PVE CVE-2024-45774

[yzl1001]

Dears,

I got an vulnerability notification from Qualys, it's about CVE-2024-45774, it's request to upgrade grub2-common 2.06-13+deb12u2, but the version is grub2-common 2.06-13+pmx7 on PVE. I find the Security Advisories on https://forum.proxmox.com/threads/proxmox-virtual-environment-security-advisories.149331/, it's It only mentions grub-common, no grub2-common, so I'm not sure if it's false positive now

 

[fiona]

Hi,
the advisory does not mention grub-common either, it mentions the main packages:
grub-pc-bin, grub-efi-amd64-bin, grub-efi-amd64-signed, grub-efi-amd64-unsigned

Both grub-common and grub2-common are part of the same grub2 source package and the issues were fixed there, if you look at the changelog apt changelog grub-common and apt changelog grub2-common, you will notice it's the same changelog (from the grub2 source package).