
[Deepin Integration]~[v25-Release] feat: update shim to 15.8-1 Secure Boot_CRP_25008 #12607

@deepin-bot


Package information

| Package name | Version |
| --- | --- |
| shim | 15.8-1 |
| grub-efi-amd64-signed | 1.67.5+2.12+deepin1 |
| shim-signed | 1.36.7 |
| kernel-6.12 | 25.01.01.10 |
| deepin-installer | 7.0.46 |

Package repository address

deb [trusted=yes] https://ci.deepin.com/repo/obs/deepin:/CI:/TestingIntegration:/test-integration-pr-3551/testing/ ./
deb [trusted=yes] https://ci.deepin.com/repo/deepin/deepin-community/obs-repos/ kernel main

Changelog

shim (15.8-1) unstable; urgency=medium

[ Steve McIntyre ]

  • Cope with changes in pesign packaging. Closes: #1057606
  • New upstream release fixing more bugs. Closes: #1061519, #1064220
  • Remove all our previous patches, no longer needed:
    • Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
      upstream)
    • Enable-NX.patch (we don't want NX just yet until the whole boot
      stack is NX-capable)
    • block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
      is 4)
  • Cherry-pick 2 new patches from upstream for grub revocations:
    • 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
    • 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
  • NOTE: Stop building for i386
    • Debian kernels are no longer signed for i386, it's time to stop
      supporting i386 SB.
  • Log if the build is nx-compatible or not
  • Force shim to use the latest revocations by default to block some
    older grub / peimage issues. This is:
    "shim,4\ngrub,4\ngrub.peimage,2\n"
  • Install a copy of the Debian CA certificate into /usr/share/shim.
    Closes: #1069054
  • Clean up better after build. Closes: #1046268

[ Bastien Roucariès ]

  • Port autopkgtest from ubuntu
  • Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
    shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
  • Fix debian/watch and check signature (Closes: #1043485)
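
How the revocation string in the changelog is applied, as an added example (not code from shim or from this issue): a component is refused when the generation in its `.sbat` section is lower than the revocation entry with the same name. The two `.sbat` dumps are constructed samples, and the function names are hypothetical.

```python
import csv
import io

# Revocation level quoted in the changelog above (real newlines here).
LATEST_REVOCATIONS = "shim,4\ngrub,4\ngrub.peimage,2\n"

# Constructed .sbat contents for illustration; not taken from any real binary.
OLD_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,3,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Vendor,grub2,2.06-1,https://example.invalid/grub2\n"
)
NEW_GRUB_SBAT = (
    "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    "grub,4,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/\n"
    "grub.example,1,Example Vendor,grub2,2.12-1,https://example.invalid/grub2\n"
)


def parse_entries(text):
    """Return (component, generation) pairs from SBAT CSV text.

    Works for both a .sbat section dump (6 columns) and a revocation
    level (2 or 3 columns): only the first two fields are compared.
    """
    entries = []
    # .sbat sections are NUL-padded; strip the padding before CSV parsing.
    for row in csv.reader(io.StringIO(text.rstrip("\x00"))):
        if len(row) < 2:
            continue  # blank or malformed line
        entries.append((row[0].strip(), int(row[1])))
    return entries


def revoked_components(sbat_text, level_text=LATEST_REVOCATIONS):
    """List (name, binary_generation, required_generation) for every
    component whose generation is below the revocation level."""
    level = dict(parse_entries(level_text))
    return [
        (name, gen, level[name])
        for name, gen in parse_entries(sbat_text)
        if name in level and gen < level[name]
    ]


if __name__ == "__main__":
    print("old grub:", revoked_components(OLD_GRUB_SBAT))
    print("new grub:", revoked_components(NEW_GRUB_SBAT))
```

To check a real binary, dump its section with `objcopy -O binary --only-section=.sbat <file>.efi <out>` and pass the resulting text to `revoked_components`.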
