From 71c37e0c7b465b2ef97c254ec4d73ec2656df5e8 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 17 Mar 2026 18:34:10 -0400 Subject: [PATCH] import Oracle_OSS grub2-2.12-29.0.1.el10_1.2 --- .gitignore | 2 + ...Unregister-gettext-command-on-module.patch | 62 ++++++ ...on-t-let-trailing-blank-lines-determ.patch | 66 ------ ...k-return-code-of-the-script-when-exe.patch | 45 ----- 20-grub.install | 18 +- bug18504756-use-different-title-for-UEK.patch | 30 +++ bug26388226-update-redhat-references.patch | 25 +++ ...net-Close-and-reopen-card-on-failure.patch | 191 ++++++++++++++++++ gen_grub_cfgstub | 0 grub.macros | 9 +- grub.patches | 6 +- grub2.spec | 62 +++++- sbat.csv.in | 3 +- sources | 2 + 14 files changed, 390 insertions(+), 131 deletions(-) create mode 100644 0371-gettext-gettext-Unregister-gettext-command-on-module.patch delete mode 100644 0371-script-execute-Don-t-let-trailing-blank-lines-determ.patch delete mode 100644 0372-normal-menu-Check-return-code-of-the-script-when-exe.patch create mode 100644 bug18504756-use-different-title-for-UEK.patch create mode 100644 bug26388226-update-redhat-references.patch create mode 100644 bug37808688-efinet-Close-and-reopen-card-on-failure.patch mode change 100644 => 100755 gen_grub_cfgstub mode change 100755 => 100644 sbat.csv.in diff --git a/.gitignore b/.gitignore index c9613f0..6d26737 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,6 @@ gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz grub-2.12.tar.xz +oraclegrubcer.cer +securebootca.cer theme.tar.bz2 unifont-13.0.06.pcf.gz diff --git a/0371-gettext-gettext-Unregister-gettext-command-on-module.patch b/0371-gettext-gettext-Unregister-gettext-command-on-module.patch new file mode 100644 index 0000000..0de2769 --- /dev/null +++ b/0371-gettext-gettext-Unregister-gettext-command-on-module.patch @@ -0,0 +1,62 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Alec Brown +Date: Thu, 21 Aug 2025 21:14:06 +0000 +Subject: [PATCH] gettext/gettext: Unregister gettext command on module unload + +When the gettext module is loaded, the gettext command is registered but +isn't unregistered when the module is unloaded. We need to add a call to +grub_unregister_command() when unloading the module. + +Fixes: CVE-2025-61662 + +Reported-by: Alec Brown +Signed-off-by: Alec Brown +Reviewed-by: Daniel Kiper +--- + grub-core/gettext/gettext.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c +index fffe3a05488b..1ca152ddd938 100644 +--- a/grub-core/gettext/gettext.c ++++ b/grub-core/gettext/gettext.c +@@ -509,6 +509,8 @@ grub_cmd_translate (grub_command_t cmd __attribute__ ((unused)), + return 0; + } + ++static grub_command_t cmd; ++ + GRUB_MOD_INIT (gettext) + { + const char *lang; +@@ -528,13 +530,14 @@ GRUB_MOD_INIT (gettext) + grub_register_variable_hook ("locale_dir", NULL, read_main); + grub_register_variable_hook ("secondary_locale_dir", NULL, read_secondary); + +- grub_register_command_p1 ("gettext", grub_cmd_translate, +- N_("STRING"), +- /* TRANSLATORS: It refers to passing the string through gettext. +- So it's "translate" in the same meaning as in what you're +- doing now. +- */ +- N_("Translates the string with the current settings.")); ++ cmd = grub_register_command_p1 ("gettext", grub_cmd_translate, ++ N_("STRING"), ++ /* ++ * TRANSLATORS: It refers to passing the string through gettext. ++ * So it's "translate" in the same meaning as in what you're ++ * doing now. ++ */ ++ N_("Translates the string with the current settings.")); + + /* Reload .mo file information if lang changes. */ + grub_register_variable_hook ("lang", NULL, grub_gettext_env_write_lang); +@@ -551,6 +554,8 @@ GRUB_MOD_FINI (gettext) + grub_register_variable_hook ("secondary_locale_dir", NULL, NULL); + grub_register_variable_hook ("lang", NULL, NULL); + ++ grub_unregister_command (cmd); ++ + grub_gettext_delete_list (&main_context); + grub_gettext_delete_list (&secondary_context); + diff --git a/0371-script-execute-Don-t-let-trailing-blank-lines-determ.patch b/0371-script-execute-Don-t-let-trailing-blank-lines-determ.patch deleted file mode 100644 index fd2eb2b..0000000 --- a/0371-script-execute-Don-t-let-trailing-blank-lines-determ.patch +++ /dev/null @@ -1,66 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: James Le Cuirot -Date: Thu, 24 Oct 2024 14:42:46 +0100 -Subject: [PATCH] script/execute: Don't let trailing blank lines determine the - return code - -grub_script_execute_sourcecode() parses and executes code one line at a -time, updating the return code each time because only the last line -determines the final status. However, trailing new lines were also -executed, masking any failure on the previous line. Fix this by only -trying to execute the command when there is actually one present. - -This has presumably never been noticed because this code is not used by -regular functions, only in special cases like eval and menu entries. The -latter generally don't return at all, having booted an OS. When failing -to boot, upstream GRUB triggers the fallback mechanism regardless of the -return code. - -We noticed the problem while using Red Hat's patches, which change this -behaviour to take account of the return code. In that case, a failure -takes you back to the menu rather than triggering a fallback. - -Signed-off-by: James Le Cuirot ---- - grub-core/script/execute.c | 5 ++++- - tests/grub_script_eval.in | 10 +++++++++- - 2 files changed, 13 insertions(+), 2 deletions(-) - -diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c -index 014132703..3d26a3fe4 100644 ---- a/grub-core/script/execute.c -+++ b/grub-core/script/execute.c -@@ -952,7 +952,10 @@ grub_script_execute_sourcecode (const char *source) - break; - } - -- ret = grub_script_execute (parsed_script); -+ /* Don't let trailing blank lines determine the return code. */ -+ if (parsed_script->cmd) -+ ret = grub_script_execute (parsed_script); -+ - grub_script_free (parsed_script); - grub_free (line); - } -diff --git a/tests/grub_script_eval.in b/tests/grub_script_eval.in -index c97b78d77..9c6211042 100644 ---- a/tests/grub_script_eval.in -+++ b/tests/grub_script_eval.in -@@ -3,4 +3,12 @@ - eval echo "Hello world" - valname=tst - eval $valname=hi --echo $tst -\ No newline at end of file -+echo $tst -+ -+if eval " -+false -+"; then -+ echo should have failed -+else -+ echo failed as expected -+fi --- -2.48.1 - diff --git a/0372-normal-menu-Check-return-code-of-the-script-when-exe.patch b/0372-normal-menu-Check-return-code-of-the-script-when-exe.patch deleted file mode 100644 index 3ce0eec..0000000 --- a/0372-normal-menu-Check-return-code-of-the-script-when-exe.