Format: 1.8
Date: Sat, 04 May 2024 23:29:52 +0100
Source: shim
Architecture: source
Version: 15.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
Changed-By: Steve McIntyre <93sam@debian.org>
Closes: 936009 1043485 1046268 1054210 1057606 1061519 1064220 1069054
Changes:
 shim (15.8-1) unstable; urgency=medium
 .
   [ Steve McIntyre ]
   * Cope with changes in pesign packaging. Closes: #1057606
   * New upstream release fixing more bugs. Closes: #1061519, #1064220
     + CVE-2023-40546 mok: fix LogError() invocation (Closes: #1054210)
     + CVE-2023-40547 - avoid incorrectly trusting HTTP headers
     + CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit
       system
     + CVE-2023-40549 Authenticode: verify that the signature header is in
       bounds.
     + CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
     + CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
   * Remove all our previous patches, no longer needed:
     + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
       upstream)
     + Enable-NX.patch (we don't want NX just yet until the whole boot
       stack is NX-capable)
     + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
       is 4)
   * Cherry-pick 2 new patches from upstream for grub revocations:
     + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
     + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
   * NOTE: Stop building for i386
     + Debian kernels are no longer signed for i386, it's time to stop
       supporting i386 SB.
   * Log if the build is nx-compatible or not
   * Force shim to use the latest revocations by default to block some
     older grub / peimage issues. This is:
     "shim,4\ngrub,4\ngrub.peimage,2\n"
   * Install a copy of the Debian CA certificate into /usr/share/shim.
     Closes: #1069054
   * Clean up better after build. Closes: #1046268
 .
   [ Bastien Roucariès ]
   * Port autopkgtest from ubuntu
   * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
     shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
   * Fix debian/watch and check signature (Closes: #1043485)