[efi-boot-shim.git] / debian / changelog

shim (0.8-0ubuntu1) UNRELEASED; urgency=medium

  * New upstream release.
    - Clarify meaning of insecure_mode. (LP: #1384973)
  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
    in the upstream release.
  * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
    refreshed.

 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Wed, 06 May 2015 09:49:45 -0400

shim (0.7-0ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
    parsing DHCPv6 information
    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
      when parsing data provided in DHCPv6 packets.
    - CVE-2014-3675
    - CVE-2014-3676
  * SECURITY UPDATE: memory corruption when processing user-provided key
    lists
    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
      key (MOK) lists and ignore them, avoiding possible memory corruption.
    - CVE-2014-3677

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000

shim (0.7-0ubuntu2) utopic; urgency=medium

  * Restore debian/patches/prototypes, which still is needed on shim 0.7
    but only detected on the buildds.
  * Update debian/patches/prototypes with some new declarations needed for
    openssl 0.9.8za update.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700

shim (0.7-0ubuntu1) utopic; urgency=medium

  * New upstream release.
    - fix spurious error message when fallback.efi is not present, as will
      always be the case for removable media.  LP: #1297069.
    - drop most patches, included upstream.
  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
    openssl 0.9.8za in via upstream.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000

shim (0.4-0ubuntu5) utopic; urgency=low

  * Install fallback.efi.signed as well, to lay the groundwork for fallback
    handling (wanted when we have to move a drive between machines, or when
    the firmware loses its marbles^W nvram).

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200

shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler
    warnings in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix nul termination
    errors in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
    the netboot code.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700

shim (0.4-0ubuntu3) saucy; urgency=low

  [ Steve Langasek ]
  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages.  Closes LP: #1074302.

  [ Stéphane Graber ]
  * debian/patches/no-print-on-unsigned: Don't print an error message when
    validating an unsigned binary as that tends to hang Lenovo machines.
    (LP: #1087501)

 -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
    not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
    sbsigntool instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage.  Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure - avoid
    calling LoadImage at all unless we have to.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700

shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low

  * debian/patches/second-stage-path: Chainload grubx64.efi, not
    grub.efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700

shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low

  * debian/patches/prototypes: Include missing prototypes, and disable
    use of BIO_new_file.
  * Only build the package for amd64; we're not signing an i386 shim at this
    stage so there's no point in building it.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000

shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low

  * Initial release.
  * Include the Canonical Secure Boot master CA.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700
Commit	Line	Data
4c03444e MTL	1	shim (0.8-0ubuntu1) UNRELEASED; urgency=medium
	2
	3	* New upstream release.
37358ddb	4	- Clarify meaning of insecure_mode. (LP: #1384973)
e42efbd9 MTL	5	* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
	6	debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
	7	in the upstream release.
28da53af MTL	8	* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
28da53af MTL	9	refreshed.
4c03444e MTL	10
	11	-- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Wed, 06 May 2015 09:49:45 -0400
	12
8b0389dd	13	shim (0.7-0ubuntu4) utopic; urgency=medium
3586772f SL	14
	15	* SECURITY UPDATE: heap overflow and out-of-bounds read access when
	16	parsing DHCPv6 information
	17	- debian/patches/CVE-2014-3675.patch: apply proper bounds checking
	18	when parsing data provided in DHCPv6 packets.
	19	- CVE-2014-3675
	20	- CVE-2014-3676
	21	* SECURITY UPDATE: memory corruption when processing user-provided key
	22	lists
	23	- debian/patches/CVE-2014-3677.patch: detect malformed machine owner
	24	key (MOK) lists and ignore them, avoiding possible memory corruption.
	25	- CVE-2014-3677
	26
e82e7706	27	-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
3586772f	28
bc9b5d63	29	shim (0.7-0ubuntu2) utopic; urgency=medium
172647da SL	30
172647da SL	31	* Restore debian/patches/prototypes, which still is needed on shim 0.7
4960f358 SL	32	but only detected on the buildds.
	33	* Update debian/patches/prototypes with some new declarations needed for
	34	openssl 0.9.8za update.
172647da	35
bc9b5d63	36	-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
172647da	37
db8383ad	38	shim (0.7-0ubuntu1) utopic; urgency=medium
59945b25 SL	39
	40	* New upstream release.
	41	- fix spurious error message when fallback.efi is not present, as will
	42	always be the case for removable media. LP: #1297069.
c61b06bc	43	- drop most patches, included upstream.
1e963007 SL	44	* debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
1e963007 SL	45	openssl 0.9.8za in via upstream.
59945b25	46
db8383ad	47	-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
59945b25	48
5fc0e7f6	49	shim (0.4-0ubuntu5) utopic; urgency=low
d53fb652 SL	50
	51	* Install fallback.efi.signed as well, to lay the groundwork for fallback
	52	handling (wanted when we have to move a drive between machines, or when
	53	the firmware loses its marbles^W nvram).
	54
5fc0e7f6	55	-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
d53fb652	56
eb32f5ba	57	shim (0.4-0ubuntu4) saucy; urgency=low
50ab550a SL	58
	59	* debian/patches/fix-tftp-prototype: pass the right arguments to
	60	EFI_PXE_BASE_CODE_TFTP_READ_FILE.
c43e3c7c SL	61	* debian/patches/build-with-Werror: Build with -Werror to catch future
	62	prototype mismatches.
	63	* debian/patches/fix-compiler-warnings: Fix remaining compiler
	64	warnings in netboot.c.
0c74470d SL	65	* debian/patches/tftp-proper-nul-termination: fix nul termination
0c74470d SL	66	errors in filenames passed to tftp.
84a3bbdf SL	67	* debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
84a3bbdf SL	68	the netboot code.
50ab550a	69
eb32f5ba	70	-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
50ab550a	71
4c13d15a	72	shim (0.4-0ubuntu3) saucy; urgency=low
0c50644a	73
0929c5e5	74	[ Steve Langasek ]
0c50644a	75	* Install MokManager.efi.signed in the package.
44ecc6a3 SL	76	* debian/patches/no-output-by-default.patch: Don't print any
44ecc6a3 SL	77	informational messages. Closes LP: #1074302.
0c50644a	78
0929c5e5 SG	79	[ Stéphane Graber ]
	80	* debian/patches/no-print-on-unsigned: Don't print an error message when
	81	validating an unsigned binary as that tends to hang Lenovo machines.
	82	(LP: #1087501)
	83
4c13d15a	84	-- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
0c50644a	85
6657ac38	86	shim (0.4-0ubuntu2) saucy; urgency=low
15d7c608 SL	87
	88	* Add missing build-dependency on openssl.
	89
6657ac38	90	-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
15d7c608	91
63eea134	92	shim (0.4-0ubuntu1) saucy; urgency=low
0565508e	93
1b5fb6c0	94	* New upstream release.
0565508e SL	95	* Drop debian/patches/shim-before-loadimage; upstream has changed this to
0565508e SL	96	not call loadimage at all.
c37196e7 SL	97	* debian/patches/sbsigntool-not-pesign: Sign MokManager with
c37196e7 SL	98	sbsigntool instead of pesign.
e77adb28	99	* Add a versioned build-dependency on gnu-efi.
0565508e	100
63eea134	101	-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
0565508e	102
3cd870ac	103	shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
3180a8dd SL	104
	105	* debian/patches/shim-before-loadimage: Use direct verification first
	106	before LoadImage. Addresses an issue where Lenovo's SecureBoot
	107	implementation pops an error message on any verification failure - avoid
	108	calling LoadImage at all unless we have to.
	109
3cd870ac	110	-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
3180a8dd	111
1d8992c5	112	shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
5ea013bd SL	113
	114	* debian/patches/second-stage-path: Chainload grubx64.efi, not
	115	grub.efi.
	116
1d8992c5	117	-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
5ea013bd	118
be30a850	119	shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
76e675cb SL	120
	121	* debian/patches/prototypes: Include missing prototypes, and disable
	122	use of BIO_new_file.
63e313d7 SL	123	* Only build the package for amd64; we're not signing an i386 shim at this
63e313d7 SL	124	stage so there's no point in building it.
76e675cb	125
be30a850	126	-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
76e675cb	127
b54fc10a	128	shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
c86d9dac SL	129
c86d9dac SL	130	* Initial release.
10d096d4	131	* Include the Canonical Secure Boot master CA.
c86d9dac	132
b54fc10a	133	-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700