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: James Le Cuirot -Date: Thu, 24 Oct 2024 15:00:26 +0100 -Subject: [PATCH] normal/menu: Check return code of the script when executing a - menu entry - -Don't rely on grub_errno here because grub_script_execute_new_scope() -calls grub_print_error(), which always resets grub_errno back to -GRUB_ERR_NONE. It may also get reset by grub_wait_after_message(). - -This problem was observed when a "bad signature" error resulted in the -menu being redisplayed rather than the fallback mechanism being -triggered, although another change was also needed to fix it. This only -happens with Red Hat's patches because upstream GRUB triggers the -fallback mechanism regardless of the return code. - -Signed-off-by: James Le Cuirot ---- - grub-core/normal/menu.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c -index 97687013c..a2703dabb 100644 ---- a/grub-core/normal/menu.c -+++ b/grub-core/normal/menu.c -@@ -377,14 +377,14 @@ grub_menu_execute_entry(grub_menu_entry_t entry, int auto_boot) - if (ptr && ptr[0] && ptr[1]) - grub_env_set ("default", ptr + 1); - -- grub_script_execute_new_scope (entry->sourcecode, entry->argc, entry->args); -+ err = grub_script_execute_new_scope (entry->sourcecode, entry->argc, entry->args); - - if (errs_before != grub_err_printed_errors) - grub_wait_after_message (); - - errs_before = grub_err_printed_errors; - -- if (grub_errno == GRUB_ERR_NONE && grub_loader_is_loaded ()) -+ if (err == GRUB_ERR_NONE && grub_loader_is_loaded ()) - /* Implicit execution of boot, only if something is loaded. */ - err = grub_command_execute ("boot", 0, 0); - --- -2.48.1 - diff --git a/20-grub.install b/20-grub.install index 699fff7..9cbf739 100755 --- a/20-grub.install +++ b/20-grub.install @@ -6,6 +6,7 @@ fi [[ -f /etc/default/grub ]] && . /etc/default/grub [[ -f /etc/os-release ]] && . /etc/os-release +[[ -f /etc/sysconfig/kernel ]] && . /etc/sysconfig/kernel COMMAND="$1" KERNEL_VERSION="$2" @@ -41,8 +42,14 @@ mkbls() { fi fi + if [[ $kernelver =~ uek ]]; then + local ver_stanza="$kernelver with Unbreakable Enterprise Kernel" + else + local ver_stanza="$kernelver" + fi + cat < +Date: Tue, 18 Dec 2018 13:22:12 -0800 +Subject: [PATCH 1/1] Use different menuentries for UEK kernel + +--- + util/grub.d/10_linux.in | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in +index b54d277..fe8b20f 100644 +--- a/util/grub.d/10_linux.in ++++ b/util/grub.d/10_linux.in +@@ -173,7 +173,12 @@ EOF + fi + + if [ x$type != xsimple ] ; then +- title=$(mktitle "$type" "$version") ++ if echo "$version" | grep -q uek; then ++ kernel_type_text="with Unbreakable Enterprise Kernel" ++ else ++ kernel_type_text="with Linux" ++ fi ++ title=$(mktitle "$type" "$version $kernel_type_text") + if [ x"$title" = x"$GRUB_ACTUAL_DEFAULT" ] || [ x"Previous Linux versions>$title" = x"$GRUB_ACTUAL_DEFAULT" ]; then + replacement_title="$(echo "Advanced options for ${OS}" | sed 's,>,>>,g')>$(echo "$title" | sed 's,>,>>,g')" + quoted="$(echo "$GRUB_ACTUAL_DEFAULT" | grub_quote)" +-- +1.8.3.1 + diff --git a/bug26388226-update-redhat-references.patch b/bug26388226-update-redhat-references.patch new file mode 100644 index 0000000..bf1916a --- /dev/null +++ b/bug26388226-update-redhat-references.patch @@ -0,0 +1,25 @@ +From 05bfbf0b086ed14ea9311e2406d775c2562a826d Mon Sep 17 00:00:00 2001 +From: livy.ge +Date: Wed, 5 Jul 2017 03:53:48 -0700 +Subject: [PATCH] update bug url + +--- + util/grub-set-password.in | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/util/grub-set-password.in b/util/grub-set-password.in +index d7924af..2f182b8 100755 +--- a/util/grub-set-password.in ++++ b/util/grub-set-password.in +@@ -25,7 +25,7 @@ located by default at ${grubdir}. + -v, --version print the version information and exit + -o, --output_path put user.cfg in a user-selected directory + +-Report bugs at https://bugzilla.redhat.com. ++Report bugs at https://github.com/oracle/oracle-linux . + EOF + } + +-- +1.7.4.1 + diff --git a/bug37808688-efinet-Close-and-reopen-card-on-failure.patch b/bug37808688-efinet-Close-and-reopen-card-on-failure.patch new file mode 100644 index 0000000..2e5ef82 --- /dev/null +++ b/bug37808688-efinet-Close-and-reopen-card-on-failure.patch @@ -0,0 +1,191 @@ +From 4d2d00c8b9c2954a9a1f6bec57de8477366c7d42 Mon Sep 17 00:00:00 2001 +From: Alex Burmashev +Date: Thu, 17 Apr 2025 11:11:30 +0000 +Subject: [PATCH] efinet: Close and reopen card on failure + +There are some known bugs with network adapter firmware implementations, +that may lead to intermittent problem of network adapter link being down, despite network +being set up. +Ultimate fix of this issue should be done on firmware side, but as for now we try to close +and reopen network adapter and retransmit packet in case we see failures. + +Without this fix certain amount of PXE boots fails with inability to transmit packet, with this fix, +such failures are not seen. + +Orabug: 35126950 +Orabug: 37808688 +Signed-off-by: Alex Burmashev +--- + grub-core/net/drivers/efi/efinet.c | 149 ++++++++++++++++------------- + 1 file changed, 85 insertions(+), 64 deletions(-) + +diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c +index 4591d07..cb97a9e 100644 +--- a/grub-core/net/drivers/efi/efinet.c ++++ b/grub-core/net/drivers/efi/efinet.c +@@ -37,70 +37,6 @@ static grub_guid_t pxe_io_guid = GRUB_EFI_PXE_GUID; + static grub_guid_t ip4_config_guid = GRUB_EFI_IP4_CONFIG2_PROTOCOL_GUID; + static grub_guid_t ip6_config_guid = GRUB_EFI_IP6_CONFIG_PROTOCOL_GUID; + +-static grub_err_t +-send_card_buffer (struct grub_net_card *dev, +- struct grub_net_buff *pack) +-{ +- grub_efi_status_t st; +- grub_efi_simple_network_t *net = dev->efi_net; +- grub_uint64_t limit_time = grub_get_time_ms () + 4000; +- void *txbuf; +- +- if (net == NULL) +- return grub_error (GRUB_ERR_IO, +- N_("network protocol not available, can't send packet")); +- if (dev->txbusy) +- while (1) +- { +- txbuf = NULL; +- st = net->get_status (net, 0, &txbuf); +- if (st != GRUB_EFI_SUCCESS) +- return grub_error (GRUB_ERR_IO, +- N_("couldn't send network packet")); +- /* +- Some buggy firmware could return an arbitrary address instead of the +- txbuf address we trasmitted, so just check that txbuf is non NULL +- for success. This is ok because we open the SNP protocol in +- exclusive mode so we know we're the only ones transmitting on this +- box and since we only transmit one packet at a time we know our +- transmit was successfull. +- */ +- if (txbuf) +- { +- dev->txbusy = 0; +- break; +- } +- if (limit_time < grub_get_time_ms ()) +- return grub_error (GRUB_ERR_TIMEOUT, +- N_("couldn't send network packet")); +- } +- +- dev->last_pkt_size = (pack->tail - pack->data); +- if (dev->last_pkt_size > dev->mtu) +- dev->last_pkt_size = dev->mtu; +- +- grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size); +- +- st = net->transmit (net, 0, dev->last_pkt_size, +- dev->txbuf, NULL, NULL, NULL); +- if (st != GRUB_EFI_SUCCESS) +- return grub_error (GRUB_ERR_IO, N_("couldn't send network packet")); +- +- /* +- The