Package "shim-dbg"

Name: shim-dbg
Description: boot loader to chain-load signed boot loaders under Secure Boot (dbg symbols)
Latest version: 15.8-0ubuntu1
Release: focal (20.04)
Level: updates
Repository: main
Head package: shim
Changelog

shim (15.8-0ubuntu1) mantic; urgency=medium

  * New upstream version 15.8 (LP: #2051151):
    - pe: Align section size up to page size for mem attrs (LP: #2036604)
    - SBAT level: shim,4
    - SBAT policy:
      - Latest: "shim,4\ngrub,3\ngrub.debian,4\n"
      - Automatic: "shim,2\ngrub,3\ngrub.debian,4\n"
      - Note that this does not yet revoke pre NTFS CVE fix GRUB binaries.
  * SECURITY UPDATE: a bug in an error message [LP: #2051151]
    - mok: fix LogError() invocation
    - CVE-2023-40546
  * SECURITY UPDATE: out-of-bounds write and UEFI Secure Boot bypass
    when booting via HTTP [LP: #2051151]
    - avoid incorrectly trusting HTTP headers
    - CVE-2023-40547
  * SECURITY UPDATE: out-of-bounds write and possible bug [LP: #2051151]
    - Fix integer overflow on SBAT section size on 32-bit system
    - CVE-2023-40548
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - Authenticode: verify that the signature header is in bounds.
    - CVE-2023-40549
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe: Fix an out-of-bound read in verify_buffer_sbat()
    - CVE-2023-40550
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe-relocate: Fix bounds check for MZ binaries
    - CVE-2023-40551
  * debian/rules: Update COMMIT_ID

 -- Mate Kukri <email address hidden> Thu, 25 Jan 2024 08:55:28 +0000

CVE-2023-40546: A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an err
CVE-2023-40547: A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This
CVE-2023-40548: A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed
CVE-2023-40549: An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an atta
CVE-2023-40550: An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's
CVE-2023-40551: A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during t

shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
        SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100

LP #1996503: shim 15.7-0ubuntu1
LP #1995852: shim TDX enablement
LP #1987541: shim executes GRUB w/ dirty instruction cache on arm64

shim (15.4-0ubuntu9) hirsute; urgency=medium

  * Fix booting installer media on some machines (LP: #1937115)
    - Always fallback to the default loader (PR #393)
    - Dump load options parsed (PR #393)
    - Disable load option parsing on removable media path (PR #399)
  * trivial: Fix a minor overflow in the mok importing code (PR #365)
  * Fix fall back loader to find the correct boot entry, avoiding potential
    corruption of firmware (PR #396).

 -- Julian Andres Klode <email address hidden> Fri, 06 Aug 2021 13:16:33 +0200

LP #1937115: Unable to boot/install Impish daily in UEFI boot mode

shim (15.4-0ubuntu7) hirsute; urgency=medium

  * Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
  * Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
  * Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
  * mok: relax the maximum variable size check (LP: #1934780) (PR #369)

 -- Julian Andres Klode <email address hidden> Wed, 07 Jul 2021 10:57:35 +0200

LP #1929471: Shim apparently fails to run fwupd64 (hirsute regression?)
LP #1928010: Occasionally crashes in _relocate() on arm64
LP #1934506: Mirrored MOK variables could be accidentally deleted
LP #1934780: shim crashes on Mellanox BF1 SmartNIC

shim (15+1552672080.a4a1fbe-0ubuntu2) focal; urgency=medium

  * d/patches/fix-path-checks.patch: Cherry-pick upstream fix for regression
    in loading fwupd, or anything else specified as an argument (LP: #1864223)

 -- Julian Andres Klode <email address hidden> Fri, 20 Mar 2020 16:19:14 +0100

LP #1864223: shim 15+1552672080.a4a1fbe-0ubuntu1 fails to load fwupd