File _patchinfo of Package patchinfo.20877
<patchinfo incident="20877">
<issue tracker="bnc" id="1184454">[Build B.403.1] openQA test fails in journal_check</issue>
<issue tracker="bnc" id="1185261">UEFI Boot fail after standard update - could not create MoklistXRT, import_mok_state() failed: Out of Resources</issue>
<issue tracker="bnc" id="1177315">VUL-1: shim: does not enforce codesigning certificate in x509 key chain</issue>
<issue tracker="bnc" id="1185464"></issue>
<issue tracker="bnc" id="1185232">something has gone seriously wrong: shim_init() - system does not boot anymore after installing today's updates</issue>
<issue tracker="bnc" id="1187260">installation openSUSE 15.3 does not start on macbook</issue>
<issue tracker="bnc" id="1187696">Micro Focus Open Enterprise Secure Boot UEFI Cert is failing to load</issue>
<issue tracker="bnc" id="1185621">Jetson tx2: shim: import_mok_state() failed: Unsupported</issue>
<issue tracker="bnc" id="1185441">"system is compromised" during boot after grub2+shim update</issue>
<issue tracker="bnc" id="1177789">VUL-1: CVE-2019-14584: ovmf,shim: NULL pointer dereference in AuthenticodeVerify()</issue>
<issue tracker="bnc" id="1185961">[Build 391.4] 15-SP2 QU3 openQA test fails in grub_test on hyperv-uefi</issue>
<issue tracker="bnc" id="1182057">VUL-0: grub2,shim: implement new SBAT method</issue>
<packager>joeyli</packager>
<rating>moderate</rating>
<category>recommended</category>
<summary>Recommended update for shim-susesigned</summary>
<description>This update for shim-susesigned fixes the following issues:
Sync with Microsoft signed shim to Thu Jul 15 08:13:26 UTC 2021.
This update addresses the "susesigned" shim component.
shim was updated to 15.4 (bsc#1182057)
- console: Move the countdown function to console.c
- fallback: show a countdown menu before reset
- MOK: Fix the missing vendor cert in MokListRT
- mok: fix the mirroring of RT variables
- Add the license change statement for errlog.c and mok.c
- Remove a couple of incorrect license claims.
- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
- Make EFI variable copying fatal only on secureboot enabled systems
- Remove call to TPM2 get_event_log
- tpm: Fix off-by-one error when calculating event size
- tpm: Define EFI_VARIABLE_DATA_TREE as packed
- tpm: Don't log duplicate identical events
- VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
- OpenSSL: always provide OBJ_create() with name strings.
- translate_slashes(): don't write to string literals
- Fix a use of strlen() instead of Strlen()
- shim: Update EFI_LOADED_IMAGE with the second stage loader file path
- tpm: Include information about PE/COFF images in the TPM Event Log
- Fix a broken tpm type
- All newly released openSUSE kernels enable kernel lockdown
and signature verification, so there is no need to add the
prompt anymore.
- Fix the NULL pointer dereference in AuthenticodeVerify()
- Remove the build ID to make the binary reproducible when building with AArch64 container
- Prevent the build id being added to the binary. That can cause issues with the signature
- Allocate MOK config table as BootServicesData to avoid the error message from linux kernel
- Handle ignore_db and user_insecure_mode correctly (bsc#1185441)
- Relax the maximum variable size check for u-boot
- Relax the check for import_mok_state() when Secure Boot is off
- Relax the check for the LoadOptions length
- Fix the size of rela* sections for AArch64
- Disable exporting vendor-dbx to MokListXRT
- Don't call QueryVariableInfo() on EFI 1.10 machines
- Avoid buffer overflow when copying the MOK config table
- Avoid deleting the mirrored RT variables
- Update to 15.3 for SBAT support (bsc#1182057)
- Generate vendor-specific SBAT metadata
- Rename the SBAT variable and fix the self-check of SBAT
- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
the size of MokListXRT (bsc#1185261)
- shim-install: reset def_shim_efi to "shim.efi" if the given file doesn't exist
- shim-install: instead of assuming "removable" for Azure, remove
fallback.efi from \EFI\Boot and copy grub.efi/cfg to \EFI\Boot
to make \EFI\Boot bootable and keep the boot option created by
efibootmgr (bsc#1185464, bsc#1185961)
- shim-install: always assume "removable" for Azure to avoid the endless reset loop (bsc#1185464)
- shim-install: Support changing default shim efi binary in /usr/etc/default/shim and /etc/default/shim (bsc#1177315)
- Update dbx-cert.tar.xz and vendor-dbx.bin to block the following signing keys:
+ SLES-UEFI-SIGN-Certificate-2020-07.crt
+ openSUSE-UEFI-SIGN-Certificate-2020-07.crt
</description>
</patchinfo>