]>
Commit | Line | Data |
---|---|---|
2f799ca9 | 1 | shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium |
b65e78ec | 2 | |
2f799ca9 SL |
3 | * Initial Debian upload. Closes: #820052. |
4 | * Update Standards-Version. | |
5 | * Embed the newly-minted Debian CA certificate. | |
6 | * Vendorize debian/rules so that the same package can be used in both | |
7 | Debian and Ubuntu without modification. | |
8 | * Fix debian/copyright to match the spec (last match wins, not first) | |
9 | * Fix shim.efi to not be executable. | |
10 | * Add watchfile. | |
11 | * Support parallel builds, because eh why not | |
12 | * Update Vcs-Bzr. | |
b65e78ec SL |
13 | * Resync with Ubuntu, including patch to fix debian/copyright. |
14 | ||
2f799ca9 | 15 | -- Steve Langasek <vorlon@debian.org> Sat, 01 Oct 2016 14:18:53 -0700 |
b65e78ec | 16 | |
5998f019 | 17 | shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium |
879d307f | 18 | |
e3ef28ac | 19 | [ Helen Koike ] |
879d307f HK |
20 | * debian/copyright: add OpenSSL license |
21 | ||
e3ef28ac | 22 | [ Mathieu Trudel-Lapierre ] |
5998f019 | 23 | * New upstream release. |
e3ef28ac HK |
24 | * debian/copyright: patches should be BSD, like the rest of the upstream |
25 | code. | |
c2463d38 MTL |
26 | * debian/patches/unused-variable: dropped; applied upstream. |
27 | * debian/patches/binutils-version-matching: dropped, fixed upstream. | |
86b44a70 MTL |
28 | * debian/shim.install: built EFI binaries were renamed; update our install |
29 | file to properly pick up shim (shim$arch), MokManager (mm$arch), and | |
30 | fallback (fb$arch). | |
e3ef28ac | 31 | |
5998f019 | 32 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400 |
879d307f | 33 | |
cffaa507 | 34 | shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium |
1854cb28 MTL |
35 | |
36 | * New upstream release. | |
d191cf2c | 37 | - Better handle LoadOptions. (LP: #1581299) |
110c669f MTL |
38 | - Measure state and second stage in TPM. |
39 | - Mirror MokSBState in runtime as MokSBStateRT. | |
d191cf2c | 40 | - Fix failure to build with GCC 5. (LP: #1429978) |
110c669f MTL |
41 | - Various bug fixes and other improvements. |
42 | * Refreshed patches. | |
43 | - Remaining patches: | |
44 | + second-stage-path | |
45 | + sbsigntool-not-pesign | |
7fbc200d MTL |
46 | * debian/patches/unused-variable: remove unused variable size. |
47 | * debian/patches/binutils-version-matching: revert d9a4c912 to correctly | |
48 | match objcopy's version on Ubuntu. | |
9fa1d28f | 49 | * debian/copyright: update copyright for patches. |
c2f285a9 | 50 | |
cffaa507 | 51 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400 |
d6f876b8 | 52 | |
8fa98d6d SL |
53 | shim (0.8-0ubuntu2) wily; urgency=medium |
54 | ||
55 | * No-change rebuild against gnu-efi 3.0v-5ubuntu1. | |
56 | ||
57 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000 | |
58 | ||
acd2cc1e | 59 | shim (0.8-0ubuntu1) wily; urgency=medium |
4c03444e MTL |
60 | |
61 | * New upstream release. | |
37358ddb | 62 | - Clarify meaning of insecure_mode. (LP: #1384973) |
e42efbd9 MTL |
63 | * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, |
64 | debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included | |
65 | in the upstream release. | |
28da53af MTL |
66 | * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: |
67 | refreshed. | |
4c03444e | 68 | |
acd2cc1e | 69 | -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400 |
4c03444e | 70 | |
8b0389dd | 71 | shim (0.7-0ubuntu4) utopic; urgency=medium |
3586772f SL |
72 | |
73 | * SECURITY UPDATE: heap overflow and out-of-bounds read access when | |
74 | parsing DHCPv6 information | |
75 | - debian/patches/CVE-2014-3675.patch: apply proper bounds checking | |
76 | when parsing data provided in DHCPv6 packets. | |
77 | - CVE-2014-3675 | |
78 | - CVE-2014-3676 | |
79 | * SECURITY UPDATE: memory corruption when processing user-provided key | |
80 | lists | |
81 | - debian/patches/CVE-2014-3677.patch: detect malformed machine owner | |
82 | key (MOK) lists and ignore them, avoiding possible memory corruption. | |
83 | - CVE-2014-3677 | |
84 | ||
e82e7706 | 85 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000 |
3586772f | 86 | |
bc9b5d63 | 87 | shim (0.7-0ubuntu2) utopic; urgency=medium |
172647da SL |
88 | |
89 | * Restore debian/patches/prototypes, which still is needed on shim 0.7 | |
4960f358 SL |
90 | but only detected on the buildds. |
91 | * Update debian/patches/prototypes with some new declarations needed for | |
92 | openssl 0.9.8za update. | |
172647da | 93 | |
bc9b5d63 | 94 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700 |
172647da | 95 | |
db8383ad | 96 | shim (0.7-0ubuntu1) utopic; urgency=medium |
