Thank you for your contribution to Debian.
Accepted:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 04 May 2024 23:29:52 +0100
Source: shim
Architecture: source
Version: 15.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 936009 1043485 1046268 1054210 1057606 1061519 1064220 1069054
Changes:
shim (15.8-1) unstable; urgency=medium
.
[ Steve McIntyre ]
* Cope with changes in pesign packaging. Closes: #1057606
* New upstream release fixing more bugs. Closes: #1061519, #1064220
+ CVE-2023-40546 mok: fix LogError() invocation (Closes: #1054210)
+ CVE-2023-40547 - avoid incorrectly trusting HTTP headers
+ CVE-2023-40548 Fix integer overflow on SBAT section size on
32-bit system
+ CVE-2023-40549 Authenticode: verify that the signature header is
in bounds.
+ CVE-2023-40550 pe: Fix an out-of-bound read in
verify_buffer_sbat()
+ CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
* Remove all our previous patches, no longer needed:
+ Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
upstream)
+ Enable-NX.patch (we don't want NX just yet until the whole boot
stack is NX-capable)
+ block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
is 4)
* Cherry-pick 2 new patches from upstream for grub revocations:
+ 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
+ 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
* NOTE: Stop building for i386
+ Debian kernels are no longer signed for i386, it's time to stop
supporting i386 SB.
* Log if the build is nx-compatible or not
* Force shim to use the latest revocations by default to block some
older grub / peimage issues. This is:
"shim,4\ngrub,4\ngrub.peimage,2\n"
* Install a copy of the Debian CA certificate into /usr/share/shim.
Closes: #1069054
* Clean up better after build. Closes: #1046268
.
[ Bastien Roucariès ]
* Port autopkgtest from ubuntu
* Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
* Fix debian/watch and check signature (Closes: #1043485)
Checksums-Sha1:
8a2d725f65087e1a6c7f012c4c70666666fef4f3 2490 shim_15.8-1.dsc
cdec924ca437a4509dcb178396996ddf92c11183 2315201 shim_15.8.orig.tar.bz2
5b62d9edbaad7ece7546868dfd6e6e5be42de236 59308 shim_15.8-1.debian.tar.xz
062041702d5cdb3828fb0e3bdecf6515fa1a7062 7121 shim_15.8-1_source.buildinfo
Checksums-Sha256:
65ca82c131a66362a0bb222497eebbca5d64ba9efd44738d7889eb0500b5e4fa 2490 shim_15.8-1.dsc
a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 2315201 shim_15.8.orig.tar.bz2
fad222c56f31a20b65753f16c66e270082295a2cccf2909686a980f19be665de 59308 shim_15.8-1.debian.tar.xz
647867dea6c5dc9d7d5d59fa70629f322379593675a7ccc3667d2dc2f1024b03 7121 shim_15.8-1_source.buildinfo
Files:
96fd60cb002486370c4176382044041e 2490 admin optional shim_15.8-1.dsc
a9452c2e6fafe4e1b87ab2e1cac9ec00 2315201 admin optional shim_15.8.orig.tar.bz2
4689fb8317f8a9a5ca53107743d67a27 59308 admin optional shim_15.8-1.debian.tar.xz
66bbd0b3ac2a98555d32f3f47ca1fb7e 7121 admin optional shim_15.8-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCAAvFiEEzrtSMB1hfpEDkP4WWHl5VzRCaE4FAmY40QURHDkzc2FtQGRl
Ymlhbi5vcmcACgkQWHl5VzRCaE6F5Q/9F2uB+m9hTJDk2PIn5LAn8b39vBzYkoju
lirfsA/FJzygJR+qJQG70nrPe+TutO8BFPdo+yhfc2G9RdLd3CXsslkl6QdNpTau
LUc4FRMzHsis3Wn/7BO8WZPzPBf+2N/NUucIe02h+6gabpiXqpwt5EZf6WTGUC8D
LOinr/l3iDDoymjogTBvp0PMEph0luqE95deOeXmJ6CbLQ2Ozzi40g47E4uUQ4ao
jGD6yPk3PulHdaW8oXbab14e94akfrXUe0P26Y8oUUji+6mRtfckNWjhY78udMwD
Cxy8gTULqPdDfjjGleVDppD+C2+pGTNs3tCPr1PdM9XOjlm0bGHzDNSkeOc39eA9
CZvOvXmQ/V9qG8puj5U1Bh+S5dPjP//gKpKnnowAc/fgMaWjP+Li/hW7TTvnilxi
vMhQ6XizySj3DDEkCvGK1uH2Z75ryTsAbT3WmL9KubxKrWDGImMJKYs7soePGwPL
VDFaPqEBKhAwlXO3nBDJWqSOP/QoQmAxZ6x0P7z4nLcnKK2KS9eWuFt9cBawuPYE
XwDIcAFoLXyFuZGlQFinBElvdIYbreS7LGm9zKkBQDWpmu01HcT0WAlhd6fNVMOk
CnT5Pg1KTUtSmyauYoc4CmcBmipH2fKCdJIFVtAaeU8qVcIV77RS46y2XnhGVst8
aJ4tOJYtaAk=
=+QSm
-----END PGP SIGNATURE-----
Attachment:
pgp15YDOBMyY4.pgp
Description: PGP signature