[00:37] <blahdeblah> Ah, looks like the source of the confusion is a bug in cvescan: https://github.com/canonical/sec-cvescan/issues/81
[00:37] <ubottu> Issue 81 in canonical/sec-cvescan "grub related packages reported as vulnerable without a means to fix" [Open]