee2fed066c124c1eef9e15102750b409b4576a5c
SHA512 (unifont-13.0.06.pcf.gz) = 25f1ea4e316cd77b65cf4f60aa10ed054db6df2195be7344216673dee6628ab055ebcdeea186996d931fd1e9e4f519f4a2e4b4544b8a9ad2fe410aadc4eecd2d