Commit | Line | Data |
---|---|---|
91350387 | 1 | shim (15.8-1~deb12u1) bookworm; urgency=medium |
7686deba | 2 | |
5c55ced2 | 3 | [ Steve McIntyre ] |
7686deba | 4 | * Cope with changes in pesign packaging. |
487a9b02 | 5 | * New upstream release fixing more bugs |
bb0763da | 6 | * Remove all our previous patches, no longer needed: |
487a9b02 | 7 | + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now |
487a9b02 | 8 | upstream) |
487a9b02 | 9 | + Enable-NX.patch (we don't want NX just yet until the whole boot |
487a9b02 | 10 | stack is NX-capable) |
487a9b02 | 11 | + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT |
487a9b02 | 12 | is 4) |
bb0763da | 13 | * Cherry-pick 2 new patches from upstream for grub revocations: |
bb0763da | 14 | + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch |
bb0763da | 15 | + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch |
2c85966c | 16 | * Log if the build is nx-compatible or not |
bd9f3bf3 | 17 | * Force shim to use the latest revocations by default to block some |
bd9f3bf3 | 18 | older grub / peimage issues. This is: |
bd9f3bf3 | 19 | "shim,4\ngrub,4\ngrub.peimage,2\n" |
bd9f3bf3 | 20 | |
5c55ced2 | 21 | [ Bastien Roucariès ] |
5c55ced2 | 22 | * Port autopkgtest from ubuntu |
192a0b20 | 23 | * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside |
192a0b20 | 24 | shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009). |
be3d8a28 | 25 | * Fix debian/watch and check signature |
5c55ced2 | 26 | |
91350387 | 27 | -- Steve McIntyre <93sam@debian.org> Sat, 04 May 2024 14:21:04 +0100 |
7686deba | 28 | |
e02f5a25 | 29 | shim (15.7-1) unstable; urgency=medium |
b61b8af8 | 30 | |
b61b8af8 | 31 | * New upstream release fixing more bugs |
77729f4c | 32 | * Add further patches from upstream: |
b61b8af8 | 33 | + Make sbat_var.S parse right with buggy gcc/binutils |
77729f4c | 34 | + Enable NX support at build time, as required by policy for signing |
77729f4c | 35 | new shim binaries. |
65f161ee | 36 | * Switch to using gcc-12. Closes: #1022180 |
540e7f54 | 37 | * Update to Standards-Version 4.6.2 (no changes needed) |
ba98d1fe | 38 | * Block Debian grub binaries with sbat < 4 (see #1024617) |
b61b8af8 | 39 | |
77729f4c | 40 | -- Steve McIntyre <93sam@debian.org> Mon, 30 Jan 2023 18:11:23 +0000 |
b61b8af8 | 41 | |
85e5473c | 42 | shim (15.6-1) unstable; urgency=medium |
84c2b7db | 43 | |
84c2b7db | 44 | * New upstream release fixing more bugs |
84c2b7db | 45 | + Remove all our old patches, all now upstream: |
84c2b7db | 46 | - fix-32b-format-strings.patch |
84c2b7db | 47 | - fix-test-includes.patch |
84c2b7db | 48 | |
85e5473c | 49 | -- Steve McIntyre <93sam@debian.org> Thu, 21 Jul 2022 14:04:01 +0200 |
84c2b7db | 50 | |
7c81b875 | 51 | shim (15.5-1) UNRELEASED; urgency=medium |
7c81b875 | 52 | |
7c81b875 | 53 | * New upstream release fixing more bugs |
7c81b875 | 54 | + Remove all our old patches, all now upstream: |
7c81b875 | 55 | - Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch |
7c81b875 | 56 | - MOK-BootServicesData.patch |
7c81b875 | 57 | - fix-broken-ia32-reloc.patch |
7c81b875 | 58 | - fix-import_one_mok_state.patch |
7c81b875 | 59 | - fix_arm64_rela_sections.patch |
7c81b875 | 60 | - relax_check_for_import_mok_state.patch |
c8efa9ab | 61 | * Fix format strings for 32-bit builds |
b947ca6a | 62 | * Tweak setup for dh_auto_test so the tests work |
e4de7243 | 63 | * Add new build-dep on libefivar-dev for tests |
7c81b875 | 64 | |
