*** This bug is a security vulnerability ***

Public security bug reported:

[Impact]

 * New upstream shim release 15.3
 * It includes and enforces SBAT validation

[Test Plan]

 * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan

[Where problems could occur]

 * Upgrading to new shim, without upgrading to the new grub with sbat will fail to boot, as grub must include SBAT section.
 * Upgrading to new shim, without upgrading to the new fwupdate with sbat will fail to boot, as fwupdate must include SBAT section.

[Other Info]

 * All patches are dropped, as all got included in the v15.3 upstream release
 * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm
 * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims
 * This upload obsoletes shim-signed-canonical package

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

[Impact] - * New upstream shim release 15.3 - * It includes and enforces SBAT validation + * New upstream shim release 15.3 + * It includes and enforces SBAT validation [Test Plan] - * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan + * https://wiki.ubuntu.com/UEFI/SecureBoot/ShimUpdateProcess/TestPlan [Where problems could occur] - * Upgrading to new shim, without upgrading to the new grub with sbat + * Upgrading to new shim, without upgrading to the new grub with sbat will fail to boot, as grub must include SBAT section. - * Upgrading to new shim, without upgrading to the new fwupdate with + * Upgrading to new shim, without upgrading to the new fwupdate with sbat will fail to boot, as fwupdate must include SBAT section.
[Other Info] - - * All patches are dropped, as all got included in the v15.3 upstream release - * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm - * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims + + * All patches are dropped, as all got included in the v15.3 upstream release + * Embedded ephemeral shim certificate is now gone, and archive key is used to sign fb/mm + * Vendor DBX is included that revokes Boothole & ACPI-bypass vulnerable grubs and shims + * This upload obsoletes shim-signed-canonical package

-- 
https://bugs.launchpad.net/bugs/1921134

Title:
  SBAT shim 15.3 release
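
A pre-upgrade check for the boot failure described under "Where problems could occur", added here as an example and not part of the bug report or of Ubuntu's tooling: it walks the PE section table of an EFI binary and lists the entries of its `.sbat` section, so a grub or fwupdate image without one can be caught before the new shim is installed. `SAMPLE_SBAT` and `build_sample_pe` are constructed test input; on a real system the bytes passed to `sbat_entries` would be read from the installed EFI binary.

```python
import struct

# Constructed sample .sbat payload (CSV: component,generation,vendor,package,version,url).
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"grub,1,Free Software Foundation,grub,2.04,https://www.gnu.org/software/grub/\n"
)

def find_section(pe, name):
    """Return the raw bytes of the named PE section, or None if it is absent."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)      # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)
    table = pe_off + 24 + opt_size                      # section table follows optional header
    for i in range(n_sections):
        hdr = table + 40 * i
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<4I", pe, hdr + 8)
        if pe[hdr:hdr + 8].rstrip(b"\0") == name:
            return pe[raw_ptr:raw_ptr + min(vsize or raw_size, raw_size)]
    return None

def sbat_entries(pe):
    """Return [(component, generation), ...]; an empty list means no usable .sbat data."""
    data = find_section(pe, b".sbat") or b""
    entries = []
    for line in data.rstrip(b"\0").decode("utf-8", "replace").splitlines():
        fields = line.split(",")
        if len(fields) >= 2 and fields[1].isdigit():
            entries.append((fields[0], int(fields[1])))
    return entries

def build_sample_pe(sbat=None):
    """Constructed minimal PE image for the demo: .text, plus .sbat when given."""
    sections = [(b".text", b"\x90" * 16)] + ([(b".sbat", sbat)] if sbat else [])
    data_off = 0x40 + 24 + 40 * len(sections)           # DOS stub + PE/COFF header + table
    image = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    body = b""
    for name, raw in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 16 pad bytes
        image += struct.pack("<8s4I16x", name, len(raw), 0x1000, len(raw), data_off + len(body))
        body += raw
    return image + body

if __name__ == "__main__":
    print(sbat_entries(build_sample_pe(SAMPLE_SBAT)), sbat_entries(build_sample_pe()))
```

An empty result for a bootloader image means it carries no SBAT data and should be upgraded together with the shim.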
