* Update to Standards-Version 4.6.2 (no changes needed)
* Enable NX support at build time, as required by policy for signing
new shim binaries.
+ * Block Debian grub binaries with sbat < 4 (see #1024617)
- -- Steve McIntyre <93sam@debian.org> Sun, 22 Jan 2023 13:12:14 +0000
+ -- Steve McIntyre <93sam@debian.org> Sun, 29 Jan 2023 23:34:40 +0000
shim (15.6-1) unstable; urgency=medium
--- /dev/null
+diff --git a/include/sbat_var_defs.h b/include/sbat_var_defs.h
+index 6b01573e..5b1a764f 100644
+--- a/include/sbat_var_defs.h
++++ b/include/sbat_var_defs.h
+@@ -35,8 +35,12 @@
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_PREVIOUS_DATE "\n" \
+ SBAT_VAR_PREVIOUS_REVOCATIONS
+
+-#define SBAT_VAR_LATEST_DATE "2022111500"
+-#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\n"
++/*
++ * Debian's grub.3 update was broken - some binaries included the SBAT
++ * data update but not the security patches :-(
++ */
++#define SBAT_VAR_LATEST_DATE "2023012900"
++#define SBAT_VAR_LATEST_REVOCATIONS "shim,2\ngrub,3\ngrub.debian,4\n"
+ #define SBAT_VAR_LATEST \
+ SBAT_VAR_SIG SBAT_VAR_VERSION SBAT_VAR_LATEST_DATE "\n" \
+ SBAT_VAR_LATEST_REVOCATIONS
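Review bot: The new `grub.debian,4` entry is added only to `SBAT_VAR_LATEST_REVOCATIONS`. The `SBAT_VAR_PREVIOUS_*` definitions used by the context lines at the top of the hunk sit outside it and appear unchanged, so whether the affected Debian grub binaries are actually refused depends on which revocation set shim applies by default; that should be confirmed and stated in the comment. The comment should also record that the date and entry are a Debian-local divergence from upstream's SBAT data and cite the bug, e.g. `/* Debian-local: revoke grub.debian < 4 (#1024617); re-check date and entries whenever upstream bumps SBAT_VAR_LATEST_DATE */`. If the stored SBAT level is only replaced when the built-in date is newer (presumably the case, not visible here), a later payload with a newer date but no `grub.debian` line would drop this revocation, so it is worth checking that the entry is carried forward.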