7c81b875 | 65 | -- Steve McIntyre <93sam@debian.org> Wed, 27 Apr 2022 22:50:08 +0100 |
7c81b875 | 66 | |
39c311d6 | 67 | shim (15.4-7) unstable; urgency=high |
39c311d6 | 68 | |
39c311d6 | 69 | * Tweak how we call grub-install; don't abort on error. Not ideal |
39c311d6 | 70 | behaviour either, but don't break upgrades. Copy the behaviour |
39c311d6 | 71 | from the grub packages here. Closes: #990966 |
39c311d6 | 72 | |
39c311d6 | 73 | -- Steve McIntyre <93sam@debian.org> Mon, 12 Jul 2021 08:53:54 +0100 |
39c311d6 | 74 | |
6699b2ef | 75 | shim (15.4-6) unstable; urgency=high |
9ace660b | 76 | |
9ace660b | 77 | * Add arm64 patch to tweak section layout and stop crashing |
9ace660b | 78 | problems. Upstream issue #371. Closes: #990082, #990190 |
ec8a172b | 79 | * In insecure mode, don't abort if we can't create the MokListXRT |
ec8a172b | 80 | variable. Upstream issue #372. Closes: #989962, #990158 |
9ace660b | 81 | |
6699b2ef | 82 | -- Steve McIntyre <93sam@debian.org> Wed, 23 Jun 2021 19:03:54 +0100 |
9ace660b | 83 | |
45dce646 | 84 | shim (15.4-5) unstable; urgency=medium |
45dce646 | 85 | |
45dce646 | 86 | * Add defensive code around calls to db_get. Don't fail if they |
45dce646 | 87 | return errors. |
45dce646 | 88 | |
45dce646 | 89 | -- Steve McIntyre <93sam@debian.org> Thu, 06 May 2021 00:37:49 +0100 |
45dce646 | 90 | |
fca69056 | 91 | shim (15.4-4) unstable; urgency=medium |
fca69056 | 92 | |
fca69056 | 93 | * Fix up those maintainer scripts - if we're not running on an EFI |
fca69056 | 94 | system then exit cleanly. |
fca69056 | 95 | |
fca69056 | 96 | -- Steve McIntyre <93sam@debian.org> Tue, 04 May 2021 17:53:21 +0100 |
fca69056 | 97 | |
29f231fd | 98 | shim (15.4-3) unstable; urgency=medium |
29f231fd | 99 | |
29f231fd | 100 | * Add maintainer scripts to the template packages to manage |
29f231fd | 101 | installing and removing fbXXX.efi and mmXXX.efi when we |
29f231fd | 102 | install/remove the shim-helpers-$arch-signed packages. |
29f231fd | 103 | Closes: #966845 |
29f231fd | 104 | |
29f231fd | 105 | -- Steve McIntyre <93sam@debian.org> Mon, 03 May 2021 20:48:49 +0100 |
29f231fd | 106 | |
11e0f1da | 107 | shim (15.4-2) unstable; urgency=medium |
11e0f1da | 108 | |
11e0f1da | 109 | * Add two further patches from upstream: |
11e0f1da | 110 | + fix import_one_mok_state() after split |
11e0f1da | 111 | + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older |
11e0f1da | 112 | Intel Mac machines) |
11e0f1da | 113 | |
11e0f1da | 114 | -- Steve McIntyre <93sam@debian.org> Wed, 21 Apr 2021 00:23:02 +0100 |
11e0f1da | 115 | |
2f7c6c8d | 116 | shim (15.4-1) unstable; urgency=medium |
b43a60b2 | 117 | |
8d2bea5a | 118 | * New upstream release fixing more bugs: SBAT and arm64 support |
8d2bea5a | 119 | * Print sha256 checksums of the EFI binaries when the build is done |
8d2bea5a | 120 | * Add two patches from upstream: |
8d2bea5a | 121 | + fix i386 binary relocations |
8d2bea5a | 122 | + allocate MOK config table as BootServicesData |
b43a60b2 | 123 | |
2f7c6c8d | 124 | -- Steve McIntyre <93sam@debian.org> Wed, 31 Mar 2021 18:25:00 +0100 |
b43a60b2 | 125 | |
90ce8849 | 126 | shim (15.3-3) unstable; urgency=medium |
90ce8849 | 127 | |
90ce8849 | 128 | * Update the timestamp for the 15.3-2 upload. |
90ce8849 | 129 | * Only include the upstream version in the Debian SBAT metadata, so |
90ce8849 | 130 | we don't break reproducibility on every minor packaging change. |
90ce8849 | 131 | |
90ce8849 | 132 | -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 13:21:05 +0000 |
