[Bug 1996503] Re: shim 15.7-0ubuntu1

Launchpad Bug Tracker 1996503 at bugs.launchpad.net
Fri Mar 3 04:54:53 UTC 2023 

This bug was fixed in the package shim - 15.7-0ubuntu1

---------------
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <juliank at ubuntu.com>  Fri, 18 Nov 2022 16:00:39
+0100

** Changed in: shim (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1996503

Title:
  shim 15.7-0ubuntu1

Status in shim package in Ubuntu:
  Fix Released
Status in shim-signed package in Ubuntu:
  Fix Committed
Status in shim source package in Bionic:
  Fix Committed
Status in shim-signed source package in Bionic:
  Fix Committed
Status in shim source package in Focal:
  Fix Committed
Status in shim-signed source package in Focal:
  Fix Committed
Status in shim source package in Jammy:
  Fix Released
Status in shim-signed source package in Jammy:
  Fix Released
Status in shim source package in Kinetic:
  Fix Released
Status in shim-signed source package in Kinetic:
  Fix Released

Bug description:
  [Impact]
  New upstream release; shim security update CVE-2022-28737

  [Test plan]
  https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

  [Where problems could occur]
  Machines could become unbootable due to bugs as usual.

  Key rotations that require newer kernels can't enforce newer kernels
  being on the system prior to updates resulting in unbootable systems
  if kernels are not available.

  Requires the grub2-unsigned >= 2.04-1ubuntu47.4, >= 2.06-2ubuntu10 to be
  published to security and on each machine first too. Maybe should add Breaks to those (though you can set 'latest' policy and it would require upcoming grub uploads, so not _entirely_ useful).

  Also breaks fwupd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1996503/+subscriptions

More information about the foundations-bugs mailing list