A grub2 bug fix and enhancement update has been released for Oracle Linux 9.

ELBA-2023-1699 Oracle Linux 9 grub2 bug fix and enhancement update

Oracle Linux Bug Fix Advisory ELBA-2023-1699

http://linux.oracle.com/errata/ELBA-2023-1699.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
grub2-common-2.06-46.0.4.el9_1.5.noarch.rpm
grub2-efi-aa64-modules-2.06-46.0.4.el9_1.5.noarch.rpm
grub2-efi-x64-2.06-46.0.4.el9_1.5.x86_64.rpm
grub2-efi-x64-cdboot-2.06-46.0.4.el9_1.5.x86_64.rpm
grub2-efi-x64-modules-2.06-46.0.4.el9_1.5.noarch.rpm
grub2-pc-2.06-46.0.4.el9_1.5.x86_64.rpm
grub2-pc-modules-2.06-46.0.4.el9_1.5.noarch.rpm
grub2-tools-2.06-46.0.4.el9_1.5.x86_64.rpm
grub2-tools-efi-2.06-46.0.4.el9_1.5.x86_64.rpm
grub2-tools-extra-2.06-46.0.4.el9_1.5.x86_64.rpm
grub2-tools-minimal-2.06-46.0.4.el9_1.5.x86_64.rpm

aarch64:
grub2-common-2.06-46.0.4.el9_1.5.noarch.rpm
grub2-efi-aa64-2.06-46.0.4.el9_1.5.aarch64.rpm
grub2-efi-aa64-cdboot-2.06-46.0.4.el9_1.5.aarch64.rpm
grub2-efi-aa64-modules-2.06-46.0.4.el9_1.5.noarch.rpm
grub2-efi-x64-modules-2.06-46.0.4.el9_1.5.noarch.rpm
grub2-tools-2.06-46.0.4.el9_1.5.aarch64.rpm
grub2-tools-extra-2.06-46.0.4.el9_1.5.aarch64.rpm
grub2-tools-minimal-2.06-46.0.4.el9_1.5.aarch64.rpm

SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates//grub2-2.06-46.0.4.el9_1.5.src.rpm

Description of changes:

[2.06-46.0.4.5]
- Bump SBAT metadata for grub to 3 [Orabug: 34872719]
- Fix CVE-2022-3775 [Orabug: 34871953]
- Enable signing for aarch64 EFI
- Fix signing certificate names
- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986]
- Replaced bugzilla.oracle.com references [Orabug: 34202300]
- Update provided certificate version to 202204 [JIRA: OLDIS-16371]
- Various coverity fixes [JIRA: OLDIS-16371]
- bump SBAT generation
- Update bug url [Orabug: 34202300]
- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371]
- Update signing certificate [JIRA: OLDIS-16371]
- fix SBAT data [JIRA: OLDIS-16371]
- Update requires [JIRA: OLDIS-16371]
- Rebuild for SecureBoot signatures [Orabug: 33801813]
- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033]
- Update Oracle SBAT data [Orabug: 32670033]
- Use new signing certificate [Orabug: 32670033]
- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497]
- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597]
- Update upstream references [Orabug: 26388226]
- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955]
- Put "with" in menuentry instead of "using" [Orabug: 18504756]
- Use different titles for UEK and RHCK kernels [Orabug: 18504756]

[2.06-46.el9_1.5]
- Sync (actually 2.06-61)
- Resolves: #2181506

[2.06-46.el9_1.4]
- Sync with 9.2 (actually 2.06-58)
- Resolves: #2156419

[2.06-46.el9_1.3]
- Give up on redhat-sb-certs
- Resolves: CVE-2022-2601

[2.06-46.el9_1.2]
- CVE update (actually 2.06-49)
- Resolves: CVE-2022-2601

[2.06-46]
- Sync /etc/kernel/cmdline generation with 2.06-52.fc38
- Resolves: #1969362

[2.06-45]
- ieee1275: implement vec5 for cas negotiation
- Resolves: #2121192

[2.06-44]
- Skip rpm mtime verification on likely-vfat filesystems
- Resolves: #2047979