90ce8849 | 133 | |
f1d23e72 | 134 | shim (15.3-2) unstable; urgency=medium |
f1d23e72 | 135 | |
f1d23e72 | 136 | * Add missing build-dep on xxd for build-time unit tests |
f1d23e72 | 137 | |
90ce8849 | 138 | -- Steve McIntyre <93sam@debian.org> Wed, 24 Mar 2021 02:21:53 +0000 |
f1d23e72 | 139 | |
85b40923 | 140 | shim (15.3-1) unstable; urgency=medium |
371ed906 | 141 | |
371ed906 | 142 | [ Steve McIntyre ] |
85b40923 | 143 | * Switch to much-newer release with many fixes |
371ed906 | 144 | + Particularly pulling in SBAT changes for better revocation support |
e105392d | 145 | + Remove all our old patches, no longer needed: |
e105392d | 146 | - avoid_null_vsprint.patch |
e105392d | 147 | - check_null_sn_ln.patch |
e105392d | 148 | - fixup_git.patch |
e105392d | 149 | - uname.patch |
e105392d | 150 | - use_compare_mem_gcc9.patch |
85b40923 | 151 | + Now includes a vendor copy of gnu-efi with quite a few extra |
85b40923 | 152 | fixes needed. |
85b40923 | 153 | + Update copyright file to cover these changes |
334e9afa | 154 | * Switch to using gcc-10 rather than gcc-9. Closes: #978521 |
58195ca3 | 155 | * Add dbx entries for all our existing grub binaries |
58195ca3 | 156 | + They're insecure, let's break the chainloading hole. |
2e0a83e1 | 157 | * Add Debian SBAT data |
2e0a83e1 | 158 | + Add a Debian SBAT template, and rules to use it |
2e0a83e1 | 159 | + Adds a build-dep on dos2unix |
371ed906 | 160 | |
85b40923 | 161 | -- Steve McIntyre <93sam@debian.org> Tue, 23 Mar 2021 23:39:48 +0000 |
371ed906 | 162 | |
379f0954 | 163 | shim (15+1533136590.3beb971-10) unstable; urgency=medium |
69a55e24 | 164 | |
07cb34b4 | 165 | [ Debian Janitor ] |
69a55e24 | 166 | * Trim trailing whitespace. |
1a8bb34c | 167 | * Use secure copyright file specification URI. |
e1df2a1d | 168 | * debian/copyright: use spaces rather than tabs to start continuation |
e1df2a1d | 169 | lines. |
6ce7b6e0 | 170 | * Bump debhelper from old 11 to 12. |
7d69650c | 171 | * Set debhelper-compat version in Build-Depends. |
90f64dae | 172 | * Set upstream metadata fields: Bug-Database, Bug-Submit. |
434300fc | 173 | * Update standards version to 4.4.1, no changes needed. |
69a55e24 | 174 | |
07cb34b4 | 175 | [ Steve McIntyre ] |
07cb34b4 | 176 | * Trivial changes to generating the inbuilt dbx if we're using it. |
379f0954 | 177 | * Upload to pick up rotated Debian signing keys |
07cb34b4 | 178 | |
07cb34b4 | 179 | -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100 |
69a55e24 | 180 | |
a7788a21 | 181 | shim (15+1533136590.3beb971-9) unstable; urgency=medium |
a7788a21 | 182 | |
a7788a21 | 183 | [ Steve McIntyre ] |
a7788a21 | 184 | * In the -helpers-ARCH-signed packages, change the version |
a7788a21 | 185 | dependency on shim-unsigned to be >= and not =. This will allow |
a7788a21 | 186 | for installation to still work in the window while we wait for the |
a7788a21 | 187 | template package to do its second trip through the |
a7788a21 | 188 | archive. Closes: #955356 |
a7788a21 | 189 | |
a7788a21 | 190 | -- Steve McIntyre <93sam@debian.org> Mon, 30 Mar 2020 15:19:08 +0100 |
a7788a21 | 191 | |
8e0de2bd | 192 | shim (15+1533136590.3beb971-8) unstable; urgency=medium |
3a1cdbfd | 193 | |
3a1cdbfd | 194 | [ Steve McIntyre ] |
3a1cdbfd | 195 | * Use --padding when calling pesign to generate hashes for the dbx |
3a1cdbfd | 196 | list, as recommended by Peter Jones. No actual changes needed in |
3a1cdbfd | 197 | our list of hashes at this point - they work out the same either |
