git.proxmox.com Git - efi-boot-shim.git/blame - debian/changelog

shim (15+1533136590.3beb971-8) unstable; urgency=medium

  [ Steve McIntyre ]
  * Use --padding when calling pesign to generate hashes for the dbx
    list, as recommended by Peter Jones. No actual changes needed in
    our list of hashes at this point - they work out the same either
    way.
  * Switch to using gcc-9 for builds, tweaking a patch from upstream
    to fix a FTBFS. Closes: #925816
  * Update debhelper compat level to 11 for shim and the
    signing-template

 -- Steve McIntyre <93sam@debian.org>  Tue, 24 Mar 2020 16:51:10 +0000

shim (15+1533136590.3beb971-7) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * debian/control: Update Vcs-* fields

  [ Steve McIntyre ]
  * Backport needed crash fixes:
    + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
    + Fix OBJ_create() to tolerate a NULL sn and ln
  * Build using gcc-7 to get better control of reproducibility during the
    lifetime of Buster.
  * Build in a dbx list to blacklist binaries that we know to not be
    secure. Build-depend on a new (bug-fixed) version of pesign to
    generate that list at build time, using a list of known bad hashes.
  * Initial list of known bad hashes is just my personal test binary.

 -- Steve McIntyre <93sam@debian.org>  Wed, 08 May 2019 02:05:01 +0100

shim (15+1533136590.3beb971-6) unstable; urgency=medium

  [ Steve McIntyre ]
  * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
    clashes with the old shim-signed package for fbx64.efi.signed and
    mmx64.efi.signed. Closes: #924619

  [ Helmut Grohne ]
  * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)

 -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000

shim (15+1533136590.3beb971-5) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * Correct maintainer address in signing template

  [ Steve McIntyre ]
  * Remove Rules-Requires-Root in the signing template. We manually install
    things owned by root. There might be better ways to do this, but this
    will do for now.

 -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000

shim (15+1533136590.3beb971-4) unstable; urgency=medium

  [ Steve McIntyre ]
  * No-change sourceful upload to get rebuilds (and hence build logs) from
    the buildds. Hoping to get this version signed by Microsoft, so let's
    make our setup as clean as possible.

 -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000

shim (15+1533136590.3beb971-3) unstable; urgency=medium

  [ Philipp Hahn ]
  * debian/rules: fixing permissions no longer required
  * debian/rules: Disable ephemeral key on Debian.
  * Rename binary package to 'shim-unsigned'
  * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)

  [ Luca Boccassi ]
  * Override lintian error about template rules file.
  * Include /usr/share/dpkg/architecture.mk instead of shelling out.
  * Add uname.patch to avoid embedding the kernel architecture in the
    binary and to use a fixed string instead.

  [ Steve McIntyre ]
  * Change maintenance address to be the EFI team
  * Add me and vorlon to the Uploaders list
  * Rename the helper binary packages to shim-helpers-$arch.
  * Update the signing-template JSON metadata to match new practice:
    + Move all the data under a new top-level "packages" key
    + Add an empty "trusted_certs" key - the helper binaries do not do any
      further verification with an embedded key.

 -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000

shim (15+1533136590.3beb971-2) unstable; urgency=medium

  * Update debian/watch.
  * Update VCS to point to salsa.
  * Fix debian/rules syntax for arm64 build.
  * Enable build for i386.
  * Ensure DEB_HOST_ARCH is set even if not present in the environment.
  * Update Standards-Version.
  * Update debian/copyright (drop reference to file no longer in source)

 -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000

shim (15+1533136590.3beb971-1) unstable; urgency=medium

  * New upstream release.
    - debian/patches/second-stage-path: dropped; the default loader path now
      includes an arch suffix.
    - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
  * Drop remaining patches that were not being applied.
  * Sync packaging from Ubuntu:
    - debian/copyright: Update upstream source location.
    - debian/control: add a Build-Depends on libelf-dev.
    - Enable arm64 build.
    - debian/patches/fixup_git.patch: don't run git in clean; we're not
      really in a git tree.
    - debian/rules, debian/shim.install: use the upstream install target as
      intended, and move files to the target directory using dh_install.
    - define RELEASE and COMMIT_ID for the snapshot.
    - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
    - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
      options: set MAKELEVEL.
    - Define an EFI_ARCH variable, and use that for paths to shim. This
      makes it possible to build a shim for other architectures than amd64.
    - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
      in the "right" final directories, and makes boot.csv for us.
    - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
      at compile-time for MokManager and fallback.
    - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
      and MokManager.

