]>
Commit | Line | Data |
---|---|---|
fac86c74 SL |
1 | shim (13-0ubuntu3) UNRELEASED; urgency=medium |
2 | ||
3 | * Fix Vcs link. | |
4 | ||
5 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Apr 2018 18:08:31 -0700 | |
6 | ||
d1d148ea | 7 | shim (13-0ubuntu2) bionic; urgency=medium |
81b34c16 MTL |
8 | |
9 | * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some | |
10 | of the structure of our binary, partly because abort() is thought to be an | |
11 | external symbol, which causes some relocalisations to appear. | |
12 | ||
d1d148ea | 13 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 07 Nov 2017 10:19:04 -0500 |
81b34c16 | 14 | |
4a3efbe4 | 15 | shim (13-0ubuntu1) artful; urgency=medium |
11c5b79d | 16 | |
2f7a1c0b | 17 | * New upstream release: 13 |
b37fef52 | 18 | * debian/control: add a Build-Depends on libelf-dev. |
926d9476 MTL |
19 | * debian/control: add Breaks: for the previous shim-signed builds given |
20 | that shim will now build and ship BOOT.CSV by itself. | |
62a4fa2d | 21 | * debian/rules: |
f841331c MTL |
22 | - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream |
23 | options: set MAKELEVEL. | |
5d42729f MTL |
24 | - Define an EFI_ARCH variable, and use that for paths to shim. This |
25 | makes it possible to build a shim for other architectures than amd64. | |
3f5806e4 MTL |
26 | - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed |
27 | in the "right" final directories, and makes boot.csv for us. | |
661d3ea1 MTL |
28 | - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built |
29 | at compile-time for MokManager and fallback. | |
402fafb4 MTL |
30 | - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback |
31 | and MokManager. | |
cff1facf MTL |
32 | * debian/patches/second-stage-path: dropped; the default loader path now |
33 | includes an arch suffix. | |
402fafb4 | 34 | * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. |
5ca483b9 MTL |
35 | * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, |
36 | included upstream. | |
7d562b49 MTL |
37 | * debian/shim.install: update paths in light of using shim's upstream install |
38 | target. | |
c3fa7299 MTL |
39 | * debian/rules, debian/shim.install: make sure the 'make install' step does |
40 | what it's meant to do by upstream: we can easily make use of the end result | |
41 | to have the files we need. | |
11c5b79d | 42 | |
4a3efbe4 | 43 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 29 Sep 2017 15:11:28 -0400 |
11c5b79d | 44 | |
bd98c8fd MTL |
45 | shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium |
46 | ||
47 | [ Steve Langasek ] | |
48 | * Merge (not yet NEW cleared) changes from Debian branch. | |
49 | ||
50 | [ Mathieu Trudel-Lapierre ] | |
51 | * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard | |
52 | against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu | |
53 | for the patch. This will fix issues updating MokSBStateRT if the variable | |
54 | already exists with different attributes. (LP: #1644806) | |
55 | ||
56 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 01 Dec 2016 16:55:50 -0500 | |
57 | ||
2f799ca9 | 58 | shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium |
b65e78ec | 59 | |
ce5a310e | 60 | [ Steve Langasek ] |
2f799ca9 SL |
61 | * Initial Debian upload. Closes: #820052. |
62 | * Update Standards-Version. | |
63 | * Embed the newly-minted Debian CA certificate. | |
64 | * Vendorize debian/rules so that the same package can be used in both | |
65 | Debian and Ubuntu without modification. | |
66 | * Fix debian/copyright to match the spec (last match wins, not first) | |
67 | * Fix shim.efi to not be executable. | |
68 | * Add watchfile. | |
69 | * Support parallel builds, because eh why not | |
70 | * Update Vcs-Bzr. | |
b65e78ec SL |
71 | * Resync with Ubuntu, including patch to fix debian/copyright. |
72 | ||
ce5a310e JC |
73 | [ Julien Cristau ] |
74 | * Add some missing copyright holders in d/copyright, update | |
19d90b86 | 75 | Upstream-Contact. Thanks to Helen Koike for the help. |
ce5a310e | 76 | |
19d90b86 | 77 | -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200 |
b65e78ec | 78 | |
3b43f33d | 79 | shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium |
879d307f | 80 | |
e3ef28ac | 81 | [ Helen Koike ] |
879d307f HK |
82 | * debian/copyright: add OpenSSL license |
83 | ||
e3ef28ac | 84 | [ Mathieu Trudel-Lapierre ] |
3b43f33d | 85 | * New upstream release. (LP: #1624096) |
e3ef28ac HK |
86 | * debian/copyright: patches should be BSD, like the rest of the upstream |
87 | code. | |
c2463d38 MTL |
88 | * debian/patches/unused-variable: dropped; applied upstream. |
89 | * debian/patches/binutils-version-matching: dropped, fixed upstream. | |
86b44a70 MTL |
90 | * debian/shim.install: built EFI binaries were renamed; update our install |
91 | file to properly pick up shim (shim$arch), MokManager (mm$arch), and | |
92 | fallback (fb$arch). | |
e3ef28ac | 93 | |
3b43f33d | 94 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 22 Sep 2016 15:02:20 -0400 |
879d307f | 95 | |
