diff --git a/debian/changelog b/debian/changelog
index 88d6eccf..52558c20 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+livecd-rootfs (2.680) UNRELEASED; urgency=medium
+
+ [ Cody Shepherd ]
+ * Add dist-upgrade to bootable-buildd hook to ensure the built image
+ doesn't contain vulnerable kernels or other packages.
+ * Don't explicitly install grub-efi-amd64-signed, it's a dependency of
+ shim-signed.
+
+ -- Steve Langasek Tue, 04 Aug 2020 12:29:00 -0700
+
 livecd-rootfs (2.679) groovy; urgency=medium

 * Handle seeded lxd snap with channel name for ubuntu-cpc:minimized
diff --git a/live-build/buildd/hooks/02-disk-image-uefi.binary b/live-build/buildd/hooks/02-disk-image-uefi.binary
index 75d93aa5..18f74bae 100755
--- a/live-build/buildd/hooks/02-disk-image-uefi.binary
+++ b/live-build/buildd/hooks/02-disk-image-uefi.binary
@@ -84,8 +84,7 @@ install_grub() {
 efi_target=arm-efi
 ;;
 amd64)
- chroot mountpoint apt-get install -qqy grub-pc
- chroot mountpoint apt-get install -qqy grub-efi-amd64-signed shim-signed
+ chroot mountpoint apt-get install -qqy grub-pc shim-signed
 efi_target=x86_64-efi
 ;;
 esac
diff --git a/live-build/buildd/hooks/52-linux-virtual-image.binary b/live-build/buildd/hooks/52-linux-virtual-image.binary
index a0c64d75..d8efab84 100755
--- a/live-build/buildd/hooks/52-linux-virtual-image.binary
+++ b/live-build/buildd/hooks/52-linux-virtual-image.binary
@@ -39,6 +39,9 @@ trap cleanup_linux_virtual EXIT
 # Install dependencies
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
 update --assume-yes
+# Perform a dist-upgrade to pull in package updates
+env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
+ dist-upgrade --assume-yes
 env DEBIAN_FRONTEND=noninteractive chroot "$mount_d" apt-get \
 install -y lsb-release locales initramfs-tools busybox-initramfs \
 udev dbus netplan.io cloud-init openssh-server sudo snapd
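Review bot: In the amd64 branch of install_grub(), the signed GRUB EFI binary now arrives only as a dependency of shim-signed, and nothing in the code records or checks that. The reason is given only in the changelog, so I would add `# grub-efi-amd64-signed is pulled in as a dependency of shim-signed` above the install line. If the later grub-install step needs the signed binary (it is outside this hunk), a check such as `chroot mountpoint dpkg -s grub-efi-amd64-signed >/dev/null` would make a changed dependency fail the build instead of producing an image that may not boot under Secure Boot. install_grub() starts and ends outside the hunk.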
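Review bot: Nothing in this hunk shows that a failed `dist-upgrade` stops the build, and the new comment says only "pull in package updates" although this step is the security fix. If the script does not run under `set -e` (its header is outside the hunk), a mirror or dpkg error would leave the old, vulnerable packages in the image with no signal; confirm that, or end the call with `|| exit 1`. I would word the comment after the intent, e.g. `# dist-upgrade so the image does not ship packages with pending security updates`. The upgrade reaches only what the chroot's apt sources offer, so it is worth confirming that the security pocket is enabled at this point in the build.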