59945b25 SL |
97 | |
98 | * New upstream release. | |
99 | - fix spurious error message when fallback.efi is not present, as will | |
100 | always be the case for removable media. LP: #1297069. | |
c61b06bc | 101 | - drop most patches, included upstream. |
1e963007 SL |
102 | * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick |
103 | openssl 0.9.8za in via upstream. | |
59945b25 | 104 | |
db8383ad | 105 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000 |
59945b25 | 106 | |
5fc0e7f6 | 107 | shim (0.4-0ubuntu5) utopic; urgency=low |
d53fb652 SL |
108 | |
109 | * Install fallback.efi.signed as well, to lay the groundwork for fallback | |
110 | handling (wanted when we have to move a drive between machines, or when | |
111 | the firmware loses its marbles^W nvram). | |
112 | ||
5fc0e7f6 | 113 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200 |
d53fb652 | 114 | |
eb32f5ba | 115 | shim (0.4-0ubuntu4) saucy; urgency=low |
50ab550a SL |
116 | |
117 | * debian/patches/fix-tftp-prototype: pass the right arguments to | |
118 | EFI_PXE_BASE_CODE_TFTP_READ_FILE. | |
c43e3c7c SL |
119 | * debian/patches/build-with-Werror: Build with -Werror to catch future |
120 | prototype mismatches. | |
121 | * debian/patches/fix-compiler-warnings: Fix remaining compiler | |
122 | warnings in netboot.c. | |
0c74470d SL |
123 | * debian/patches/tftp-proper-nul-termination: fix nul termination |
124 | errors in filenames passed to tftp. | |
84a3bbdf SL |
125 | * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to |
126 | the netboot code. | |
50ab550a | 127 | |
eb32f5ba | 128 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700 |
50ab550a | 129 | |
4c13d15a | 130 | shim (0.4-0ubuntu3) saucy; urgency=low |
0c50644a | 131 | |
0929c5e5 | 132 | [ Steve Langasek ] |
0c50644a | 133 | * Install MokManager.efi.signed in the package. |
44ecc6a3 SL |
134 | * debian/patches/no-output-by-default.patch: Don't print any |
135 | informational messages. Closes LP: #1074302. | |
0c50644a | 136 | |
0929c5e5 SG |
137 | [ Stéphane Graber ] |
138 | * debian/patches/no-print-on-unsigned: Don't print an error message when | |
139 | validating an unsigned binary as that tends to hang Lenovo machines. | |
140 | (LP: #1087501) | |
141 | ||
4c13d15a | 142 | -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200 |
0c50644a | 143 | |
6657ac38 | 144 | shim (0.4-0ubuntu2) saucy; urgency=low |
15d7c608 SL |
145 | |
146 | * Add missing build-dependency on openssl. | |
147 | ||
6657ac38 | 148 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000 |
15d7c608 | 149 | |
63eea134 | 150 | shim (0.4-0ubuntu1) saucy; urgency=low |
0565508e | 151 | |
1b5fb6c0 | 152 | * New upstream release. |
0565508e SL |
153 | * Drop debian/patches/shim-before-loadimage; upstream has changed this to |
154 | not call loadimage at all. | |
c37196e7 SL |
155 | * debian/patches/sbsigntool-not-pesign: Sign MokManager with |
156 | sbsigntool instead of pesign. | |
e77adb28 | 157 | * Add a versioned build-dependency on gnu-efi. |
0565508e | 158 | |
63eea134 | 159 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700 |
0565508e | 160 | |
3cd870ac | 161 | shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low |
3180a8dd SL |
162 | |
163 | * debian/patches/shim-before-loadimage: Use direct verification first | |
164 | before LoadImage. Addresses an issue where Lenovo's SecureBoot | |
165 | implementation pops an error message on any verification failure - avoid | |
166 | calling LoadImage at all unless we have to. | |
167 | ||
3cd870ac | 168 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700 |
3180a8dd | 169 | |
1d8992c5 | 170 | shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low |
5ea013bd SL |
171 | |
172 | * debian/patches/second-stage-path: Chainload grubx64.efi, not | |
173 | grub.efi. | |
174 | ||
1d8992c5 | 175 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700 |
5ea013bd | 176 | |
be30a850 | 177 | shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low |
76e675cb SL |
178 | |
179 | * debian/patches/prototypes: Include missing prototypes, and disable | |
180 | use of BIO_new_file. | |
63e313d7 SL |
181 | * Only build the package for amd64; we're not signing an i386 shim at this |
182 | stage so there's no point in building it. | |
76e675cb | 183 | |
be30a850 | 184 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000 |
76e675cb | 185 | |
b54fc10a | 186 | shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low |
c86d9dac SL |
187 | |
188 | * Initial release. | |
10d096d4 | 189 | * Include the Canonical Secure Boot master CA. |
c86d9dac | 190 | |
b54fc10a | 191 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 |