 -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000

shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium

  [ Steve Langasek ]
  * Initial Debian upload. Closes: #820052.
  * Update Standards-Version.
  * Embed the newly-minted Debian CA certificate.
  * Vendorize debian/rules so that the same package can be used in both
    Debian and Ubuntu without modification.
  * Fix debian/copyright to match the spec (last match wins, not first)
  * Fix shim.efi to not be executable.
  * Add watchfile.
  * Support parallel builds, because eh why not
  * Update Vcs-Bzr.
  * Resync with Ubuntu, including patch to fix debian/copyright.

  [ Julien Cristau ]
  * Add some missing copyright holders in d/copyright, update
    Upstream-Contact. Thanks to Helen Koike for the help.

 -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200

shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium

  [ Helen Koike ]
  * debian/copyright: add OpenSSL license

  [ Mathieu Trudel-Lapierre ]
  * New upstream release.
  * debian/copyright: patches should be BSD, like the rest of the upstream
    code.
  * debian/patches/unused-variable: dropped; applied upstream.
  * debian/patches/binutils-version-matching: dropped, fixed upstream.
  * debian/shim.install: built EFI binaries were renamed; update our install
    file to properly pick up shim (shim$arch), MokManager (mm$arch), and
    fallback (fb$arch).

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400

shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
  * Refreshed patches.
    - Remaining patches:
      + second-stage-path
      + sbsigntool-not-pesign
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400

shim (0.8-0ubuntu2) wily; urgency=medium

  * No-change rebuild against gnu-efi 3.0v-5ubuntu1.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000

shim (0.8-0ubuntu1) wily; urgency=medium

  * New upstream release.
    - Clarify meaning of insecure_mode. (LP: #1384973)
  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
    in the upstream release.
  * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
    refreshed.

 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400

shim (0.7-0ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
    parsing DHCPv6 information
    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
      when parsing data provided in DHCPv6 packets.
    - CVE-2014-3675
    - CVE-2014-3676
  * SECURITY UPDATE: memory corruption when processing user-provided key
    lists
    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
      key (MOK) lists and ignore them, avoiding possible memory corruption.
    - CVE-2014-3677

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000

shim (0.7-0ubuntu2) utopic; urgency=medium

  * Restore debian/patches/prototypes, which still is needed on shim 0.7
    but only detected on the buildds.
  * Update debian/patches/prototypes with some new declarations needed for
    openssl 0.9.8za update.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700

shim (0.7-0ubuntu1) utopic; urgency=medium

  * New upstream release.
    - fix spurious error message when fallback.efi is not present, as will
      always be the case for removable media. LP: #1297069.
    - drop most patches, included upstream.
  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
    openssl 0.9.8za in via upstream.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000

shim (0.4-0ubuntu5) utopic; urgency=low

  * Install fallback.efi.signed as well, to lay the groundwork for fallback
    handling (wanted when we have to move a drive between machines, or when
    the firmware loses its marbles^W nvram).

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200

shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler
    warnings in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix nul termination
    errors in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
    the netboot code.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700

shim (0.4-0ubuntu3) saucy; urgency=low

  [ Steve Langasek ]
  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages. Closes LP: #1074302.

  [ Stéphane Graber ]
  * debian/patches/no-print-on-unsigned: Don't print an error message when
    validating an unsigned binary as that tends to hang Lenovo machines.
    (LP: #1087501)

 -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
    not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
    sbsigntool instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage. Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure - avoid
    calling LoadImage at all unless we have to.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700

shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low

  * debian/patches/second-stage-path: Chainload grubx64.efi, not
    grub.efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700

shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low

  * debian/patches/prototypes: Include missing prototypes, and disable
    use of BIO_new_file.
  * Only build the package for amd64; we're not signing an i386 shim at this
    stage so there's no point in building it.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000

shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low

  * Initial release.
  * Include the Canonical Secure Boot master CA.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700