[Bug 1996503] Re: shim 15.7-0ubuntu1

Thu Jun 22 23:31:43 UTC 2023

This bug was fixed in the package shim-signed - 1.37~18.04.13

---------------
shim-signed (1.37~18.04.13) bionic; urgency=medium

  [ dann frazier ]
  * Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
    (LP: #2004208)
  * is-not-revoked: Support vmlinux.gz files as used on arm64.
    (LP: #2004201)

shim-signed (1.37~18.04.12) bionic; urgency=medium

  * New upstream version 15.7 (LP: #1996503)
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
      - CVE-2022-28737
  * debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
  * Break fwupd-signed signed with old keys
  * Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
  * Install both previous and latest shim as alternatives. On secure boot
    systems, if the current kernel or any newer one is revoked, the previous
    shim will continue to be used until current kernel and all newer ones
    are signed with a non-revoked key.

 -- Julian Andres Klode <juliank at ubuntu.com>  Tue, 31 Jan 2023 12:57:37
+0100

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1996503

Title:
  shim 15.7-0ubuntu1

Status in shim package in Ubuntu:
  Fix Committed
Status in shim-signed package in Ubuntu:
  Fix Released
Status in shim source package in Bionic:
  Fix Released
Status in shim-signed source package in Bionic:
  Fix Released
Status in shim source package in Focal:
  Fix Released
Status in shim-signed source package in Focal:
  Fix Released
Status in shim source package in Jammy:
  Fix Released
Status in shim-signed source package in Jammy:
  Fix Released
Status in shim source package in Kinetic:
  Fix Released
Status in shim-signed source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  New upstream release; shim security update CVE-2022-28737

  [Test plan]
  https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

  [Where problems could occur]
  Machines could become unbootable due to bugs as usual.

  Key rotations that require newer kernels can't enforce newer kernels
  being on the system prior to updates resulting in unbootable systems
  if kernels are not available.

  Requires the grub2-unsigned >= 2.04-1ubuntu47.4, >= 2.06-2ubuntu10 to be
  published to security and on each machine first too. Maybe should add Breaks to those (though you can set 'latest' policy and it would require upcoming grub uploads, so not _entirely_ useful).

  Also breaks fwupd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1996503/+subscriptions