card may have sent out the packet immediately - set txbusy +- to 0 in this case. +- Cases were observed where checking txbuf at the next call +- of send_card_buffer() is too late: 0 is returned in txbuf and +- we run in the GRUB_ERR_TIMEOUT case above. +- Perhaps a timeout in the FW has discarded the recycle buffer. +- */ +- txbuf = NULL; +- st = net->get_status (net, 0, &txbuf); +- dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf); +- +- return GRUB_ERR_NONE; +-} +- + static struct grub_net_buff * + get_card_packet (struct grub_net_card *dev) + { +@@ -228,6 +164,91 @@ close_card (struct grub_net_card *dev) + grub_efi_close_protocol (dev->efi_handle, &net_io_guid); + } + ++static grub_err_t ++send_card_buffer (struct grub_net_card *dev, ++ struct grub_net_buff *pack) ++{ ++ grub_efi_status_t st; ++ grub_efi_simple_network_t *net = dev->efi_net; ++ grub_uint64_t limit_time = grub_get_time_ms () + 4000; ++ void *txbuf; ++ grub_err_t ret; ++ int retry = 0; ++ ++ if (net == NULL) ++ return grub_error (GRUB_ERR_IO, ++ N_("network protocol not available, can't send packet")); ++ if (dev->txbusy) ++ while (1) ++ { ++ txbuf = NULL; ++ st = net->get_status (net, 0, &txbuf); ++ if (st != GRUB_EFI_SUCCESS) ++ return grub_error (GRUB_ERR_IO, ++ N_("couldn't send network packet")); ++ /* ++ Some buggy firmware could return an arbitrary address instead of the ++ txbuf address we trasmitted, so just check that txbuf is non NULL ++ for success. This is ok because we open the SNP protocol in ++ exclusive mode so we know we're the only ones transmitting on this ++ box and since we only transmit one packet at a time we know our ++ transmit was successfull. ++ */ ++ if (txbuf) ++ { ++ dev->txbusy = 0; ++ break; ++ } ++ if (limit_time < grub_get_time_ms ()) ++ { ++ if (!retry) ++ { ++ close_card (dev); ++ grub_millisleep (100); ++ ret = open_card (dev); ++ if (ret != GRUB_ERR_NONE) ++ return grub_error (GRUB_ERR_IO, ++ N_("couldn't open card")); ++ st = net->transmit (net, 0, dev->last_pkt_size, ++ dev->txbuf, NULL, NULL, NULL); ++ if (st != GRUB_EFI_SUCCESS) ++ return grub_error (GRUB_ERR_IO, ++ N_("couldn't send network packet")); ++ retry = 1; ++ grub_uint64_t limit_time = grub_get_time_ms () + 10000; ++ break; ++ } ++ return grub_error (GRUB_ERR_TIMEOUT, ++ N_("couldn't send network packet")); ++ } ++ } ++ ++ dev->last_pkt_size = (pack->tail - pack->data); ++ if (dev->last_pkt_size > dev->mtu) ++ dev->last_pkt_size = dev->mtu; ++ ++ grub_memcpy (dev->txbuf, pack->data, dev->last_pkt_size); ++ ++ st = net->transmit (net, 0, dev->last_pkt_size, ++ dev->txbuf, NULL, NULL, NULL); ++ if (st != GRUB_EFI_SUCCESS) ++ return grub_error (GRUB_ERR_IO, N_("couldn't send network packet")); ++ ++ /* ++ The card may have sent out the packet immediately - set txbusy ++ to 0 in this case. ++ Cases were observed where checking txbuf at the next call ++ of send_card_buffer() is too late: 0 is returned in txbuf and ++ we run in the GRUB_ERR_TIMEOUT case above. ++ Perhaps a timeout in the FW has discarded the recycle buffer. ++ */ ++ txbuf = NULL; ++ st = net->get_status (net, 0, &txbuf); ++ dev->txbusy = !