3a1cdbfd | 198 | way. |
10b051f3 | 199 | * Switch to using gcc-9 for builds, tweaking a patch from upstream |
10b051f3 | 200 | to fix a FTBFS. Closes: #925816 |
f320bcac | 201 | * Update debhelper compat level to 11 for shim and the |
f320bcac | 202 | signing-template |
3a1cdbfd | 203 | |
10b051f3 | 204 | -- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000 |
3a1cdbfd | 205 | |
ee2d7bb9 | 206 | shim (15+1533136590.3beb971-7) unstable; urgency=medium |
99879366 | 207 | |
cd186442 | 208 | [ Ansgar Burchardt ] |
99879366 | 209 | * debian/control: Update Vcs-* fields |
99879366 | 210 | |
878d860c | 211 | [ Steve McIntyre ] |
878d860c | 212 | * Backport needed crash fixes: |
878d860c | 213 | + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls |
315e8767 | 214 | + Fix OBJ_create() to tolerate a NULL sn and ln |
e17b0af4 | 215 | * Build using gcc-7 to get better control of reproducibility during the |
e17b0af4 | 216 | lifetime of Buster. |
88a7a650 | 217 | * Build in a dbx list to blacklist binaries that we know to not be |
88a7a650 | 218 | secure. Build-depend on a new (bug-fixed) version of pesign to |
88a7a650 | 219 | generate that list at build time, using a list of known bad hashes. |
88a7a650 | 220 | * Initial list of known bad hashes is just my personal test binary. |
878d860c | 221 | |
ee2d7bb9 | 222 | -- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100 |
99879366 | 223 | |
cb7c0af0 | 224 | shim (15+1533136590.3beb971-6) unstable; urgency=medium |
6bb31652 | 225 | |
6bb31652 | 226 | [ Steve McIntyre ] |
6bb31652 | 227 | * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix |
6bb31652 | 228 | clashes with the old shim-signed package for fbx64.efi.signed and |
6bb31652 | 229 | mmx64.efi.signed. Closes: #924619 |
6bb31652 | 230 | |
aa19fc4d | 231 | [ Helmut Grohne ] |
aa19fc4d | 232 | * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152) |
aa19fc4d | 233 | |
6bb31652 | 234 | -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000 |
6bb31652 | 235 | |
6a35a720 | 236 | shim (15+1533136590.3beb971-5) unstable; urgency=medium |
424d859c | 237 | |
424d859c | 238 | [ Ansgar Burchardt ] |
424d859c | 239 | * Correct maintainer address in signing template |
424d859c | 240 | |
14b8b20e | 241 | [ Steve McIntyre ] |
14b8b20e | 242 | * Remove Rules-Requires-Root in the signing template. We manually install |
14b8b20e | 243 | things owned by root. There might be better ways to do this, but this |
14b8b20e | 244 | will do for now. |
14b8b20e | 245 | |
6a35a720 | 246 | -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000 |
424d859c | 247 | |
208bd43b | 248 | shim (15+1533136590.3beb971-4) unstable; urgency=medium |
208bd43b | 249 | |
208bd43b | 250 | [ Steve McIntyre ] |
208bd43b | 251 | * No-change sourceful upload to get rebuilds (and hence build logs) from |
208bd43b | 252 | the buildds. Hoping to get this version signed by Microsoft, so let's |
208bd43b | 253 | make our setup as clean as possible. |
208bd43b | 254 | |
208bd43b | 255 | -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000 |
208bd43b | 256 | |
b197d74e | 257 | shim (15+1533136590.3beb971-3) unstable; urgency=medium |
4bb202a0 | 258 | |
4bb202a0 | 259 | [ Philipp Hahn ] |
4bb202a0 | 260 | * debian/rules: fixing permissions no longer required |
e914483c | 261 | * debian/rules: Disable ephemeral key on Debian. |
c2dbb9ef | 262 | * Rename binary package to 'shim-unsigned' |
f7add225 | 263 | * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228) |
