diff --git a/redhatsecurebootca8.cer b/redhatsecurebootca8.cer
new file mode 100644
index 0000000..75bc46b
Binary files /dev/null and b/redhatsecurebootca8.cer differ
diff --git a/sbat.redhat.csv b/sbat.redhat.csv
index 2135543..be9e036 100644
--- a/sbat.redhat.csv
+++ b/sbat.redhat.csv
@@ -1 +1 @@
-shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com
+shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com
diff --git a/shim-unsigned-x64.spec b/shim-unsigned-x64.spec
index 6064d69..b8099ad 100644
--- a/shim-unsigned-x64.spec
+++ b/shim-unsigned-x64.spec
@@ -19,14 +19,14 @@
 %global dbxfile %{nil}
 Name: shim-unsigned-%{efiarch}
-Version: 15.6
+Version: 15.8
 Release: 1.el9
 Summary: First-stage UEFI bootloader
 ExclusiveArch: x86_64
 License: BSD
 URL: https://github.com/rhboot/shim
 Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1: redhatsecurebootca5.cer
+Source1: vendordb.esl
 %if 0%{?dbxfile}
 Source2: %{dbxfile}
 %endif
@@ -107,9 +107,10 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
 if [ -f "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
@@ -128,8 +129,9 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 if [ -f "%{SOURCE1}" ]; then
- MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+ MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=%{SOURCE1}"
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
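Review bot: `Source1: vendordb.esl` in the -19,14 hunk swaps a single readable certificate for an opaque binary signature list, and nothing in the spec records which certificates it holds or how it was generated. This file becomes the vendor trust database passed to the shim build, so its provenance should be auditable from the package itself; a comment above the line would do, e.g. `# vendordb.esl: EFI signature list built from <certificate files> with <tool and command>`. The commit also adds redhatsecurebootca8.cer, but no visible hunk references it, so it is presumably only an input to the .esl. Listing the input certificates as further `SourceN:` entries would keep them in the source package so the list can be regenerated and compared.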
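Review bot: The `if [ -f "%{SOURCE1}" ]` guard around the new `VENDOR_DB_FILE=%{SOURCE1}` line in the -107,9 hunk lets the build carry on with no vendor database at all when vendordb.esl is absent. `Source1` is declared unconditionally, so a missing file is a packaging error, and a shim built without its intended trust anchors should not come out of a successful build. Fail instead of skipping, for example `if [ ! -f "%{SOURCE1}" ]; then echo "missing %{SOURCE1}" >&2; exit 1; fi` followed by the unconditional assignment. The same guard wraps the changed line in the -128,8 hunk, and the enclosing build script starts and ends outside both hunks.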
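Review bot: `SBAT_AUTOMATIC_DATE=2023012900` in the -128,8 hunk is a bare literal that is repeated in the -107,9 hunk, with no comment saying what the date selects. The name suggests it fixes the SBAT revocation level the built shim applies automatically, so the two make invocations must not drift apart. Define it once near the other globals, `%global sbat_automatic_date 2023012900`, and use `MAKEFLAGS+="SBAT_AUTOMATIC_DATE=%{sbat_automatic_date} "` in both places. A one-line comment such as `# SBAT revocation date passed to the shim build; review on every shim rebase` would tell the next maintainer when to change it.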
@@ -158,6 +160,10 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 %changelog
+* Tue Jan 23 2024 Peter Jones - 15.8-1.el9
+- Update to shim-15.8 for CVE-2023-40547
+ Resolves: RHEL-56466
+
 * Wed Jun 01 2022 Peter Jones - 15.6-1.el9
 - Update to shim-15.6
 Resolves: CVE-2022-28737
diff --git a/sources b/sources
index bcb0302..5428b75 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (shim-15.6.tar.bz2) = ddc5d5234851d05ed7124ad748ad3fee2df8a335493948a045653322c873f3f055d34894aeb2ac7495086984ca62183907d341e46e6bdf108856e39c646455fc
+SHA512 (shim-15.8.tar.bz2) = 30b3390ae935121ea6fe728d8f59d37ded7b918ad81bea06e213464298b4bdabbca881b30817965bd397facc596db1ad0b8462a84c87896ce6c1204b19371cd1
diff --git a/vendordb.esl b/vendordb.esl
new file mode 100644
index 0000000..8991b3e
Binary files /dev/null and b/vendordb.esl differ