{"affected":[{"ecosystem_specific":{"binaries":[{"shim":"15.7-25.24.1"}]},"package":{"ecosystem":"SUSE:OpenStack Cloud 9","name":"shim","purl":"pkg:rpm/suse/shim&distro=SUSE%20OpenStack%20Cloud%209"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.7-25.24.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"shim":"15.7-25.24.1"}]},"package":{"ecosystem":"SUSE:OpenStack Cloud Crowbar 9","name":"shim","purl":"pkg:rpm/suse/shim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.7-25.24.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"shim":"15.7-25.24.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12 SP4","name":"shim","purl":"pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.7-25.24.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"shim":"15.7-25.24.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP4-ESPOS","name":"shim","purl":"pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-ESPOS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.7-25.24.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"shim":"15.7-25.24.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP4-LTSS","name":"shim","purl":"pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.7-25.24.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"shim":"15.7-25.24.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12 SP5","name":"shim","purl":"pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.7-25.24.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"shim":"15.7-25.24.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12 SP5","name":"shim","purl":"pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"15.7-25.24.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for shim fixes the following issues:\n\n- Updated shim signature after shim 15.7 be signed back:\n  signature-sles.x86_64.asc, signature-sles.aarch64.asc (bsc#1198458)\n\n- Add POST_PROCESS_PE_FLAGS=-N to the build command in shim.spec to\n  disable the NX compatibility flag when using post-process-pe because\n  grub2 is not ready. (bsc#1205588)\n\n- Enable the NX compatibility flag by default. (jsc#PED-127) \n\nUpdate to 15.7 (bsc#1198458) (jsc#PED-127):\n\n- Make SBAT variable payload introspectable\n- Reference MokListRT instead of MokList\n- Add a link to the test plan in the readme.\n- [V3] Enable TDX measurement to RTMR register\n- Discard load-options that start with a NUL\n- Fixed load_cert_file bugs\n- Add -malign-double to IA32 compiler flags\n- pe: Fix image section entry-point validation\n- make-archive: Build reproducible tarball\n- mok: remove MokListTrusted from PCR 7\n\nOther fixes:\n\n- Support enhance shim measurement to TD RTMR. (jsc#PED-1273) \n\n- shim-install: ensure grub.cfg created is not overwritten after installing grub related files\n- Add logic to shim.spec to only set sbat policy when efivarfs is writeable.  (bsc#1201066)\n- Add logic to shim.spec for detecting --set-sbat-policy option before using mokutil to set sbat policy. (bsc#1202120)\n- Change the URL in SBAT section to mail:security@suse.de. (bsc#1193282)\n\nUpdate to 15.6 (bsc#1198458):\n\n- MokManager: removed Locate graphic output protocol fail error message\n- shim: implement SBAT verification for the shim_lock protocol\n- post-process-pe: Fix a missing return code check\n- Update github actions matrix to be more useful\n- post-process-pe: Fix format string warnings on 32-bit platforms\n- Allow MokListTrusted to be enabled by default\n- Re-add ARM AArch64 support\n- Use ASCII as fallback if Unicode Box Drawing characters fail\n- make: don't treat cert.S specially\n- shim: use SHIM_DEVEL_VERBOSE when built in devel mode\n- Break out of the inner sbat loop if we find the entry.\n- Support loading additional certificates\n- Add support for NX (W^X) mitigations.\n- Fix preserve_sbat_uefi_variable() logic\n- SBAT Policy latest should be a one-shot\n- pe: Fix a buffer overflow when SizeOfRawData > VirtualSize\n- pe: Perform image verification earlier when loading grub\n- Update advertised sbat generation number for shim\n- Update SBAT generation requirements for 05/24/22\n- Also avoid CVE-2022-28737 in verify_image() by @vathpela\n\nUpdate to 15.5 (bsc#1198458):\n\n- Broken ia32 relocs and an unimportant submodule change.