4bb202a0 | 264 | |
8c00485c | 265 | [ Luca Boccassi ] |
8c00485c | 266 | * Override lintian error about template rules file. |
9bfbee89 | 267 | * Include /usr/share/dpkg/architecture.mk instead of shelling out. |
51b45b03 | 268 | * Add uname.patch to avoid embedding the kernel architecture in the |
51b45b03 | 269 | binary and to use a fixed string instead. |
8c00485c | 270 | |
d71a71f4 | 271 | [ Steve McIntyre ] |
d71a71f4 | 272 | * Change maintenance address to be the EFI team |
d71a71f4 | 273 | * Add me and vorlon to the Uploaders list |
ba30131d | 274 | * Rename the helper binary packages to shim-helpers-$arch. |
90609be3 | 275 | * Update the signing-template JSON metadata to match new practice: |
90609be3 | 276 | + Move all the data under a new top-level "packages" key |
90609be3 | 277 | + Add an empty "trusted_certs" key - the helper binaries do not do any |
90609be3 | 278 | further verification with an embedded key. |
d71a71f4 | 279 | |
90609be3 | 280 | -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000 |
4bb202a0 | 281 | |
88190087 | 282 | shim (15+1533136590.3beb971-2) unstable; urgency=medium |
100e3b0c | 283 | |
100e3b0c | 284 | * Update debian/watch. |
2fab563a | 285 | * Update VCS to point to salsa. |
cebae05a | 286 | * Fix debian/rules syntax for arm64 build. |
21efb35c | 287 | * Enable build for i386. |
1d945f76 | 288 | * Ensure DEB_HOST_ARCH is set even if not present in the environment. |
2b9acc73 | 289 | * Update Standards-Version. |
47660e67 | 290 | * Update debian/copyright (drop reference to file no longer in source) |
100e3b0c | 291 | |
88190087 | 292 | -- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000 |
100e3b0c | 293 | |
ab4c731c | 294 | shim (15+1533136590.3beb971-1) unstable; urgency=medium |
fac86c74 | 295 | |
ab4c731c | 296 | * New upstream release. |
ab4c731c | 297 | - debian/patches/second-stage-path: dropped; the default loader path now |
ab4c731c | 298 | includes an arch suffix. |
ab4c731c | 299 | - debian/patches/sbsigntool-no-pesign: dropped; no longer needed. |
ab4c731c | 300 | * Drop remaining patches that were not being applied. |
ab4c731c | 301 | * Sync packaging from Ubuntu: |
ab4c731c | 302 | - debian/copyright: Update upstream source location. |
ab4c731c | 303 | - debian/control: add a Build-Depends on libelf-dev. |
ab4c731c | 304 | - Enable arm64 build. |
ab4c731c | 305 | - debian/patches/fixup_git.patch: don't run git in clean; we're not |
ab4c731c | 306 | really in a git tree. |
ab4c731c | 307 | - debian/rules, debian/shim.install: use the upstream install target as |
ab4c731c | 308 | intended, and move files to the target directory using dh_install. |
f42b58fc | 309 | - define RELEASE and COMMIT_ID for the snapshot. |
f42b58fc | 310 | - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. |
f841331c | 311 | - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream |
f841331c | 312 | options: set MAKELEVEL. |
5d42729f | 313 | - Define an EFI_ARCH variable, and use that for paths to shim. This |
5d42729f | 314 | makes it possible to build a shim for other architectures than amd64. |
ab4c731c | 315 | - Set EFIDIR=$distro for dh_auto_install; that will let files be installed |
3f5806e4 | 316 | in the "right" final directories, and makes boot.csv for us. |
661d3ea1 | 317 | - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built |
661d3ea1 | 318 | at compile-time for MokManager and fallback. |
402fafb4 | 319 | - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback |
