Security update for shim (important)

An update that solves one vulnerability and has 7 fixes is
now available.

Description:

This update for shim fixes the following issues:

• Updated openSUSE x86 signature

• Avoid the error message during linux system boot (boo#1184454)

• Prevent the build id being added to the binary. That can cause issues
  with the signature

Update to 15.4 (boo#1182057)

• Rename the SBAT variable and fix the self-check of SBAT
• sbat: add more dprint()
• arm/aa64: Swizzle some sections to make old sbsign happier
• arm/aa64 targets: put .rel* and .dyn* in .rodata

• Change the SBAT variable name and enhance the handling of SBAT
  (boo#1182057)

Update to 15.3 for SBAT support (boo#1182057)

• Drop gnu-efi from BuildRequires since upstream pull it into the

• Generate vender-specific SBAT metadata

  • Add dos2unix to BuildRequires since Makefile requires it for vendor
    SBAT

• Update dbx-cert.tar.xz and vendor-dbx.bin to block the following sign
  keys:

  • SLES-UEFI-SIGN-Certificate-2020-07.crt
  • openSUSE-UEFI-SIGN-Certificate-2020-07.crt

• Check CodeSign in the signer’s EKU (boo#1177315)

• Fixed NULL pointer dereference in AuthenticodeVerify() (boo#1177789,
  CVE-2019-14584)

• All newly released openSUSE kernels enable kernel lockdown and signature
  verification, so there is no need to add the prompt anymore.

• shim-install: Support changing default shim efi binary in
  /usr/etc/default/shim and /etc/default/shim (boo#1177315)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

• openSUSE Leap 15.2:

  zypper in -t patch openSUSE-2021-598=1