openSUSE-RU-2026:20325-1

This update for shim fixes the following issues:

This update for shim fixes the following issues:

shim is updated to version 16.1:

• shimstartimage(): fix guid/handle pairing when uninstalling protocols
• Fix uncompressed ipv6 netboot
• fix test segfaults caused by uninitialized memory
• SbatLevel_Variable.txt: minor typo fix.
• Realloc() needs to allocate one more byte for sprintf()
• IPv6: Add more check to avoid multiple double colon and illegal char
• Loader proto v2
• loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
• Generate Authenticode for the entire PE file
• README: mention new loader protocol and interaction with UKIs
• shim: change automatically enable MOKPOLICYREQUIRE_NX
• Save var info
• add SbatLevel entry 2025051000 for PSA-2025-00012-1
• Coverity fixes 20250804
• fix http boot
• Fix double free and leak in the loader protocol

shim is updated to version 16.0:

• Validate that a supplied vendor cert is not in PEM format
• sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
• sbat: Also bump latest for grub,4 (and to todays date)
• undo change that limits certificate files to a single file
• shim: don't set second_stage to the empty string
• Fix SBAT.md for today's consensus about numbers
• Update Code of Conduct contact address
• make-certs: Handle missing OpenSSL installation
• Update MokVars.txt
• export DEFINES for sub makefile
• Drop unused EFIIMAGESECURITYDATABASEGUID definition
• Null-terminate 'arguments' in fallback
• Fix "Verifiying" typo in error message
• Update Fedora CI targets
• Force gcc to produce DWARF4 so that gdb can use it
• Minor housekeeping 2024121700
• Discard load-options that start with WINDOWS
• Fix the issue that the gBS->LoadImage pointer was empty.
• shim: Allow data after the end of device path node in load options
• Handle network file not found like disks
• Update gnu-efi submodule for EFIHTTPERROR
• Increase EFI file alignment
• avoid EFIv2 runtime services on Apple x86 machines
• Improve shortcut performance when comparing two boolean expressions
• Provide better error message when MokManager is not found
• tpm: Boot with a warning if the event log is full
• MokManager: remove redundant logical constraints
• Test importmokstate() when MokListRT would be bigger than available size
• test-mok-mirror: minor bug fix
• Fix file system browser hang when enrolling MOK from disk
• Ignore a minor clang-tidy nit
• Allow fallback to default loader when encountering errors on network boot
• test.mk: don't use a temporary random.bin
• pe: Enhance debug report for updatememattrs
• Multiple certificate handling improvements
• Generate SbatLevel Metadata from SbatLevel_Variable.txt
• Apply EKU check with compile option
• Add configuration option to boot an alternative 2nd stage
• Loader protocol (with Device Path resolution support)
• netboot cleanup for additional files
• Document how revocations can be delivered
• post-process-pe: add tests to validate NX compliance
• regression: CopyMem() in ad8692e copies out of bounds
• Save the debug and error logs in mok-variables
• Add features for the Host Security ID program
• Mirror some more efi variables to mok-variables
• This adds DXE Services measurements to HSI and uses them for NX
• Add shim's current NX_COMPAT status to HSIStatus
• README.tpm: reflect that vendordb is in fact logged as "vendordb"
• Reject HTTP message with duplicate Content-Length header fields
• Disable log saving
• fallback: don't add new boot order entries backwards
• README.tpm: Update MokList entry to MokListRT
• SBAT Level update for February 2025 GRUB CVEs