(st == GRUB_EFI_SUCCESS && txbuf); ++ ++ return GRUB_ERR_NONE; ++} ++ + static struct grub_net_card_driver efidriver = + { + .name = "efinet", +-- +2.47.1 + diff --git a/gen_grub_cfgstub b/gen_grub_cfgstub old mode 100644 new mode 100755 diff --git a/grub.macros b/grub.macros index 685b897..dfc682a 100644 --- a/grub.macros +++ b/grub.macros @@ -304,6 +304,13 @@ Requires: grub2-common = %{evr} \ Requires: grub2-tools-minimal >= %{evr} \ Requires: grub2-tools = %{evr} \ Provides: grub2-efi = %{evr} \ +Provides: oracle(grub2-sig-key) = 202502 \ +%{expand:%%ifarch x86_64 \ +Conflicts: shim-x64 < 15.8-1.0.6 \ +%%endif} \ +%{expand:%%ifarch aarch64 \ +Conflicts: shim-aa64 < 15.8-1.0.6 \ +%%endif} \ %{?legacy_provides:Provides: grub2 = %{evr}} \ %{-o:Obsoletes: grub2-efi < %{evr}} \ \ @@ -401,7 +408,7 @@ install -m 644 %{1}.conf ${RPM_BUILD_ROOT}/etc/dnf/protected.d/ \ rm -f %{1}.conf \ %{nil} -%global grub_modules " all_video boot blscfg \\\ +%global grub_modules " all_video boot blscfg btrfs \\\ cat configfile cryptodisk \\\ echo ext2 f2fs fat font \\\ gcry_rijndael gcry_rsa gcry_serpent \\\ diff --git a/grub.patches b/grub.patches index f4a4658..87e6941 100644 --- a/grub.patches +++ b/grub.patches @@ -367,5 +367,7 @@ Patch0367: 0367-Use-medany-instead-of-large-model-for-RISCV.patch Patch0368: 0368-10_linux.in-escape-kernel-option-characters-properly.patch Patch0369: 0369-blscfg-check-if-variable-is-escaped-before-consideri.patch Patch0370: 0370-Set-correctly-the-memory-attributes-for-the-kernel-P.patch -Patch0371: 0371-script-execute-Don-t-let-trailing-blank-lines-determ.patch -Patch0372: 0372-normal-menu-Check-return-code-of-the-script-when-exe.patch +Patch0371: 0371-gettext-gettext-Unregister-gettext-command-on-module.patch +Patch1000: bug18504756-use-different-title-for-UEK.patch +Patch1001: bug26388226-update-redhat-references.patch +Patch1002: bug37808688-efinet-Close-and-reopen-card-on-failure.patch \ No newline at end of file diff --git a/grub2.spec b/grub2.spec index 2a67eab..5c56ec1 100644 --- a/grub2.spec +++ b/grub2.spec @@ -17,7 +17,7 @@ Name: grub2 Epoch: 1 Version: 2.12 -Release: 29%{?dist} +Release: 29.0.1%{?dist}.2 Summary: Bootloader with support for Linux, Multiboot and more License: GPL-3.0-or-later URL: http://www.gnu.org/software/grub/ @@ -36,25 +36,27 @@ Source10: 20-grub.install Source11: grub.patches Source12: sbat.csv.in Source13: gen_grub_cfgstub +Source14: oraclegrubcer.cer +Source15: securebootca.cer %include %{SOURCE1} %ifarch x86_64 aarch64 ppc64le -%define sb_ca %{_datadir}/pki/sb-certs/secureboot-ca-%{_arch}.cer -%define sb_cer %{_datadir}/pki/sb-certs/secureboot-grub2-%{_arch}.cer +%define sb_ca %{SOURCE15} +%define sb_cer %{SOURCE14} %endif %if 0%{?centos} %ifarch x86_64 aarch64 ppc64le -%define sb_key centossecureboot202 +%define sb_key OracleLinuxSecureBootKey1 %endif %else %ifarch x86_64 aarch64 -%define sb_key redhatsecureboot502 +%define sb_key OracleLinuxSecureBootKey1 %endif %ifarch ppc64le -%define sb_key redhatsecureboot702 +%define sb_key OracleLinuxSecureBootKey1 %endif %endif @@ -574,9 +576,51 @@ fi %endif %changelog -* Mon Sep 08 2025 Leo Sandoval 2.12-29 -- Fix the fallback mechanism when menu entries fail to boot -- Resolves: RHEL-113024 +* Mon Mar 16 2026 EL Errata - 2.12-29.0.1.el10_1.2 +- efinet: Close and reopen card on failure [Orabug: 37808688] +- Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761] +- Fix typo in SBAT metadata [Orabug: 37693946] +- Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946] +- Enable btrfs module [Orabug: 37412995] +- Restored shim related conflicts and provide. [Orabug: 37376920] +- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566] +- Support setting