\n- mok: allocate MOK config table as BootServicesData\n- Don't call QueryVariableInfo() on EFI 1.10 machines (bsc#1187260)\n- Relax the check for import_mok_state()  (bsc#1185261)\n- SBAT.md: trivial changes\n- shim: another attempt to fix load options handling\n- Add tests for our load options parsing.\n- arm/aa64: fix the size of .rela* sections\n- mok: fix potential buffer overrun in import_mok_state\n- mok: relax the maximum variable size check\n- Don't unhook ExitBootServices when EBS protection is disabled\n- fallback: find_boot_option() needs to return the index for the boot entry in optnum\n- httpboot: Ignore case when checking HTTP headers\n- Fallback allocation errors\n- shim: avoid BOOTx64.EFI in message on other architectures\n- str: remove duplicate parameter check\n- fallback: add compile option FALLBACK_NONINTERACTIVE\n- Test mok mirror\n- Modify sbat.md to help with readability.\n- csv: detect end of csv file correctly\n- Specify that the .sbat section is ASCII not UTF-8\n- tests: add 'include-fixed' GCC directory to include directories\n- pe: simplify generate_hash()\n- Don't make shim abort when TPM log event fails (RHBZ #2002265)\n- Fallback to default loader if parsed one does not exist\n- fallback: Fix for BootOrder crash when index returned\n- Better console checks\n- docs: update SBAT UEFI variable name\n- Don't parse load options if invoked from removable media path\n- fallback: fix fallback not passing arguments of the first boot option\n- shim: Don't stop forever at 'Secure Boot not enabled' notification\n- Allocate mokvar table in runtime memory.\n- Remove post-process-pe on 'make clean'\n- pe: missing perror argument\n\n\n- CVE-2022-28737: Fixed a buffer overflow when SizeOfRawData > VirtualSize (bsc#1198458)\n\n- Add mokutil command to post script for setting sbat policy to latest mode\n  when the SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23 is not created.\n  (bsc#1198458)\n\n- Updated vendor dbx binary and script (bsc#1198458)\n\n  - Updated dbx-cert.tar.xz and vendor-dbx-sles.bin for adding\n    SLES-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.\n  - Updated dbx-cert.tar.xz and vendor-dbx-opensuse.bin for adding\n    openSUSE-UEFI-SIGN-Certificate-2021-05.crt to vendor dbx list.\n  - Updated vendor-dbx.bin for adding SLES-UEFI-SIGN-Certificate-2021-05.crt\n    and openSUSE-UEFI-SIGN-Certificate-2021-05.crt for testing environment.\n  - Updated generate-vendor-dbx.sh script for generating a vendor-dbx.bin\n    file which includes all .der for testing environment.\n\n- avoid buffer overflow when copying data to the MOK config table (bsc#1185232)\n- Disable exporting vendor-dbx to MokListXRT since writing a large RT variable could crash some machines (bsc#1185261)\n- ignore the odd LoadOptions length (bsc#1185232)\n- shim-install: reset def_shim_efi to 'shim.efi' if the given file doesn't exist\n- relax the maximum variable size check for u-boot (bsc#1185621)\n- handle ignore_db and user_insecure_mode correctly (bsc#1185441, bsc#1187071)\n\n- Split the keys in vendor-dbx.bin to vendor-dbx-sles and\n  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce\n  the size of MokListXRT (bsc#1185261) \n  + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz\n","id":"SUSE-SU-2023:1863-1","modified":"2023-04-17T07:34:56Z","published":"2023-04-17T07:34:56Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2023/suse-su-20231863-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185232"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185261"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185441"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185621"},{"type":"REPORT","url":"https://bugzilla.suse.com/1187071"},{"type":"REPORT","url":"https://bugzilla.suse.com/1187260"},{"type":"REPORT","url":"https://bugzilla.suse.com/1193282"},{"type":"REPORT","url":"https://bugzilla.suse.com/1193315"},{"type":"REPORT","url":"https://bugzilla.suse.com/1198458"},{"type":"REPORT","url":"https://bugzilla.suse.com/1201066"},{"type":"REPORT","url":"https://bugzilla.suse.com/1202120"},{"type":"REPORT","url":"https://bugzilla.suse.com/1205588"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-28737"}],"related":["CVE-2022-28737"],"summary":"Security update for shim","upstream":["CVE-2022-28737"]}