402fafb4 | 320 | and MokManager. |
11c5b79d | 321 | |
ab4c731c | 322 | -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000 |
bd98c8fd | 323 | |
c117735c | 324 | shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium |
c117735c | 325 | |
c117735c | 326 | [ Steve Langasek ] |
c117735c | 327 | * Initial Debian upload. Closes: #820052. |
c117735c | 328 | * Update Standards-Version. |
c117735c | 329 | * Embed the newly-minted Debian CA certificate. |
c117735c | 330 | * Vendorize debian/rules so that the same package can be used in both |
c117735c | 331 | Debian and Ubuntu without modification. |
c117735c | 332 | * Fix debian/copyright to match the spec (last match wins, not first) |
c117735c | 333 | * Fix shim.efi to not be executable. |
c117735c | 334 | * Add watchfile. |
c117735c | 335 | * Support parallel builds, because eh why not |
c117735c | 336 | * Update Vcs-Bzr. |
c117735c | 337 | * Resync with Ubuntu, including patch to fix debian/copyright. |
c117735c | 338 | |
c117735c | 339 | [ Julien Cristau ] |
c117735c | 340 | * Add some missing copyright holders in d/copyright, update |
c117735c | 341 | Upstream-Contact. Thanks to Helen Koike for the help. |
c117735c | 342 | |
c117735c | 343 | -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200 |
c117735c | 344 | |
c117735c | 345 | shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium |
c117735c | 346 | |
c117735c | 347 | [ Helen Koike ] |
69a55e24 | 348 | * debian/copyright: add OpenSSL license |
c117735c | 349 | |
c117735c | 350 | [ Mathieu Trudel-Lapierre ] |
c117735c | 351 | * New upstream release. |
c117735c | 352 | * debian/copyright: patches should be BSD, like the rest of the upstream |
c117735c | 353 | code. |
c117735c | 354 | * debian/patches/unused-variable: dropped; applied upstream. |
c117735c | 355 | * debian/patches/binutils-version-matching: dropped, fixed upstream. |
c117735c | 356 | * debian/shim.install: built EFI binaries were renamed; update our install |
c117735c | 357 | file to properly pick up shim (shim$arch), MokManager (mm$arch), and |
c117735c | 358 | fallback (fb$arch). |
c117735c | 359 | |
c117735c | 360 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400 |
c117735c | 361 | |
c117735c | 362 | shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium |
c117735c | 363 | |
c117735c | 364 | * New upstream release. |
c117735c | 365 | - Better handle LoadOptions. (LP: #1581299) |
c117735c | 366 | - Measure state and second stage in TPM. |
c117735c | 367 | - Mirror MokSBState in runtime as MokSBStateRT. |
c117735c | 368 | - Fix failure to build with GCC 5. (LP: #1429978) |
c117735c | 369 | - Various bug fixes and other improvements. |
c117735c | 370 | * Refreshed patches. |
c117735c | 371 | - Remaining patches: |
c117735c | 372 | + second-stage-path |
69a55e24 | 373 | + sbsigntool-not-pesign |
c117735c | 374 | * debian/patches/unused-variable: remove unused variable size. |
c117735c | 375 | * debian/patches/binutils-version-matching: revert d9a4c912 to correctly |
c117735c | 376 | match objcopy's version on Ubuntu. |
c117735c | 377 | * debian/copyright: update copyright for patches. |
c117735c | 378 | |
c117735c | 379 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400 |
c117735c | 380 | |
c117735c | 381 | shim (0.8-0ubuntu2) wily; urgency=medium |
c117735c | 382 | |
c117735c | 383 | * No-change rebuild against gnu-efi 3.0v-5ubuntu1. |
c117735c | 384 | |
c117735c | 385 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000 |
