Yep. I mentioned these in my post yesterday but I didn't go into any detail as they've been public for some little
while. The various vendor updates are patching both CVEs, as you noted. Ubuntu published an advisory for these a few
days ago (https://ubuntu.com/security/notices/USN-4440-1); we, and others, rolled the kernel fixes in with the rest of
the changes.
Important and necessary as these fixes are, they're not the main reason for pushing new kernels out along with updated
grub and shim. Complete mitigation requires updating the entire signature chain, and most vendors needed to re-sign the
kernel. (I'm not only losing track of who re-signed what, but the will to live :))
In other breaking news, software is buggy :) As sure as it rains in Lancashire, there will be more secure boot bypass
bugs somewhere along the chain. And we will be ready for them.
Seriously, as I and others have said several times: you must update the entire signature chain, then, and only then,
update the dbx. Someone, somewhere, probably several someones, are going to decide they know better and wind up
bricking their Secure Boot systems. Personally, they'll find my sympathy in short supply when they do :/
jch
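The pre-flight check behind the ordering rule above, as an added example that is not part of the original post or of any vendor's tooling: before a dbx update is applied, parse it (the EFI_VARIABLE_AUTHENTICATION_2 wrapper plus the EFI_SIGNATURE_LIST payload, laid out as the UEFI specification defines them) and confirm that none of the shim, grub or kernel you currently boot with is among the hashes it revokes. The Authenticode PE hashes of the installed binaries are assumed to be supplied by the caller; the dbx update, the hashes and the PKCS#7 placeholder below are all constructed for the demonstration and are not a real signed update.

```python
"""Pre-flight check for a UEFI dbx update: does the update revoke anything
we currently boot with? Stand-alone example built on constructed data."""
import hashlib
import struct
import uuid

# GUIDs and constants from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1
WIN_CERT_REVISION = 0x0200


def strip_auth_header(blob: bytes) -> bytes:
    """Return the EFI_SIGNATURE_LIST payload of a dbx update.

    Distributed dbx updates are EFI_VARIABLE_AUTHENTICATION_2 blobs: an
    EFI_TIME (16 bytes) followed by a WIN_CERTIFICATE_UEFI_GUID whose dwLength
    covers the certificate header and the PKCS#7 signature. A bare signature
    list starts with a GUID instead, and its SignatureHeaderSize field lands
    where wRevision/wCertificateType would be, so the check below tells the
    two forms apart.
    """
    if len(blob) >= 24:
        dw_length, w_revision, w_cert_type = struct.unpack_from("<IHH", blob, 16)
        if (w_revision == WIN_CERT_REVISION and w_cert_type == WIN_CERT_TYPE_EFI_GUID
                and 16 + dw_length <= len(blob)):
            return blob[16 + dw_length:]
    return blob


def parse_signature_lists(data: bytes):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every entry in
    a concatenation of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size <= 16:  # every entry starts with a 16-byte SignatureOwner GUID
            raise ValueError("bad SignatureSize")
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("list body is not a whole number of signatures")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield sig_type, owner, body[i + 16:i + sig_size]
        off += list_size


def revoked_sha256_hashes(update_blob: bytes) -> set:
    """All EFI_CERT_SHA256 entries (Authenticode PE hashes) in the update."""
    return {data for sig_type, _, data in parse_signature_lists(strip_auth_header(update_blob))
            if sig_type == EFI_CERT_SHA256_GUID}


def components_hit_by_dbx(update_blob: bytes, installed: dict) -> list:
    """Names of installed components whose hash the update would revoke.

    `installed` maps a name (shim, grub, kernel) to the 32-byte Authenticode
    SHA-256 hash of the signed PE file; computing that from a real binary is
    assumed to happen elsewhere. A non-empty result means the signature chain
    has not been updated yet, so applying this dbx would brick the boot.
    """
    revoked = revoked_sha256_hashes(update_blob)
    return sorted(name for name, digest in installed.items() if digest in revoked)


def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Encode 32-byte hashes as one EFI_SIGNATURE_LIST (used to construct test data)."""
    entries = b"".join(owner.bytes_le + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(entries), 0, 16 + 32)
    return header + entries


def wrap_auth2(payload: bytes, pkcs7: bytes) -> bytes:
    """Wrap a payload the way an EFI_VARIABLE_AUTHENTICATION_2 update does."""
    win_cert = struct.pack("<IHH", 24 + len(pkcs7), WIN_CERT_REVISION, WIN_CERT_TYPE_EFI_GUID)
    return bytes(16) + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7 + payload


# Constructed stand-ins for Authenticode hashes of the installed PE files.
OLD_SHIM, OLD_GRUB = (hashlib.sha256(s).digest() for s in (b"shim-old", b"grub-old"))
NEW_SHIM, NEW_GRUB, KERNEL = (hashlib.sha256(s).digest() for s in (b"shim-new", b"grub-new", b"vmlinuz"))

# Constructed dbx update revoking the old shim and grub; the PKCS#7 bytes are a placeholder.
SAMPLE_DBX_UPDATE = wrap_auth2(build_sha256_list([OLD_SHIM, OLD_GRUB]), pkcs7=b"\x30\x00")
INSTALLED_BEFORE = {"shim": OLD_SHIM, "grub": NEW_GRUB, "kernel": KERNEL}
INSTALLED_AFTER = {"shim": NEW_SHIM, "grub": NEW_GRUB, "kernel": KERNEL}

if __name__ == "__main__":
    print("would be revoked:", components_hit_by_dbx(SAMPLE_DBX_UPDATE, INSTALLED_BEFORE))  # ['shim']
    print("after chain update:", components_hit_by_dbx(SAMPLE_DBX_UPDATE, INSTALLED_AFTER))  # []
```

The check is deliberately one-directional: it only tells you that the dbx is safe to apply with respect to what is installed now, not that the new shim, grub and kernel are themselves signed by a certificate the firmware trusts. That second half still has to be verified against db before you reboot.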