SUSE-RU-2026:20004-1: important: Recommended update for shim

SLE-UPDATES null at suse.de
Fri Jan 9 16:32:28 UTC 2026 


# Recommended update for shim

Announcement ID: SUSE-RU-2026:20004-1  
Release Date: 2025-12-30T16:21:01Z  
Rating: important  
References:

  * bsc#1205588
  * bsc#1247432
  * bsc#1254336
  * bsc#1254679

  
Affected Products:

  * SUSE Linux Micro 6.0

  
  
An update that has four fixes can now be installed.

## Description:

This update for shim fixes the following issues:

This update for shim fixes the following issues:

shim is updated to version 16.1:

  * shim_start_image(): fix guid/handle pairing when uninstalling protocols
  * Fix uncompressed ipv6 netboot
  * fix test segfaults caused by uninitialized memory
  * SbatLevel_Variable.txt: minor typo fix.
  * Realloc() needs to allocate one more byte for sprintf()
  * IPv6: Add more check to avoid multiple double colon and illegal char
  * Loader proto v2
  * loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
  * Generate Authenticode for the entire PE file
  * README: mention new loader protocol and interaction with UKIs
  * shim: change automatically enable MOK_POLICY_REQUIRE_NX
  * Save var info
  * add SbatLevel entry 2025051000 for PSA-2025-00012-1
  * Coverity fixes 20250804
  * fix http boot
  * Fix double free and leak in the loader protocol

shim is updated to version 16.0:

  * Validate that a supplied vendor cert is not in PEM format
  * sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
  * sbat: Also bump latest for grub,4 (and to todays date)
  * undo change that limits certificate files to a single file
  * shim: don't set second_stage to the empty string
  * Fix SBAT.md for today's consensus about numbers
  * Update Code of Conduct contact address
  * make-certs: Handle missing OpenSSL installation
  * Update MokVars.txt
  * export DEFINES for sub makefile
  * Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
  * Null-terminate 'arguments' in fallback
  * Fix "Verifiying" typo in error message
  * Update Fedora CI targets
  * Force gcc to produce DWARF4 so that gdb can use it
  * Minor housekeeping 2024121700
  * Discard load-options that start with WINDOWS
  * Fix the issue that the gBS->LoadImage pointer was empty.
  * shim: Allow data after the end of device path node in load options
  * Handle network file not found like disks
  * Update gnu-efi submodule for EFI_HTTP_ERROR
  * Increase EFI file alignment
  * avoid EFIv2 runtime services on Apple x86 machines
  * Improve shortcut performance when comparing two boolean expressions
  * Provide better error message when MokManager is not found
  * tpm: Boot with a warning if the event log is full
  * MokManager: remove redundant logical constraints
  * Test import_mok_state() when MokListRT would be bigger than available size
  * test-mok-mirror: minor bug fix
  * Fix file system browser hang when enrolling MOK from disk
  * Ignore a minor clang-tidy nit
  * Allow fallback to default loader when encountering errors on network boot
  * test.mk: don't use a temporary random.bin
  * pe: Enhance debug report for update_mem_attrs
  * Multiple certificate handling improvements
  * Generate SbatLevel Metadata from SbatLevel_Variable.txt
  * Apply EKU check with compile option
  * Add configuration option to boot an alternative 2nd stage
  * Loader protocol (with Device Path resolution support)
  * netboot cleanup for additional files
  * Document how revocations can be delivered
  * post-process-pe: add tests to validate NX compliance
  * regression: CopyMem() in ad8692e copies out of bounds
  * Save the debug and error logs in mok-variables
  * Add features for the Host Security ID program
  * Mirror some more efi variables to mok-variables
  * This adds DXE Services measurements to HSI and uses them for NX
  * Add shim's current NX_COMPAT status to HSIStatus
  * README.tpm: reflect that vendor_db is in fact logged as "vendor_db"
  * Reject HTTP message with duplicate Content-Length header fields
  * Disable log saving
  * fallback: don't add new boot order entries backwards
  * README.tpm: Update MokList entry to MokListRT
  * SBAT Level update for February 2025 GRUB CVEs

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-541=1

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 x86_64)
    * shim-16.1-1.1
    * shim-debuginfo-16.1-1.1
    * shim-debugsource-16.1-1.1

## References:

  * https://bugzilla.suse.com/show_bug.cgi?id=1205588
  * https://bugzilla.suse.com/show_bug.cgi?id=1247432
  * https://bugzilla.suse.com/show_bug.cgi?id=1254336
  * https://bugzilla.suse.com/show_bug.cgi?id=1254679

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260109/6ea5e6a8/attachment.htm>

More information about the sle-updates mailing list