| Package | shim |
|---|---|
| Version | 15.8-1~deb10u2 (buster) |
In order to support Secure Boot in buster ELTS, the shim needs to have the Freexian public certificate used to sign Linux kernels and other packages. This update adds that certificate to the shim alongside the Debian public CA, which allows to boot both old (signed by Debian) and new (signed by Freexian) packages.
The respective shim-signed package has also been updated to reflect this change.
In order to be able to boot future kernel security updates on setups where Secure Boot is enabled, these shim packages need to be upgraded, otherwise the old versions will not be able to verify the new signatures and the bootloader will refuse to load those kernel versions.
For Debian 10 buster, these problems have been fixed in version 15.8-1~deb10u2.
We recommend that you upgrade your shim packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.