[2.06-43]
- Generate BLS snippets during mkconfig
- Resolves: #1969362

[2.06-42]
- Rest of kernel allocator fixups
- Resolves: #2108456

[2.06-41]
- Kernel allocator fixups
- Resolves: #2108456

[2.06-40]
- Rebuild against new ppc64le key
- Resolves: #2074761

[2.06-38]
- Bless the TPM module on ppc64le
- Resolves: #2051314

[2.06-37]
- CVE fixes for 2022-06-07
- CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733
- CVE-2021-3697 CVE-2021-3696 CVE-2021-3695
- Resolves: #2070688

[2.06-32]
- ppc64le: make ofdisk_retries optional
- Resolves: #2070725

[2.06-30]
- ppc64le: CAS improvements, prefix detection, and vTPM support
- Resolves: #2068281
- Resolves: #2051314
- Resolves: #2076798

[2.06-29]
- Fix rpm verification report on grub.cfg permissions
- Resolves: #2076322

[2.06-28]
- First 9.1 build; no changes from 9.0
- Resolves: #2062874

[2.06-27]
- Fix initialization on efidisk patch

[2.06-26]
- Re-run signing with updated redhat-release

[2.06-25]
- Enable connectefi module
- Resolves: #2049219

[2.06-24]
- Add efidisk/connectefi patches
- Resolves: #2049219
- Resolves: #2049220

[2.06-23]
- Re-arm GRUB_ENABLE_BLSCFG=false
- Resolves: #2018331

[2.06-22]
- Stop building unsupported 32-bit UEFI stuff
- Resolves: #2038401

[2.06-21]
- Require Secure Boot certs based on architecture
- Resolves: #2049214

[2.06-20]
- Conditionalize Secure Boot settings per architecture
- Resolves: #2049214

[2.06-19]
- Attempt to fix ppc64le signing bugs in previous change
- Resolves: #2049214

[2.06-18]
- Switch to single-signing and use certs from package (bstinson)
- Resolves: #2049214

[2.06-17]
- CVE-2021-3981 (Incorrect read permission in grub.cfg)
- Resolves: rhbz#2030724

[2.06-16]
- Stop having this problem and just copy over the beta tree
- Resolves: rhbz#2006784

* Mon Oct 25 2021 Robbie Harwood [rharwood@redhat.com]
- powerpc-ieee1275: load grub at 4MB, not 2MB
Related: rhbz#1873860

* Tue Oct 12 2021 Robbie Harwood [rharwood@redhat.com]
- Print out module name on license check failure
Related: rhbz#1873860

* Thu Oct 07 2021 pjones [pjones@redhat.com]
- Hopefully make "grub2-mkimage --appended-signature-size=" actually work.
Related: rhbz#1873860

[2.06-8]
- Attempt once more to fix signatures on ppc64le
Related: rhbz#1873860

[2.06-7]
- Fix signatures on ppc64le
Related: rhbz#1951104

[2.06-6]
- Fix booting with XFSv4 partitions
Resolves: rhbz#2006993

[2.06-5]
- Rebuild for correct signatures once more.
Resolves: rhbz#1976771

[2.06-4]
- Rebuild for correct signatures
Resolves: rhbz#1976771

[2.06-3]
- Rebuild for gating + rpminspect
Resolves: rhbz#1976771

[2.06-2]
- Rebuild because our CI infrastructure doesn't work right
Resolves: rhbz#1976771

[2.06-1]
- Update to 2.06 final release and ton of fixes
Resolves: rhbz#1976771

[2.06~rc1-9]
- Fix kernel cmdline params getting overwritten on ppc64le
Resolves: rhbz#1973564

[2.06~rc1-8]
- Add XFS needsrepair support
Resolves: rhbz#1940165

[2.06~rc1-7]
- Find and claim more memory for ieee1275 (dja)
Resolves: rhbz#1873860

[2.06~rc1-6]
- Add XFS bigtime support (cmaiolino)
Resolves: rhbz#1940165

[2.06~rc1-5]
- Use RHEL distro SBAT data also for CentOS Stream
Related: rhbz#1947696