[ubuntu/kinetic-proposed] shim_15.7-0ubuntu1_arm64.tar.gz - (Accepted)
Julian Andres Klode
juliank at ubuntu.com
Mon Jan 30 09:30:32 UTC 2023
shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

Date: Fri, 18 Nov 2022 16:00:39 +0100
Changed-By: Julian Andres Klode <juliank at ubuntu.com>
Maintainer: Launchpad Build Daemon <buildd at bos02-arm64-049.buildd>
-------------- next part --------------
Format: 1.8
Date: Fri, 18 Nov 2022 16:00:39 +0100
Source: shim
Binary: shim shim-dbg
Built-For-Profiles: noudeb
Architecture: arm64
Version: 15.7-0ubuntu1
Distribution: kinetic
Urgency: medium
Maintainer: Launchpad Build Daemon <buildd at bos02-arm64-049.buildd>
Changed-By: Julian Andres Klode <juliank at ubuntu.com>
Description:
shim - boot loader to chain-load signed boot loaders under Secure Boot
shim-dbg - boot loader to chain-load signed boot loaders under Secure Boot (
Launchpad-Bugs-Fixed: 1987541 1995852 1996503
Original-Maintainer: Steve Langasek <vorlon at debian.org>