-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 14 Feb 2024 07:35:13 -0700 Source: edk2 Architecture: source Version: 2023.11-7 Distribution: unstable Urgency: medium Maintainer: Debian QEMU Team <pkg-qemu-devel@lists.alioth.debian.org> Changed-By: dann frazier <dannf@debian.org> Closes: 1023491 Changes: edk2 (2023.11-7) unstable; urgency=medium . * ovmf, qemu-efi-*: Stop building Secure Boot code into non-secboot images so they can include a built-in shell which is unsafe in Secure Boot mode. * ovmf-ia32: Add non-secboot image. Thanks to Lionel Debroux. (Closes: #1023491). * debian/tests/shell.py: Add tests for ovmf-ia32 non-secboot image. * qemu-efi-aarch64: Add non-secboot variant. AAVMF_CODE.fd is the secboot variant, so name it AAVMF_CODE.no-secboot.fd. * qemu-efi-aarch64: Rename the secboot variant, AAVMF_CODE.fd, to AAVMF_CODE.secboot.fd and add a compat symlink. * ovmf, ovmf-ia32, qemu-efi-aarch64: Stop including a built-in shell in secboot variants, CVE-2023-48733. Thanks to Mate Kukri. LP: #2040137. - d/tests: Drop the boot-to-shell tests for images w/ Secure Boot. - d/tests: Update run_cmd_check_secure_boot() to not expect shell interaction. Checksums-Sha1: a810f66c304dd9e35b04b122eb8ec6b32f4bc2e0 3053 edk2_2023.11-7.dsc eba6d0bd0ac681707670c4a6c8e2f44482e05d0a 79788 edk2_2023.11-7.debian.tar.xz 028077bd5aa9b2dafbee5b94459681635ce3feed 12018 edk2_2023.11-7_source.buildinfo Checksums-Sha256: 86e4d80f382b0e9a7ce11636a379dc8d4844828b5b931dac2295a1969b43c9fb 3053 edk2_2023.11-7.dsc b91506d057612f3ef66e22da087cfa56d0a51aa6a2efc07e04be40999ef61845 79788 edk2_2023.11-7.debian.tar.xz b4e32648af5261a923877b94f69b28ecff5459d40f775f9aa1fe93ed4ceebcc8 12018 edk2_2023.11-7_source.buildinfo Files: a941b895c6af24dec3b684df59972343 3053 misc optional edk2_2023.11-7.dsc c82e713443e1a3c4eca49a89141a2da8 79788 misc optional edk2_2023.11-7.debian.tar.xz c5c43c71232912a6ad1bf43b4376a56e 12018 misc optional edk2_2023.11-7_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJFBAEBCgAvFiEECfR9vy0y7twkQ+vuG/g8XlT8hkAFAmXM0ikRHGRhbm5mQGRl Ymlhbi5vcmcACgkQG/g8XlT8hkAUaQ//S7APF8nqZVv8Q5C1KZwIrO8Xq3KP893l 7NjymqJZ6euIdKaXha0a16GST49MkRPnR3WFg2z1JgRf44qBGYz7MS3+D9ZxAGtX tG1QJrkk9CNbcdxvGTXneCvAU+qI7bXFqhJellQK2OFKB4Hu+SJqCeI7Hd8oyzxo pnc98SoooEdEc4Wyi8WrwQ7IyxdG9Y/KbDNVRoaohM292pFEAv61fXAi87B788VS Xfb/NbFrXZaKs/j3wsKs8tNLlncBtGNAXgPqfZlMCvpwQTY0VW+wOUniYm+BGdKI FLKstD5O4dtBpXpz2rlaSVZ4MY65CPJKNxm8k7T6q+frQWPCTr1wkgYdok7jHfDU ExPk4oJp4R35M/4HVy5mSrLVRsjPQ2w5xQu4yBp2oBXMPu5Tb29Gs9ITwBitLnP/ IUhWVZeM2WBpIm0pKVvbbPNGQN/u5h/OjmkrpU+sXsYvDbiSt7qd25ceoRPTQpAT 1lr+CBqOT6ixqJHw0w0AF7twwElp9Q6xVIcgQjBVD4spbx5LIwhk2OknQcTwJa8Y jma1Wp2uN++eDccWUgzcik1NGI87Z0sHvCpH0uiZPH13S9Fv2QEggvLLxEnR5b07 sRkW8WkLWevm7k3hsQZixueEr7OCVbDCv+rnmC3Xhv7KDHa3InBD7esg3ND/pKt9 dVjUtFxr41U= =nAT+ -----END PGP SIGNATURE-----