c117735c | 386 | |
c117735c | 387 | shim (0.8-0ubuntu1) wily; urgency=medium |
c117735c | 388 | |
c117735c | 389 | * New upstream release. |
c117735c | 390 | - Clarify meaning of insecure_mode. (LP: #1384973) |
c117735c | 391 | * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, |
c117735c | 392 | debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included |
c117735c | 393 | in the upstream release. |
c117735c | 394 | * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: |
c117735c | 395 | refreshed. |
c117735c | 396 | |
c117735c | 397 | -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400 |
c117735c | 398 | |
c117735c | 399 | shim (0.7-0ubuntu4) utopic; urgency=medium |
c117735c | 400 | |
c117735c | 401 | * SECURITY UPDATE: heap overflow and out-of-bounds read access when |
c117735c | 402 | parsing DHCPv6 information |
c117735c | 403 | - debian/patches/CVE-2014-3675.patch: apply proper bounds checking |
c117735c | 404 | when parsing data provided in DHCPv6 packets. |
c117735c | 405 | - CVE-2014-3675 |
c117735c | 406 | - CVE-2014-3676 |
c117735c | 407 | * SECURITY UPDATE: memory corruption when processing user-provided key |
c117735c | 408 | lists |
c117735c | 409 | - debian/patches/CVE-2014-3677.patch: detect malformed machine owner |
c117735c | 410 | key (MOK) lists and ignore them, avoiding possible memory corruption. |
c117735c | 411 | - CVE-2014-3677 |
c117735c | 412 | |
c117735c | 413 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000 |
c117735c | 414 | |
c117735c | 415 | shim (0.7-0ubuntu2) utopic; urgency=medium |
c117735c | 416 | |
c117735c | 417 | * Restore debian/patches/prototypes, which still is needed on shim 0.7 |
c117735c | 418 | but only detected on the buildds. |
c117735c | 419 | * Update debian/patches/prototypes with some new declarations needed for |
c117735c | 420 | openssl 0.9.8za update. |
c117735c | 421 | |
c117735c | 422 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700 |
c117735c | 423 | |
c117735c | 424 | shim (0.7-0ubuntu1) utopic; urgency=medium |
c117735c | 425 | |
c117735c | 426 | * New upstream release. |
c117735c | 427 | - fix spurious error message when fallback.efi is not present, as will |
c117735c | 428 | always be the case for removable media. LP: #1297069. |
c117735c | 429 | - drop most patches, included upstream. |
c117735c | 430 | * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick |
c117735c | 431 | openssl 0.9.8za in via upstream. |
c117735c | 432 | |
c117735c | 433 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000 |
c117735c | 434 | |
c117735c | 435 | shim (0.4-0ubuntu5) utopic; urgency=low |
c117735c | 436 | |
c117735c | 437 | * Install fallback.efi.signed as well, to lay the groundwork for fallback |
c117735c | 438 | handling (wanted when we have to move a drive between machines, or when |
c117735c | 439 | the firmware loses its marbles^W nvram). |
c117735c | 440 | |
c117735c | 441 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200 |
c117735c | 442 | |
c117735c | 443 | shim (0.4-0ubuntu4) saucy; urgency=low |
c117735c | 444 | |
c117735c | 445 | * debian/patches/fix-tftp-prototype: pass the right arguments to |
c117735c | 446 | EFI_PXE_BASE_CODE_TFTP_READ_FILE. |
c117735c | 447 | * debian/patches/build-with-Werror: Build with -Werror to catch future |
c117735c | 448 | prototype mismatches. |
c117735c | 449 | * debian/patches/fix-compiler-warnings: Fix remaining compiler |
c117735c | 450 | warnings in netboot.c. |
