grub2 before 1.97.1 password check does not work (see e.g. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555195). We have only masked versions of grub2, so we probably don't need a GLSA, but anyway, it should be bumped.
That's correct.
now in the tree
*** Bug 295536 has been marked as a duplicate of this bug. ***