| Commit | Line | Data |
|---|---|---|
| 4c03444e MTL | 1 | shim (0.8-0ubuntu1) UNRELEASED; urgency=medium |
| | 2 | |
| | 3 | * New upstream release. |
| 37358ddb | 4 | - Clarify meaning of insecure_mode. (LP: #1384973) |
| e42efbd9 MTL | 5 | * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, |
| | 6 | debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included |
| | 7 | in the upstream release. |
| 28da53af MTL | 8 | * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: |
| | 9 | refreshed. |
| 4c03444e MTL | 10 | |
| | 11 | -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Wed, 06 May 2015 09:49:45 -0400 |
| | 12 | |
| 8b0389dd | 13 | shim (0.7-0ubuntu4) utopic; urgency=medium |
| 3586772f SL | 14 | |
| | 15 | * SECURITY UPDATE: heap overflow and out-of-bounds read access when |
| | 16 | parsing DHCPv6 information |
| | 17 | - debian/patches/CVE-2014-3675.patch: apply proper bounds checking |
| | 18 | when parsing data provided in DHCPv6 packets. |
| | 19 | - CVE-2014-3675 |
| | 20 | - CVE-2014-3676 |
| | 21 | * SECURITY UPDATE: memory corruption when processing user-provided key |
| | 22 | lists |
| | 23 | - debian/patches/CVE-2014-3677.patch: detect malformed machine owner |
| | 24 | key (MOK) lists and ignore them, avoiding possible memory corruption. |
| | 25 | - CVE-2014-3677 |
| | 26 | |
| e82e7706 | 27 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000 |
| 3586772f | 28 | |
| bc9b5d63 | 29 | shim (0.7-0ubuntu2) utopic; urgency=medium |
| 172647da SL | 30 | |
| | 31 | * Restore debian/patches/prototypes, which still is needed on shim 0.7 |
| 4960f358 SL | 32 | but only detected on the buildds. |
| | 33 | * Update debian/patches/prototypes with some new declarations needed for |
| | 34 | openssl 0.9.8za update. |
| 172647da | 35 | |
| bc9b5d63 | 36 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700 |
| 172647da | 37 | |
| db8383ad | 38 | shim (0.7-0ubuntu1) utopic; urgency=medium |
| 59945b25 SL | 39 | |
| | 40 | * New upstream release. |
| | 41 | - fix spurious error message when fallback.efi is not present, as will |
| | 42 | always be the case for removable media. LP: #1297069. |
| c61b06bc | 43 | - drop most patches, included upstream. |
| 1e963007 SL | 44 | * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick |
| | 45 | openssl 0.9.8za in via upstream. |
| 59945b25 | 46 | |
| db8383ad | 47 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000 |
| 59945b25 | 48 | |
| 5fc0e7f6 | 49 | shim (0.4-0ubuntu5) utopic; urgency=low |
| d53fb652 SL | 50 | |
| | 51 | * Install fallback.efi.signed as well, to lay the groundwork for fallback |
| | 52 | handling (wanted when we have to move a drive between machines, or when |
| | 53 | the firmware loses its marbles^W nvram). |
| | 54 | |
| 5fc0e7f6 | 55 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200 |
| d53fb652 | 56 | |
| eb32f5ba | 57 | shim (0.4-0ubuntu4) saucy; urgency=low |
| 50ab550a SL | 58 | |
| | 59 | * debian/patches/fix-tftp-prototype: pass the right arguments to |
| | 60 | EFI_PXE_BASE_CODE_TFTP_READ_FILE. |
| c43e3c7c SL | 61 | * debian/patches/build-with-Werror: Build with -Werror to catch future |
| | 62 | prototype mismatches. |
| | 63 | * debian/patches/fix-compiler-warnings: Fix remaining compiler |
| | 64 | warnings in netboot.c. |
| 0c74470d SL | 65 | * debian/patches/tftp-proper-nul-termination: fix nul termination |
| | 66 | errors in filenames passed to tftp. |
| 84a3bbdf SL | 67 | * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to |
| | 68 | the netboot code. |
| 50ab550a | 69 | |
| eb32f5ba | 70 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700 |
| 50ab550a | 71 | |
| 4c13d15a | 72 | shim (0.4-0ubuntu3) saucy; urgency=low |
| 0c50644a | 73 | |
| 0929c5e5 | 74 | [ Steve Langasek ] |
| 0c50644a | 75 | * Install MokManager.efi.signed in the package. |
| 44ecc6a3 SL | 76 | * debian/patches/no-output-by-default.patch: Don't print any |
| | 77 | informational messages. Closes LP: #1074302. |
| 0c50644a | 78 | |
| 0929c5e5 SG | 79 | [ Stéphane Graber ] |
| | 80 | * debian/patches/no-print-on-unsigned: Don't print an error message when |
| | 81 | validating an unsigned binary as that tends to hang Lenovo machines. |
| | 82 | (LP: #1087501) |
| | 83 | |
| 4c13d15a | 84 | -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200 |
| 0c50644a | 85 | |
| 6657ac38 | 86 | shim (0.4-0ubuntu2) saucy; urgency=low |
| 15d7c608 SL | 87 | |
| | 88 | * Add missing build-dependency on openssl. |
| | 89 | |
| 6657ac38 | 90 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000 |
| 15d7c608 | 91 | |
| 63eea134 | 92 | shim (0.4-0ubuntu1) saucy; urgency=low |
| 0565508e | 93 | |
| 1b5fb6c0 | 94 | * New upstream release. |
| 0565508e SL | 95 | * Drop debian/patches/shim-before-loadimage; upstream has changed this to |
| | 96 | not call loadimage at all. |
| c37196e7 SL | 97 | * debian/patches/sbsigntool-not-pesign: Sign MokManager with |
| | 98 | sbsigntool instead of pesign. |
| e77adb28 | 99 | * Add a versioned build-dependency on gnu-efi. |
| 0565508e | 100 | |
| 63eea134 | 101 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700 |
| 0565508e | 102 | |
| 3cd870ac | 103 | shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low |
| 3180a8dd SL | 104 | |
| | 105 | * debian/patches/shim-before-loadimage: Use direct verification first |
| | 106 | before LoadImage. Addresses an issue where Lenovo's SecureBoot |
| | 107 | implementation pops an error message on any verification failure - avoid |
| | 108 | calling LoadImage at all unless we have to. |
| | 109 | |
| 3cd870ac | 110 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700 |
| 3180a8dd | 111 | |
| 1d8992c5 | 112 | shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low |
| 5ea013bd SL | 113 | |
| | 114 | * debian/patches/second-stage-path: Chainload grubx64.efi, not |
| | 115 | grub.efi. |
| | 116 | |
| 1d8992c5 | 117 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700 |
| 5ea013bd | 118 | |
| be30a850 | 119 | shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low |
| 76e675cb SL | 120 | |
| | 121 | * debian/patches/prototypes: Include missing prototypes, and disable |
| | 122 | use of BIO_new_file. |
| 63e313d7 SL | 123 | * Only build the package for amd64; we're not signing an i386 shim at this |
| | 124 | stage so there's no point in building it. |
| 76e675cb | 125 | |
| be30a850 | 126 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000 |
| 76e675cb | 127 | |
| b54fc10a | 128 | shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low |
| c86d9dac SL | 129 | |
| | 130 | * Initial release. |
| 10d096d4 | 131 | * Include the Canonical Secure Boot master CA. |
| c86d9dac | 132 | |
| b54fc10a | 133 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 |