custom kernels as default kernels [Orabug: 36043978] +- Bump SBAT metadata for grub to 3 [Orabug: 34872719] +- Fix CVE-2022-3775 [Orabug: 34871953] +- Enable signing for aarch64 EFI +- Fix signing certificate names +- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986] +- Replaced bugzilla.oracle.com references [Orabug: 34202300] +- Update provided certificate version to 202204 [JIRA: OLDIS-16371] +- Various coverity fixes [JIRA: OLDIS-16371] +- bump SBAT generation +- Update bug url [Orabug: 34202300] +- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371] +- Update signing certificate [JIRA: OLDIS-16371] +- fix SBAT data [JIRA: OLDIS-16371] +- Update requires [JIRA: OLDIS-16371] +- Rebuild for SecureBoot signatures [Orabug: 33801813] +- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] +- Update Oracle SBAT data [Orabug: 32670033] +- Use new signing certificate [Orabug: 32670033] +- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] +- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] +- Update upstream references [Orabug: 26388226] +- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] +- Put "with" in menuentry instead of "using" [Orabug: 18504756] +- Use different titles for UEK and RHCK kernels [Orabug: 18504756] + +* Tue Mar 03 2026 Nicolas Frayer - 2.12-29.2 +- Try to get gating tests running via fmf/tmt +- Resolves: #RHEL-152849 + +* Thu Feb 19 2026 Therese Cornell - 2.12-29.1 +- Fixes CVE-2025-61662 Missing unregister call for gettext command may lead to use-after-free +- Resolves: #RHEL-141580 + +* Wed Oct 8 2025 Nicolas Frayer 2.12-29 +- spec: Update signing key to redhatsecureboot802 +- Resolves: #RHEL-116730 * Thu Aug 21 2025 Leo Sandoval 2.12-28 - Remove strong stack protector on target CFLAGS diff --git a/sbat.csv.in b/sbat.csv.in old mode 100755 new mode 100644 index a0c77de..9a1d304 --- a/sbat.csv.in +++ b/sbat.csv.in @@ -1,4 +1,5 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -grub,5,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ +grub,5,Free Software Foundation,grub,@@VERSION@@,https://www.gnu.org/software/grub/ grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com grub.centos,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com +grub.ol10,3,Oracle Linux,grub2,@@VERSION@@,mail:secalert_us@oracle.com \ No newline at end of file diff --git a/sources b/sources index cf7ec7d..7f46f3a 100644 --- a/sources +++ b/sources @@ -1,4 +1,6 @@ SHA512 (gnulib-9f48fb992a3d7e96610c4ce8be969cff2d61a01b.tar.gz) = 6887dede2d4a403422ea045329ee9bd7ca4c1561bcaf39e805e1d1ce8f4c050a65ce286e7d8362fb8e815b5fab0b405730a3f93194e343e2aedcf9b4411a285e SHA512 (grub-2.12.tar.xz) = 761c060a4c3da9c0e810b0ea967e3ebc66baa4ddd682a503ae3d30a83707626bccaf49359304a16b3a26fc4435fe6bea1ee90be910c84de3c2b5485a31a15be3 +SHA512 (oraclegrubcer.cer) = 45d6ba3ae6f640fe7c26836e697085b12b39b2aee41ae5c474f00aa68a40d7c0380206f81eab8fc784298e82f8a4d268c38eb3ae9e3c3e80dbabcfc3857c66f3 +SHA512 (securebootca.cer) = f8ef4b87e610b07ef53bcde253469b5316d9ba128357123246c64e4468c13f329d42187503908201d67168e61e5ce5e8a969935087b9bda38eee85d306561050 SHA512 (theme.tar.bz2) = 0f6f914d5f801509403094b28b8cfe5169cb56ae9bdd808ae21a6780a8236b434161a068351508dd78729c25ee2fed066c124c1eef9e15102750b409b4576a5c SHA512 (unifont-13.0.06.pcf.gz) = 25f1ea4e316cd77b65cf4f60aa10ed054db6df2195be7344216673dee6628ab055ebcdeea186996d931fd1e9e4f519f4a2e4b4544b8a9ad2fe410aadc4eecd2d