package: grub2 maintainers: nfrayer, lsandova, pjones
The embargo on 21 security vulnerabilities in the GRUB bootloader [1] was lifted on 18 February, and since F40 is still being maintained, the most robust way to address these is to backport the entire rebased GRUB 2.12 to F40. This 2.12 version is already in F41 and rawhide, so it is being tested by users, and is functioning well.
While it could be possible to backport the 60+ CVE patches, as well as other upstream patches that would be necessary for compatibility, it would be necessary to first revert other patches that have already been applied to the current stable F40 GRUB, apply all of the CVE patches, then reapply the reverted patches. The result would be a lot of work that could easily result in mistakes, new issues, etc.
The cleanest approach is to backport the rebased GRUB, so as to have the same version of the bootloader in all currently maintained Fedora releases. The change for users should be negligible. Aside from CVE fixes, support for newer versions of GCC, clang, binutils, TPM driver fixes, improved debugging support and more will also be brought in.
[1] https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
Hmm, I see grub2-2.12-9.fc40 and a bunch of earlier builds of 2.12 for f40. But grub2-2.06-123.fc40 is the stable version, and nothing is in updates-testing. This seems to go against the explicit rule that koji is not a playground and non-scratch builds must not be done unless they are realistically expected to be used for updates.
Are there any incompatible changes between 2.06 and 2.12? (I couldn't find any changelog…)
I wouldn't characterize those builds as using koji like a playground. Nicolas did one build in the autumn when updating GRUB in other Fedora releases, which failed because of problems with the builder. Peter initiated the build again after fixing the issue to make sure the fix was correct.
There are no incompatible changes that we're aware of. As I mentioned, 2.12 is the stable version in F41, F42, rawhide.
changelog: https://koji.fedoraproject.org/koji/buildinfo?buildID=2587947
The rule is that builds should not be done if they are not submitted as updates. Those builds passed, so they could have been submitted.
+1 to the rebase
+1
This is quite similar to exceptions that we've granted for Golang updates in "oldstable" branches, so I'm fine with this too, assuming the changes go through enough testing before being pushed to "stable" in Fedora 40 (for example, high karma thresholds in bodhi, or 14+ days required in "testing").
Metadata Update from @decathorpe: - Issue tagged with: updates policy exception
+1 here
Since this is for a CVE, I'll set FastTrack here too.
Metadata Update from @zbyszek: - Issue tagged with: fast track
Metadata Update from @humaton: - Issue close_status updated to: Accepted - Issue status updated to: Closed (was: Open)
This is now approved following the FastTrack procedure: APPROVED (+7, 0, 0)
thank you :)