c117735c | 451 | * debian/patches/tftp-proper-nul-termination: fix nul termination |
c117735c | 452 | errors in filenames passed to tftp. |
c117735c | 453 | * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to |
c117735c | 454 | the netboot code. |
c117735c | 455 | |
c117735c | 456 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700 |
c117735c | 457 | |
c117735c | 458 | shim (0.4-0ubuntu3) saucy; urgency=low |
c117735c | 459 | |
c117735c | 460 | [ Steve Langasek ] |
c117735c | 461 | * Install MokManager.efi.signed in the package. |
c117735c | 462 | * debian/patches/no-output-by-default.patch: Don't print any |
c117735c | 463 | informational messages. Closes LP: #1074302. |
c117735c | 464 | |
c117735c | 465 | [ Stéphane Graber ] |
c117735c | 466 | * debian/patches/no-print-on-unsigned: Don't print an error message when |
c117735c | 467 | validating an unsigned binary as that tends to hang Lenovo machines. |
c117735c | 468 | (LP: #1087501) |
c117735c | 469 | |
c117735c | 470 | -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200 |
c117735c | 471 | |
c117735c | 472 | shim (0.4-0ubuntu2) saucy; urgency=low |
c117735c | 473 | |
c117735c | 474 | * Add missing build-dependency on openssl. |
c117735c | 475 | |
c117735c | 476 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000 |
c117735c | 477 | |
c117735c | 478 | shim (0.4-0ubuntu1) saucy; urgency=low |
c117735c | 479 | |
c117735c | 480 | * New upstream release. |
c117735c | 481 | * Drop debian/patches/shim-before-loadimage; upstream has changed this to |
c117735c | 482 | not call loadimage at all. |
c117735c | 483 | * debian/patches/sbsigntool-not-pesign: Sign MokManager with |
c117735c | 484 | sbsigntool instead of pesign. |
c117735c | 485 | * Add a versioned build-dependency on gnu-efi. |
c117735c | 486 | |
c117735c | 487 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700 |
c117735c | 488 | |
c117735c | 489 | shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low |
c117735c | 490 | |
c117735c | 491 | * debian/patches/shim-before-loadimage: Use direct verification first |
c117735c | 492 | before LoadImage. Addresses an issue where Lenovo's SecureBoot |
c117735c | 493 | implementation pops an error message on any verification failure - avoid |
c117735c | 494 | calling LoadImage at all unless we have to. |
c117735c | 495 | |
c117735c | 496 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700 |
c117735c | 497 | |
c117735c | 498 | shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low |
c117735c | 499 | |
c117735c | 500 | * debian/patches/second-stage-path: Chainload grubx64.efi, not |
c117735c | 501 | grub.efi. |
c117735c | 502 | |
c117735c | 503 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700 |
c117735c | 504 | |
c117735c | 505 | shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low |
c117735c | 506 | |
c117735c | 507 | * debian/patches/prototypes: Include missing prototypes, and disable |
c117735c | 508 | use of BIO_new_file. |
c117735c | 509 | * Only build the package for amd64; we're not signing an i386 shim at this |
c117735c | 510 | stage so there's no point in building it. |
c117735c | 511 | |
c117735c | 512 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000 |
c117735c | 513 | |
c117735c | 514 | shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low |
c117735c | 515 | |
c117735c | 516 | * Initial release. |
c117735c | 517 | * Include the Canonical Secure Boot master CA. |
c117735c | 518 | |
c117735c | 519 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 |