[ubuntu/kinetic-proposed] shim_15.7-0ubuntu1_amd64.tar.gz - (Accepted)

Julian Andres Klode juliank at ubuntu.com
Mon Jan 30 09:30:32 UTC 2023


shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

Date: Fri, 18 Nov 2022 16:00:39 +0100
Changed-By: Julian Andres Klode <juliank at ubuntu.com>
Maintainer: Launchpad Build Daemon <buildd at lcy02-amd64-053.buildd>

-------------- next part --------------
Format: 1.8
Date: Fri, 18 Nov 2022 16:00:39 +0100
Source: shim
Binary: shim shim-dbg
Built-For-Profiles: noudeb
Architecture: amd64
Version: 15.7-0ubuntu1
Distribution: kinetic
Urgency: medium
Maintainer: Launchpad Build Daemon <buildd at lcy02-amd64-053.buildd>
Changed-By: Julian Andres Klode <juliank at ubuntu.com>
Description:
 shim       - boot loader to chain-load signed boot loaders under Secure Boot
 shim-dbg   - boot loader to chain-load signed boot loaders under Secure Boot (
Launchpad-Bugs-Fixed: 1987541 1995852 1996503
Changes:
 shim (15.7-0ubuntu1) kinetic; urgency=medium
 .
   * New upstream version 15.7 (LP: #1996503), highlights:
     - Enable TDX measurements (LP: #1995852)
     - Flush the memory region from i-cache before execution (LP: #1987541)
     - Introspectable SBAT payload for TPM resealing efforts
     - Don't measure MokListTrusted to PCR7
     - SBAT level: shim,3
     - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
       SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
       Note that shim requirement was not bumped as shim,2 shims are not
       commonly available yet.
   * SECURITY FIX: Buffer overflow when loading crafted EFI images.
     - CVE-2022-28737
   * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
   * Import 20221103 Canonical vendor dbx.
     This vendor dbx revokes all certificates that have been used
     so far.
     - CN = Canonical Ltd. Secure Boot Signing
     - CN = Canonical Ltd. Secure Boot Signing (2017)
     - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
     - CN = Canonical Ltd. Secure Boot Signing (2019)
     - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
     - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
     - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
     - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
   * Build-Depend on libefivar-dev
   * debian/rules: Update COMMIT_ID
Original-Maintainer: Steve Langasek <vorlon at debian.org>

