shim (15.8-1)
COMMITS: VCS has seen 3 commits since the debian/15.8-1 tag
- Git: https://salsa.debian.org/efi-team/shim.git
- Branch: master
- Path: debian/changelog
- Repo size: 2437120
- Browser: https://salsa.debian.org/efi-team/shim
- Last scan: 2024-11-11 13:28:04+00
- Next scan: 2024-11-20 08:02:00+00
- Merge requests: 1
- CI pipeline status: failed
- Debian changelog in Git:
shim (15.8-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Cope with changes in pesign packaging. Closes: #1057606
  * New upstream release fixing more bugs. Closes: #1061519, #1064220
    + CVE-2023-40546 mok: fix LogError() invocation (Closes: #1054210)
    + CVE-2023-40547 - avoid incorrectly trusting HTTP headers
    + CVE-2023-40548 Fix integer overflow on SBAT section size on
      32-bit system
    + CVE-2023-40549 Authenticode: verify that the signature header is
      in bounds.
    + CVE-2023-40550 pe: Fix an out-of-bound read in
      verify_buffer_sbat()
    + CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
  * Remove all our previous patches, no longer needed:
    + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
      upstream)
    + Enable-NX.patch (we don't want NX just yet until the whole boot
      stack is NX-capable)
    + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
      is 4)
  * Cherry-pick 2 new patches from upstream for grub revocations:
    + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
    + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
  * NOTE: Stop building for i386
    + Debian kernels are no longer signed for i386, it's time to stop
      supporting i386 SB.
  * Log if the build is nx-compatible or not
  * Force shim to use the latest revocations by default to block some
    older grub / peimage issues. This is:
    "shim,4\ngrub,4\ngrub.peimage,2\n"
  * Install a copy of the Debian CA certificate into /usr/share/shim.
    Closes: #1069054
  * Clean up better after build. Closes: #1046268

  [ Bastien Roucariès ]
  * Port autopkgtest from ubuntu
  * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
    shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
  * Fix debian/watch and check signature (Closes: #1043485)

 -- Steve McIntyre <93sam@debian.org>  Sat, 04 May 2024 23:29:52 +0100
- This branch is 3 commits ahead of tag debian/15.8-1
- Git log:
commit 5757ae8a5b8f58817b1c6906f39bbd339b0e2aba
Merge: 35d8c4a 57b6c43
Author: Steve McIntyre <93sam@debian.org>
Date:   Sun May 26 21:26:55 2024 +0000

    Merge branch 'remove-ubuntu-files' into 'master'

    Remove Ubuntu CA and dbx files from the repository

    See merge request efi-team/shim!16

commit 57b6c43301b1943197eef3d816639277869231d7
Author: Mate Kukri <mate.kukri@canonical.com>
Date:   Sun May 26 21:26:55 2024 +0000

    Remove Ubuntu CA and dbx files from the repository

commit 35d8c4ab76290f6e0402f2d5c2b0ae8cc6f807a7
Author: Steve McIntyre <steve@einval.com>
Date:   Sun May 5 21:26:43 2024 +0100

    salsa-ci config: Disable i386 builds and arm64 cross-builds