crmsh
- Update to version 4.6.2+20260209.721d6d2a:
  * Dev: pre-migration: Add check for obsolete SAP ASCS/ERS ENSA1 (jsc#SAPSOL-780)
  * Fix: ui_cluster: Stop dlm in maintenance mode correctly (bsc#1253733)
  * Dev: utils: Reuse methods in xmlutil.CrmMonXmlParser
  * Dev: migration: Add check for obsolete SAP ASCS/ERS mount (jsc#SAPSOL-495)
  * Fix: log: Add milliseconds time format to crmsh.log (bsc#1255021)
docker
- Places a hard cap on the number of mechanisms that can be specified and
  encoded in the payload. (bsc#1253904, CVE-2025-58181)
  * 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
expat
- security update
- added patches
  CVE-2026-24515 [bsc#1257144], NULL dereference (CWE-476) due to function XML_ExternalEntityParserCreate() failing to copy the encoding handler data passed to XML_SetUnknownEncodingHandler() from the parent to the subparser
  * expat-CVE-2026-24515.patch
  CVE-2026-25210 [bsc#1257496], lack of buffer size check can lead to an integer overflow
  * expat-CVE-2026-25210.patch
fence-agents
- Adding new fence agent for Nutanix AHV (jsc#PED-13087) (bsc#1253230)
  Fix spec file: add nutanix_ahv to agent_list.

- add new skip_os_shutdown flag to fence_aws fence agent (bsc#1250417)
  o Add upstream patch:
    632.patch
glibc
- nss-missing-checks.patch: nss: Missing checks in __nss_configure_lookup,
  __nss_database_get (bsc#1258319, BZ #28940)
grub2
- Support dm multipath bootlist on PowerPC (bsc#1254415)
  * 0001-ieee1275-support-dm-multipath-bootlist.patch

- Backport upstream's commit to prevent BIOS assert (bsc#1258022)
  * 0001-kern-efi-mm-Change-grub_efi_mm_add_regions-to-keep-t.patch

- Fix error "grub-core/script/lexer.c:352:out of memory" after PowerPC CAS
  Reboot (bsc#1254299)
  * 0001-Fix-PowerPC-CAS-reboot-to-evaluate-menu-context.patch
gcc15
- Add gcc14-bsc1257463.patch to fix bogus expression simplification
  [bsc#1257463]
mozilla-nss
- update to NSS 3.112.3
  * bmo#2009552 - avoid integer overflow in platform-independent ghash
gnutls
- Add functionality to specify the hash algorithm for
  the PSK. This fixes a bug in the current implementation where the
  binder is always calculated with SHA256.
  * (bsc#1258083, jsc#PED-15752, jsc#PED-15753)
  * lib/psk: Add gnutls_psk_allocate_{client,server}_credentials2
  * tests/psk-file: Add testing for _credentials2 functions
  * lib/psk: add null check for binder algo
  * pre_shared_key: fix memleak when retrying with different binder algo
  * pre_shared_key: add null check on pskcred
  * Add patches:
  - gnutls-PSK-hash.patch
  - gnutls-PSK-hash-tests.patch
  - gnutls-PSK-hash-NULL-check.patch
  - gnutls-PSK-hash-NULL-check-pskcred.patch
  - gnutls-PSK-hash-fix-memleak.patch

- Security fix:
  * CVE-2025-14831: DoS via excessive resource consumption during
    certificate verification (bsc#1257960)
  * Add gnutls-CVE-2025-14831.patch
openldap2
- jsc#PED-15735 - expose ldap_log.h in -devel
  * 0246-Include-ldap_log.h-in-devel.patch
- retcon .changes to satisfy source validator
libpcap
- Fix bsc#1258668: Enable RDMA - Fix missing dependency in spec so libcap
  is built with RDMA support.
python311
- CVE-2025-11468: preserving parens when folding comments in
  email headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for
  urllib library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
- CVE-2025-12781: fix decoding with non-standard Base64 alphabet
  (bsc#1257108, gh#python/cpython#125346)
  CVE-2025-12781-b64decode-alt-chars.patch
python3
- CVE-2025-11468: preserving parens when folding comments in
  email headers (bsc#1257029, gh#python/cpython#143935).
  CVE-2025-11468-email-hdr-fold-comment.patch
- CVE-2026-0672: rejects control characters in http cookies.
  (bsc#1257031, gh#python/cpython#143919)
  CVE-2026-0672-http-hdr-inject-cookie-Morsel.patch
- CVE-2026-0865: rejecting control characters in
  wsgiref.headers.Headers, which could be abused for injecting
  false HTTP headers. (bsc#1257042, gh#python/cpython#143916)
  CVE-2026-0865-wsgiref-ctrl-chars.patch
- CVE-2025-15366: basically the same as the previous patch for
  IMAP protocol. (bsc#1257044, gh#python/cpython#143921)
  CVE-2025-15366-imap-ctrl-chars.patch
- CVE-2025-15282: basically the same as the previous patch for
  urllib library. (bsc#1257046, gh#python/cpython#143925)
  CVE-2025-15282-urllib-ctrl-chars.patch
- CVE-2025-15367: basically the same as the previous patch for
  poplib library. (bsc#1257041, gh#python/cpython#143923)
  CVE-2025-15367-poplib-ctrl-chars.patch
libssh
- Security fixes:
  * CVE-2026-0964: SCP Protocol Path Traversal in ssh_scp_pull_request() (bsc#1258049)
  * CVE-2026-0965: Possible Denial of Service when parsing unexpected
    configuration files (bsc#1258045)
  * CVE-2026-0966: Buffer underflow in ssh_get_hexa() on invalid input (bsc#1258054)
  * CVE-2026-0967: Specially crafted patterns could cause DoS (bsc#1258081)
  * CVE-2026-0968: OOB Read in sftp_parse_longname() (bsc#1258080)
  * Add patches:
  - libssh-CVE-2026-0964-scp-Reject-invalid-paths-received-thro.patch
  - libssh-CVE-2026-0965-config-Do-not-attempt-to-read-non-regu.patch
  - libssh-CVE-2026-0966-misc-Avoid-heap-buffer-underflow-in-ss.patch
  - libssh-CVE-2026-0966-tests-Test-coverage-for-ssh_get_hexa.patch
  - libssh-CVE-2026-0966-doc-Update-guided-tour-to-use-SHA256-f.patch
  - libssh-CVE-2026-0967-match-Avoid-recursive-matching-ReDoS.patch
  - libssh-CVE-2026-0968-sftp-Sanitize-input-handling-in-sftp_p.patch
tiff
- security update:
  * CVE-2025-9900 [bsc#1250413]
    Fix Write-What-Where in libtiff via TIFFReadRGBAImageOriented
libvirt
- virsh: Introduce new hypervisor-cpu-models command
  jsc#PED-13062
- wireshark: Adapt to wireshark-4.6.0
  jsc#PED-15400
libxslt
- CVE-2025-10911 will be fixed on libxml2 side instead [bsc#1250553]
- deleted patches
  * libxslt-CVE-2025-10911.patch
zlib
- Fix CVE-2026-27171, infinite loop via the crc32_combine64 and
  crc32_combine_gen64 functions due to missing checks for negative
  lengths (bsc#1258392)
  * CVE-2026-27171.patch
makedumpfile
- makedumpfile-Fix-data-race-in-multi-threading-mode.patch: Fix a
  data race in multi-threading mode (--num-threads=N)
  (bsc#1245569, bsc#1256455).
mdadm
- Update to version 4.4+39.g6e1c3b06:
  * platform-intel: Deal with hot-unplugged devices (bsc#1258265)
  * imsm: Fix UEFI backward compatibility for RAID10D4 (bsc#1257009)

- Update to version 4.4+37.gea219956:
- Backport upstream fixes from 4.5 (bsc#1257009)
  * Re-enable mdadm --monitor ... for /dev/mdX
  * Allow RAID0 to be created with v0.90 metadata
  * Moves memory management into Assemble to avoid null pointer dereference
  * Support non-absolute name during monitor scan
  * Don't set badblock flag when adding a new disk
  * Fix metadata corruption when managing new imsm array
python-certifi
- Add python36-certifi provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-idna
- Add python36-idna provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-packaging
- Add python36-packaging provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-pycparser
- Add python36-pycparser provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-python-dateutil
- Add python36-python-dateutil provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-py
- Add python36-py provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-requests
- Add python36- provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
python-six
- Add python36-six provides/obsoletes to enable SLE-12 ->
  SLE-15 migration, bsc#1233012
release-notes-ha
- 15.7.20260227 (tracked in bsc#933411)
- Added note about Nutanix AHV (jsc#13089)
shim
- Add Microsoft-signed 16.1 shim
- shim.spec: Temporarily disable nx-shim
  - We still need time to test nx (non-executable) shim and develop
    the script for delivery. We will not support nx-shim on all Leap
    and SLE distros because the function should also be supported by
    grub2 and kernel.
- shim.spec: Remove the reproducibility check for the shim binary
  - The binutils on Leap 15.6 and SLE-15-SP3 has been upgraded to 2.45
    while we were waiting for shim-review and Microsoft signing. As a
    result, the shim binary is NOT reproducible on build services.
  - We directly use the Microsoft signed-back shim binaries
    because we built this binary before and have the logs to prove it.
    Until we find a good approach to save/restore the build service
    environment, let's directly use the Microsoft signed-back shim for
    delivery.
- Certificates: Add Microsoft UEFI CA files to the target certificates
  array in pretrans script.
- Certificates: Convert the SUSE certificates from PEM to DER format
- timestamp.pl: fix the size of checksum in PE Optional Header
- shim.spec: Workaround the string comparison issue in elif directive
- shim.spec: Specify the certificate format in openssl commands
- shim.spec: Use io.open instead of pcall rpm.open in pretrans lua script

- Add a pretrans script to verify that the UEFI db should have the
  necessary certificate to allow the shim binary to boot. The installation
  will be aborted if the db is missing the target certificate. To proceed,
  the user must enroll the target certificate in the db or disable UEFI
  Secure Boot.
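
The db check described in the entry above can be sketched as follows. This is an added Python example, not the package's Lua pretrans script. It assumes the efivarfs layout (4 attribute bytes followed by concatenated EFI_SIGNATURE_LISTs) and an exact DER match against the target certificates; the function names, owner GUID and certificate bytes are constructed for illustration.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
LIST_HEADER = struct.Struct("<16sIII")
OWNER_LEN = 16  # every EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def iter_signatures(blob):
    """Yield (type_guid, owner_guid, data) for each entry in the lists."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body = offset + LIST_HEADER.size + hdr_size
        end = offset + list_size
        # Reject sizes that would loop forever or read past the variable.
        if list_size < LIST_HEADER.size + hdr_size or end > len(blob):
            raise ValueError("bad list size at offset %d" % offset)
        if sig_size <= OWNER_LEN or (end - body) % sig_size:
            raise ValueError("bad signature size at offset %d" % offset)
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + OWNER_LEN])
            yield uuid.UUID(bytes_le=sig_type), owner, blob[pos + OWNER_LEN:pos + sig_size]
        offset = end


def db_allows(db_var, cert_der):
    """True if cert_der is enrolled as an X.509 entry in the raw db variable."""
    blob = db_var[4:]  # efivarfs puts 4 bytes of variable attributes first
    return any(t == EFI_CERT_X509_GUID and data == cert_der
               for t, _, data in iter_signatures(blob))


def pretrans_check(db_var, secure_boot, target_certs):
    """Return (ok, reason): abort only if Secure Boot is on and db has no target."""
    if not secure_boot:
        return True, "Secure Boot disabled, nothing to verify"
    if any(db_allows(db_var, cert) for cert in target_certs):
        return True, "target certificate found in db"
    return False, "db lacks the target certificate: enroll it or disable Secure Boot"


def make_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST (helper for the constructed samples)."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return LIST_HEADER.pack(sig_type.bytes_le, LIST_HEADER.size + len(body),
                            0, OWNER_LEN + len(entries[0])) + body


# Constructed sample data: stand-in bytes, not real certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
TARGET_CERT = b"\x30\x82" + b"constructed-target-cert"
OTHER_CERT = b"\x30\x82" + b"constructed-other-cert"
ATTRS = struct.pack("<I", 0x27)  # NV | BS | RT | time-based authenticated write

DB_WITH_TARGET = (ATTRS
                  + make_list(EFI_CERT_SHA256_GUID, OWNER, [hashlib.sha256(b"x").digest()])
                  + make_list(EFI_CERT_X509_GUID, OWNER, [OTHER_CERT])
                  + make_list(EFI_CERT_X509_GUID, OWNER, [TARGET_CERT]))
DB_WITHOUT_TARGET = ATTRS + make_list(EFI_CERT_X509_GUID, OWNER, [OTHER_CERT])

if __name__ == "__main__":
    for name, db in (("with target", DB_WITH_TARGET), ("without target", DB_WITHOUT_TARGET)):
        print(name, pretrans_check(db, True, [TARGET_CERT]))
```

On a live system the variable would be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and the targets from the DER certificate files.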

- Update to 16.1
  - Patches (git log --oneline --reverse 16.0..16.1)
    4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols
    39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses
    3133d19 test-mock-variables: make our filter list entries safer.
    d44405e mock-variables: remove unused variable
    0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04
    d16a5a6 SbatLevel_Variable.txt: minor typo fix.
    32804cf Realloc() needs one more byte for sprintf()
    431d370 IPv6: Add more check to avoid multiple double colon and illegal char
    5e4d93c Loader Proto: make freeing of bprop.buffer conditional.
    33deac2 Prepare to move things from shim.c to verify.c
    030e7df Move a bunch of stuff from shim.c to verify.c
    f3ddda7 handle_image(): make verification conditional
    774f226 Cache sections of a loaded image and sub-images from them.
    eb0d20b loader-protocol: handle sub-section loading for UKIs
    2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
    1abc7ca loader-protocol: NULL output variable in load_image on failure
    fb77b44 Generate Authenticode for the entire PE file
    b86b909 README: mention new loader protocol and interaction with UKIs
    8522612 ci: add mkosi configuration and CI
    9ebab84 mkosi workflow: fix the branch name for main.
    72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX
    a2f0dfa This is an organizational patch to move some things around in mok.c
    54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint()
    a5a6922 get_max_var_sz(): add more debugging for apple platforms
    77a2922 Add a "VariableInfo" variable to mok-variables.
    efc71c9 build: Avoid passing *FLAGS to sub-make
    7670932 Fixes for 'make TOPDIR=... clean'
    13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1
    617aed5 Update version to 16.1~rc1
    d316ba8 format_variable_info(): fix wrong size test.
    f5fad0e _do_sha256_sum(): Fix missing error check.
    3a9734d doc: add howto for running mkosi locally
    ced5f71 mkosi: remove spurious slashes from script
    0076155 ci: update mkosi commit
    5481105 fix http boot
    121cddf loader-protocol: Handle UnloadImage after StartImage properly
    6a1d1a9 loader-protocol: Fix memory leaks
    27a5d22 gitignore: add more mkosi dirs and vscode dir
    346ed15 mkosi: disable repository key check on Fedora
    afc4955 Update version to 16.1
  - 16.1 release note https://github.com/rhboot/shim/releases
    shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738
    Fix uncompressed ipv6 netboot by @hrvach in #742
    fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739
    Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749
    SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751
    Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746
    IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753
    Loader proto v2 by @vathpela in #748
    loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750
    Generate Authenticode for the entire PE file by @esnowberg in #604
    README: mention new loader protocol and interaction with UKIs by @bluca in #755
    ci: add mkosi configuration and CI by @bluca in #764
    shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761
    Save var info by @vathpela in #763
    build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758
    Fixes for 'make TOPDIR=... clean' by @bluca in #762
    add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766
    Coverity fixes 20250804 by @vathpela in #767
    ci: fixlets and docs for mkosi workflow by @bluca in #768
    fix http boot by @jsetje in #770
    Fix double free and leak in the loader protocol by @rosslagerwall in #769
    gitignore: add more mkosi dirs and vscode dir by @bluca in #771
  - Drop upstreamed patch:
    The following patches are merged to 16.1
  - shim-alloc-one-more-byte-for-sprintf.patch
  - 32804cf5d9 Realloc() needs one more byte for sprintf()    [16.1]
  - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch
  - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1]

- Building with the latest version of gcc in the codebase:
  - We prefer building shim with the latest version of gcc in the
    codebase.
  - Set the minimum version to gcc-13.
    if gcc_version < 13
    define gcc_version 13
    endif
  (bsc#1247432)

- SLE shim should include vendor-dbx-sles.esl instead of
  vendor-dbx-opensuse.esl. Fixed it in shim.spec.
    verify='SUSE Linux Enterprise Secure Boot CA1'
-       vendor_dbx='vendor-dbx-opensuse.esl'
  +       vendor_dbx='vendor-dbx-sles.esl'

- Using gcc12 for building shim/shim-nx
  - The gcc12 can workaround dxe_get_mem_attrs() hsi_status problem
  - Add the following changes to shim.spec :
    define gcc_version 12
    global cc_compiler /usr/bin/gcc-%{gcc_version}
    BuildRequires  gcc%{gcc_version}
    make CC=%{cc_compiler} RELEASE=0
- Remove shim-disable-dxe-get-mem-attrs.patch
  - This downstream patch can be removed after moving to gcc12
  (bsc#1247432)

- Add shim-disable-dxe-get-mem-attrs.patch
  - On old edk2-stable202308 ovmf, running dxe_get_mem_attrs() causes
    get_hsi_mem_info() confusion on hsi_status. It looks like hsi_status
    has a copy after running dxe_get_mem_attrs(). Those elements in
    hsi_nx_is_enforced(), HEAPX|STACKX|ROW, can NOT be set into hsi_status.
    Let's disable the approach of DXE get memory attributes until
    we find the root cause.
  (bsc#1247432)

- Building out shim.nx.efi for supporting non-executable
  - Building additional shim with POST_PROCESS_PE_FLAGS=-n to set
    the PE NX-compatibility DLL. (NxCompatible field in DllCharacteristics)
  - Packaging shim.nx.efi to shim-nx RPM.
  - Add MS signatures for shim.nx
  - signature-opensuse-nx.x86_64.asc
    signature-sles-nx.x86_64.asc
    signature-opensuse-nx.aarch64.asc
    signature-sles-nx.aarch64.asc
  - We directly copy signatures of shim for shim.nx before we got
    signatures from Microsoft.
- Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n
  (bsc#1205588)

Factory: Fri Jul 25 05:44:51 UTC 2025 - Joey Lee <jlee@suse.com>
- Add shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch
  - shim: change automatically enable MOK_POLICY_REQUIRE_NX (PR #761)
  (bsc#1205588)

Factory: Wed May 28 03:37:04 UTC 2025 - Tseng <dennis.tseng@suse.com>
- add revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt into dbx
- build shim with EKU enable flag (ENABLE_CODESIGN_EKU)

Factory: Tue May  6 06:19:02 UTC 2025 - Dennis <dennis.tseng@suse.com>
- Update to version 16.0
  - https://github.com/rhboot/shim/releases/download/16.0/shim-16.0.tar.bz2
  - remove shim-bsc1177315-verify-eku-codesign.patch
    remove it because shim github upstream has accepted it (PR #664)
  - add revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt to revoked certificates for dbx
    SLES-UEFI-SIGN-Certificate-20220525.crt can be blacklisted,
    and can be added to the vendor dbx.
  - add shim-alloc-one-more-byte-for-sprintf.patch (bsc#1240871)
    The codes already submitted to git upstream (PR #746)
    In generate_sbat_var_defs.c, realloc() should allocate one more byte for
    the end of string '\0' when running sprintf() later.
  - Patches (git log --oneline --reverse 15.8..16.0)
    126a07e Validate that a supplied vendor cert is not in PEM format
    63edf92 sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
    3e1394e sbat: Also bump latest for grub,4 (and to todays date)
    470a8cd undo change that limits certificate files to a single file
    0287c6b shim: don't set second_stage to the empty string
    3685b13 Fix SBAT.md for today's consensus about numbers
    dc07432 Realize the suggestions as part of PR #672
    e064e7d Update Code of Conduct contact address
    e68f4ca make-certs: Handle missing OpenSSL installation
    74a1f29 Update MokVars.txt  - Update documented mirrored variable attributes from RT to BS,RT  - Add missing MokSBStateRT  - Clarify that MokIgnoreDB is a mirror of MokDBState  - Add missing attributes for MokPWStore
    f6674fe export DEFINES for sub makefile
    47bbb5e Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
    338fded Null-terminate 'arguments' in fallback
    3d1dcd4 Fix "Verifiying" typo in error message
    b5d359a CI: use checkout@v4
    1d8365f CI: work around ownership issue on github
    20094ca Update fedora CI targets
    3cf0e09 Force gcc to produce DWARF4 so that gdb can use it
    5f54182 includes: work around CLANG_PREREQ() double-definition
    ab06527 Makefile: don't warn about clang when building compile_commands.json
    0c9249d Suppress some warnings even harder in Cryptlib and OpenSSL.
    fd7e16f Add building compile_commands.json to CI
    314aecf Discard load-options that start with WINDOWS
    ac85ba4 Fix the issue that the gBS->LoadImage pointer was empty.
    d8c86b7 shim: Allow data after the end of device path node in load options
    d197220 Backport EFI_HTTP_ERROR status code
    6410312 netboot: Convert TFTP error codes to EFI status codes
    ef8e729 httpboot: Convert HTTP status codes to EFI status codes
    2a1cbe6 Update gnu-efi submodule for EFI_HTTP_ERROR
    196cbb9 Increase EFI file alignment
    ad8692e avoid EFIv2 runtime services on Apple x86 machines
    0345331 Improve shortcut performance when comparing two boolean expressions
    27562ea Fix bad reference to PathName in image loading
    1508ece Move is_removable_media_path() to a shared location.
    7864c10 Provide better error message when MokManager is not found
    3e60895 tpm: Boot with a warning if the event log is full
    b560c52 MokManager: remove redundant logical constraints
    9229e7c Make mock_set_variable() correctly account for resource usage.
    f7e1d72 tests: make it possible to use different limits for variable space
    67efdfc test-mok-mirror: refactor the validation of test_mok_mirror_0
    70366a2 test-mok-mirror: add a test case where MokListRT won't fit.
    3caa75e test-mok-mirror: minor bug fix
    dc45aa6 lib/simple_file.c: Allocate zeroed pool for SimpleFS entries
    9415d3c simple_file: Allow to form a volume name from DevicePath
    d6076cb simple_file: Use second variable to create filesystem entries
    f99749a Ignore a minor clang-tidy nit
    98173f0 Fall back to default loader when encountering errors on network boot
    e42c319 test.mk: don't use a temporary random.bin
    c66c157 pe: Enhance debug report for update_mem_attrs
    1125212 Fix leak in error path
    2daf1db Load concatenated EFI_SIGNATURE_LISTs from shim_certificate.efi
    eeca60a Update SbatLevel_Variable.txt with peimage CVE-2024-2312 revocation
    743f3fa Add generate_sbat_var_defs utility program
    5ae408a Generate and use generated_sbat_var_defs.h
    e886fb3 SbatLevel_Variable.txt: clarify where and how revocation data is tracked
    15c1a9a Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP.
    eb02afc Optionally enabling codesign EKU check in compiling time.
    7ae0ee6 Add docs for ENABLE_CODESIGN_EKU
    38dfa37 Create utils file
    83850cd Add configuration option to boot an alternative 2nd stage
    bb114a3 Implement shim image load protocol
    e7b3598 Move some stuff around
    0322e10 Implement the rest of the loader protocol functions
    e43aea8 Add EFI_LOAD_FILE2_PROTOCOL to gnu-efi
    2bff460 loader-proto: Add support for loading files from disk to LoadImage()
    5d17278 loader-proto: Mark load_image()'s handle_image() call as "in_protocol"
    fe2ad36 Don't print full screen error dialog from handle_image() when called in_protocol
    c57af36 loader-proto: Respect optional DevicePath parameter to load_image()
    2b49dc1 Suppress file open failures for some netboot cases
    3c3295d netboot: process revocations.efi as revocations not shim_certificate
    c66ce2a Allow indepdent SkuSi and SBAT revocation updates
    6b8e40c netboot can try to load shim_certificate_[0..9].efi
    301cf52 Document how revocations can be delivered
    7cde2cc post-process-pe: add tests to validate NX compliance
    1294b47 regression: out of bounds read in CopyMem() in ad8692e
    765f294 compiler.h: minor ALIGN_... fixes
    5c1e6e4 Move error logging decls out of shim.h
    d972515 Save the debug and error logs in mok-variables
    e3f0338 Silence minor nit in load-options parsing debug output
    3d7c057 get_mem_attrs(): ensure an error code is set on failure
    49db3de mok: add MOK_VARIABLE_CONFIG_ONLY
    887c0ed mok variables: add a format callback
    e4857b4 Make test-mok-error failures *slightly* more clear.
    589c3f2 Move memory attribute support to its own file.
    848667d shim: add HSIStatus feature
    e136e64 mock-variables: fix debugging printf format specifier oopsie
    f0958ba test-mock-variables: improve some debug prints
    b216543 Move mok state variable data flag definitions to the header.
    fc0cfac Mirror some more efi variables to mok-variables
    eeda3fa gnu-efi: add some DXE services.
    c41b1f0 Add support for DXE memory attribute updates.
    9269e9b Add DXE Services information to HSI
    c868d54 hexdump: give a different debug log for size==0
    1baf1ef HSI: Add decode_hsi_bits() for easier reading of the debug log
    3bce118 pe: read_header(): allow skipping SecDir content validation
    89e6150 Add shim's current NX_COMPAT status to HSIStatus
    c5c5287 peimage.h: minor whitespace fixes
    5007d83 peimage: add a bunch of comments to read_header()
    489af5e README.tpm: reflect that vendor_db is in fact logged as "vendor_db"
    1958b0f reject message with different values in multiple Content-Length header field
    9c423e0 Some save_logs() improvements.
    81d40e3 Disable log saving for now.
    498b149 fallback: don't add new boot order entries backwards
    06d8dec makefiles: Make GITTAG swizzle tildes to dashes
    f02b2c1 make-archive: some minor housekeeping
    794d237 Update version to 16.0~rc1
    d45c610 SetSecureVariable(): free Cert on failure
    76fab7b generate_sbat_var_defs: run clang-format on readfile()
    6dadb70 generate_sbat_var_defs: Fix memory leak on realloc failure and fd leak.
    f58c77e generate_sbat_var_defs: Ensure revlistentry->revocations is initialized.
    b427a34 mirror_mok_db(): get rid of an unused variable+allocation
    92630f2 mirror_one_mok_variable(): fix a memory leak on TPM log error.
    38f0a9c mirror_mok_db(): Free our mok variable name correctly
    db04321 shim_load_image(): initialize the buffer fully
    7b75382 simple_dir_filter(): test our 'next' pointer
    db1f1da Make 'make fanalyzer' work again.
    28d8871 README.tpm: Update MokList entry to MokListRT
    8932527 SBAT Level update for February 2025 GRUB CVEs
    18d98bf Update version to 16.0

Factory: Tue Jun 25 04:12:39 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
- Update asc files of shim-15.8 after being signed back from
  Microsoft, including:
  signature-opensuse.x86_64.asc,
  signature-opensuse.aarch64.asc
  - asc files of shim-15.8 for sles were already updated on Apr 18, 2024
    signature-sles.x86_64.asc,
    signature-sles.aarch64.asc.

Factory: Mon Feb 26 13:09:29 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Use %autosetup macro. Allows to eliminate the usage of deprecated
  PatchN.

Factory: Sat Feb 17 07:51:01 UTC 2024 - Joey Lee <jlee@suse.com>
- Modified shim.spec file to add suffix string of project to filename
  of included certificates. e.g.
    rpm -pql shim-15.8-lp155.6.1.x86_64.rpm
    /etc/uefi
    /etc/uefi/certs
    /etc/uefi/certs/2B697CB1-shim-devel.crt
    /etc/uefi/certs/4659838C-shim-opensuse.crt
    /etc/uefi/certs/BCA4E38E-shim-sles.crt
  The original names of the crt files are:
    /etc/uefi/certs/2B697CB1-shim.crt
    /etc/uefi/certs/4659838C-shim.crt
    /etc/uefi/certs/BCA4E38E-shim.crt
  It can indicate the source project of certificates.
syslogd
- Drop last sysvinit Requirement/Provide (PED-13698)