Might just add grub2-unsigned/signed entries to the CVE tracker and mark them as not affected? I think porting a new zstd to grub may be a significant effort, and it's not worth it to work around third-party tools.
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2077201

Title:
  grub2 vendors libzstd 1.3.6 which has some CVEs
