[El-errata] ELSA-2025-16154 Moderate: Oracle Linux 10 grub2 security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Thu Sep 18 18:51:05 UTC 2025


Oracle Linux Security Advisory ELSA-2025-16154

http://linux.oracle.com/errata/ELSA-2025-16154.html

The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:

x86_64:
grub2-common-2.12-15.0.1.el10_0.noarch.rpm
grub2-efi-aa64-modules-2.12-15.0.1.el10_0.noarch.rpm
grub2-efi-x64-2.12-15.0.1.el10_0.x86_64.rpm
grub2-efi-x64-cdboot-2.12-15.0.1.el10_0.x86_64.rpm
grub2-efi-x64-modules-2.12-15.0.1.el10_0.noarch.rpm
grub2-pc-2.12-15.0.1.el10_0.x86_64.rpm
grub2-pc-modules-2.12-15.0.1.el10_0.noarch.rpm
grub2-tools-2.12-15.0.1.el10_0.x86_64.rpm
grub2-tools-efi-2.12-15.0.1.el10_0.x86_64.rpm
grub2-tools-extra-2.12-15.0.1.el10_0.x86_64.rpm
grub2-tools-minimal-2.12-15.0.1.el10_0.x86_64.rpm

aarch64:
grub2-common-2.12-15.0.1.el10_0.noarch.rpm
grub2-efi-aa64-2.12-15.0.1.el10_0.aarch64.rpm
grub2-efi-aa64-cdboot-2.12-15.0.1.el10_0.aarch64.rpm
grub2-efi-aa64-modules-2.12-15.0.1.el10_0.noarch.rpm
grub2-efi-x64-modules-2.12-15.0.1.el10_0.noarch.rpm
grub2-tools-2.12-15.0.1.el10_0.aarch64.rpm
grub2-tools-extra-2.12-15.0.1.el10_0.aarch64.rpm
grub2-tools-minimal-2.12-15.0.1.el10_0.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/grub2-2.12-15.0.1.el10_0.src.rpm

Related CVEs:

CVE-2024-45776
CVE-2024-45781
CVE-2025-0622
CVE-2025-0677
CVE-2025-1118




Description of changes:

[2.12-15.0.1]
- efinet: Close and reopen card on failure [Orabug: 37808688]
- Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761]
- Fix typo in SBAT metadata [Orabug: 37693946]
- Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946]
- Enable btrfs module [Orabug: 37412995]
- Restored shim related conflicts and provide. [Orabug: 37376920]
- Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566]
- Support setting custom kernels as default kernels [Orabug: 36043978]
- Bump SBAT metadata for grub to 3 [Orabug: 34872719]
- Fix CVE-2022-3775 [Orabug: 34871953]
- Enable signing for aarch64 EFI
- Fix signing certificate names
- Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986]
- Replaced bugzilla.oracle.com references [Orabug: 34202300]
- Update provided certificate version to 202204 [JIRA: OLDIS-16371]
- Various coverity fixes [JIRA: OLDIS-16371]
- bump SBAT generation
- Update bug url [Orabug: 34202300]
- Revert provided certificate version back to 202102 [JIRA: OLDIS-16371]
- Update signing certificate [JIRA: OLDIS-16371]
- fix SBAT data [JIRA: OLDIS-16371]
- Update requires [JIRA: OLDIS-16371]
- Rebuild for SecureBoot signatures [Orabug: 33801813]
- Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033]
- Update Oracle SBAT data [Orabug: 32670033]
- Use new signing certificate [Orabug: 32670033]
- honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497]
- set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597]
- Update upstream references [Orabug: 26388226]
- Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955]
- Put "with" in menuentry instead of "using" [Orabug: 18504756]
- Use different titles for UEK and RHCK kernels [Orabug: 18504756]

[2.12-15]
- 99-grub-mkconfig.install: Disable BLS and run grub2-mkconfig when GRUB_ENABLE_BLSCFG is disable
- Resolves: #RHEL-86261




More information about the El-errata mailing list