UbuntuUpdates.org

Package "shim"


Moved to jammy:main:updates


Name: shim

Description:

boot loader to chain-load signed boot loaders under Secure Boot
Latest version: *DELETED*
Release: jammy (22.04)
Level: proposed
Repository: main

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "shim"

APT INSTALL

Other versions of "shim" in Jammy

Repository Area Version
base main 15.4-0ubuntu9
security main 15.7-0ubuntu1
updates main 15.8-0ubuntu1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: *DELETED* 2024-08-27 17:07:15 UTC
Moved to jammy:main:updates
No changelog for deleted or moved packages.

Version: 15.8-0ubuntu1 2024-08-19 15:07:09 UTC

  shim (15.8-0ubuntu1) mantic; urgency=medium

  * New upstream version 15.8 (LP: #2051151):
    - pe: Align section size up to page size for mem attrs (LP: #2036604)
    - SBAT level: shim,4
    - SBAT policy:
      - Latest: "shim,4\ngrub,3\ngrub.debian,4\n"
      - Automatic: "shim,2\ngrub,3\ngrub.debian,4\n"
      - Note that this does not yet revoke pre NTFS CVE fix GRUB binaries.
  * SECURITY UPDATE: a bug in an error message [LP: #2051151]
    - mok: fix LogError() invocation
    - CVE-2023-40546
  * SECURITY UPDATE: out-of-bounds write and UEFI Secure Boot bypass
    when booting via HTTP [LP: #2051151]
    - avoid incorrectly trusting HTTP headers
    - CVE-2023-40547
  * SECURITY UPDATE: out-of-bounds write and possible bug [LP: #2051151]
    - Fix integer overflow on SBAT section size on 32-bit system
    - CVE-2023-40548
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - Authenticode: verify that the signature header is in bounds.
    - CVE-2023-40549
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe: Fix an out-of-bound read in verify_buffer_sbat()
    - CVE-2023-40550
  * SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
    - pe-relocate: Fix bounds check for MZ binaries
    - CVE-2023-40551
  * debian/rules: Update COMMIT_ID

 -- Mate Kukri <email address hidden> Thu, 25 Jan 2024 08:55:28 +0000
CVE-2023-40546 A flaw was found in Shim when an error happened while creating a new ESL variable. If Shim fails to create the new variable, it tries to print an err
CVE-2023-40547 A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This
CVE-2023-40548 A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed
CVE-2023-40549 An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary. This flaw allows an atta
CVE-2023-40550 An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information. This issue may expose sensitive data during the system's
CVE-2023-40551 A flaw was found in the MZ binary format in Shim. An out-of-bounds read may occur, leading to a crash or possible exposure of sensitive data during t

Version: *DELETED* 2023-02-17 03:06:58 UTC
Moved to jammy:main:updates
No changelog for deleted or moved packages.

Version: 15.7-0ubuntu1 2023-01-28 09:06:48 UTC

  shim (15.7-0ubuntu1) kinetic; urgency=medium

  * New upstream version 15.7 (LP: #1996503), highlights:
    - Enable TDX measurements (LP: #1995852)
    - Flush the memory region from i-cache before execution (LP: #1987541)
    - Introspectable SBAT payload for TPM resealing efforts
    - Don't measure MokListTrusted to PCR7
    - SBAT level: shim,3
    - SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
      SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
      Note that shim requirement was not bumped as shim,2 shims are not
      commonly available yet.
  * SECURITY FIX: Buffer overflow when loading crafted EFI images.
    - CVE-2022-28737
  * Rebase patches, only ubuntu-no-addend-vendor-dbx.patch remains
  * Import 20221103 Canonical vendor dbx.
    This vendor dbx revokes all certificates that have been used
    so far.
    - CN = Canonical Ltd. Secure Boot Signing
    - CN = Canonical Ltd. Secure Boot Signing (2017)
    - CN = Canonical Ltd. Secure Boot Signing (ESM 2018)
    - CN = Canonical Ltd. Secure Boot Signing (2019)
    - CN = Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v1)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v2)
    - CN = Canonical Ltd. Secure Boot Signing (2021 v3)
  * Build-Depend on libefivar-dev
  * debian/rules: Update COMMIT_ID

 -- Julian Andres Klode <email address hidden> Fri, 18 Nov 2022 16:00:39 +0100
1996503 shim 15.7-0ubuntu1
1995852 shim TDX enablement
1987541 shim executes GRUB w/ dirty instruction cache on arm64


About   -   Send Feedback to @ubuntu_updates