Changelog
shim (15.8-1) unstable; urgency=medium
[ Steve McIntyre ]
* Cope with changes in pesign packaging. Closes: #1057606
* New upstream release fixing more bugs. Closes: #1061519, #1064220
+ CVE-2023-40546 mok: fix LogError() invocation (Closes: #1054210)
+ CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+ CVE-2023-40548 Fix integer overflow on SBAT section size on
32-bit system
+ CVE-2023-40549 Authenticode: verify that the signature header is
in bounds.
+ CVE-2023-40550 pe: Fix an out-of-bound read in
verify_buffer_sbat()
+ CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Remove all our previous patches, no longer needed:
+ Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
upstream)
+ Enable-NX.patch (we don't want NX just yet until the whole boot
stack is NX-capable)
+ block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
is 4)
* Cherry-pick 2 new patches from upstream for grub revocations:
+ 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
+ 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
* NOTE: Stop building for i386
+ Debian kernels are no longer signed for i386, it's time to stop
supporting i386 SB.
* Log if the build is nx-compatible or not
* Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:
"shim,4\ngrub,4\ngrub.peimage,2\n"
* Install a copy of the Debian CA certificate into /usr/share/shim.
Closes: #1069054
* Clean up better after build. Closes: #1046268
[ Bastien Roucariès ]
* Port autopkgtest from ubuntu
* Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
* Fix debian/watch and check signature (Closes: #1043485)
-- Steve McIntyre <email address hidden> Sat, 04 May 2024 23:29:52 +0100