*** This bug is a security vulnerability *** Public security bug reported:
A signed variable update for secureboot dbx has been published by Microsoft to uefi.org; last updated 2016-08-11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip This file has not been included in the secureboot-db package in Ubuntu; so users who only boot Ubuntu and not Windows will not have these revocations applied, meaning their firmware will trust (and possibly be exploitable by) whatever binaries these revoked hashes correspond to. Separately, I seem in testing to be unable to apply this signed database update to my system using sbkeysync, despite having the Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work; we may need to either fix it, or switch to other code that does work, such as the dbxtool in Fedora. ** Affects: secureboot-db (Ubuntu) Importance: Medium Status: Triaged ** Changed in: secureboot-db (Ubuntu) Status: New => Triaged ** Changed in: secureboot-db (Ubuntu) Importance: Undecided => Critical ** Changed in: secureboot-db (Ubuntu) Importance: Critical => Medium ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1776996 Title: secureboot-db out of date, missing revocations from Aug 2016 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