cffaa507 | 96 | shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium |
1854cb28 MTL |
97 | |
98 | * New upstream release. | |
d191cf2c | 99 | - Better handle LoadOptions. (LP: #1581299) |
110c669f MTL |
100 | - Measure state and second stage in TPM. |
101 | - Mirror MokSBState in runtime as MokSBStateRT. | |
d191cf2c | 102 | - Fix failure to build with GCC 5. (LP: #1429978) |
110c669f MTL |
103 | - Various bug fixes and other improvements. |
104 | * Refreshed patches. | |
105 | - Remaining patches: | |
106 | + second-stage-path | |
107 | + sbsigntool-not-pesign | |
7fbc200d MTL |
108 | * debian/patches/unused-variable: remove unused variable size. |
109 | * debian/patches/binutils-version-matching: revert d9a4c912 to correctly | |
110 | match objcopy's version on Ubuntu. | |
9fa1d28f | 111 | * debian/copyright: update copyright for patches. |
c2f285a9 | 112 | |
cffaa507 | 113 | -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400 |
d6f876b8 | 114 | |
8fa98d6d SL |
115 | shim (0.8-0ubuntu2) wily; urgency=medium |
116 | ||
117 | * No-change rebuild against gnu-efi 3.0v-5ubuntu1. | |
118 | ||
119 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000 | |
120 | ||
acd2cc1e | 121 | shim (0.8-0ubuntu1) wily; urgency=medium |
4c03444e MTL |
122 | |
123 | * New upstream release. | |
37358ddb | 124 | - Clarify meaning of insecure_mode. (LP: #1384973) |
e42efbd9 MTL |
125 | * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, |
126 | debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included | |
127 | in the upstream release. | |
28da53af MTL |
128 | * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: |
129 | refreshed. | |
4c03444e | 130 | |
acd2cc1e | 131 | -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400 |
4c03444e | 132 | |
8b0389dd | 133 | shim (0.7-0ubuntu4) utopic; urgency=medium |
3586772f SL |
134 | |
135 | * SECURITY UPDATE: heap overflow and out-of-bounds read access when | |
136 | parsing DHCPv6 information | |
137 | - debian/patches/CVE-2014-3675.patch: apply proper bounds checking | |
138 | when parsing data provided in DHCPv6 packets. | |
139 | - CVE-2014-3675 | |
140 | - CVE-2014-3676 | |
141 | * SECURITY UPDATE: memory corruption when processing user-provided key | |
142 | lists | |
143 | - debian/patches/CVE-2014-3677.patch: detect malformed machine owner | |
144 | key (MOK) lists and ignore them, avoiding possible memory corruption. | |
145 | - CVE-2014-3677 | |
146 | ||
e82e7706 | 147 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000 |
3586772f | 148 | |
bc9b5d63 | 149 | shim (0.7-0ubuntu2) utopic; urgency=medium |
172647da SL |
150 | |
151 | * Restore debian/patches/prototypes, which still is needed on shim 0.7 | |
4960f358 SL |
152 | but only detected on the buildds. |
153 | * Update debian/patches/prototypes with some new declarations needed for | |
154 | openssl 0.9.8za update. | |
172647da | 155 | |
bc9b5d63 | 156 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700 |
172647da | 157 | |
db8383ad | 158 | shim (0.7-0ubuntu1) utopic; urgency=medium |
59945b25 SL |
159 | |
160 | * New upstream release. | |
161 | - fix spurious error message when fallback.efi is not present, as will | |
162 | always be the case for removable media. LP: #1297069. | |
c61b06bc | 163 | - drop most patches, included upstream. |
1e963007 SL |
164 | * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick |
165 | openssl 0.9.8za in via upstream. | |
59945b25 | 166 | |
db8383ad | 167 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000 |
59945b25 | 168 | |
5fc0e7f6 | 169 | shim (0.4-0ubuntu5) utopic; urgency=low |
d53fb652 SL |
170 | |
171 | * Install fallback.efi.signed as well, to lay the groundwork for fallback | |
172 | handling (wanted when we have to move a drive between machines, or when | |
173 | the firmware loses its marbles^W nvram). | |
174 | ||
5fc0e7f6 | 175 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200 |
d53fb652 | 176 | |
eb32f5ba | 177 | shim (0.4-0ubuntu4) saucy; urgency=low |
50ab550a SL |
178 | |
179 | * debian/patches/fix-tftp-prototype: pass the right arguments to | |
180 | EFI_PXE_BASE_CODE_TFTP_READ_FILE. | |
c43e3c7c SL |
181 | * debian/patches/build-with-Werror: Build with -Werror to catch future |
182 | prototype mismatches. | |
183 | * debian/patches/fix-compiler-warnings: Fix remaining compiler | |
184 | warnings in netboot.c. | |
0c74470d SL |
185 | * debian/patches/tftp-proper-nul-termination: fix nul termination |
186 | errors in filenames passed to tftp. | |
84a3bbdf SL |
187 | * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to |
188 | the netboot code. | |
50ab550a | 189 | |
eb32f5ba | 190 | -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700 |
50ab550a | 191 | |
4c13d15a | 192 | shim (0.4-0ubuntu3) saucy; urgency=low |
0c50644a | 193 | |
0929c5e5 | 194 | [ Steve Langasek ] |
0c50644a | 195 | * Install MokManager.efi.signed in the package. |
44ecc6a3 SL |
196 | * debian/patches/no-output-by-default.patch: Don't print any |
197 | informational messages. Closes LP: #1074302. | |
0c50644a | 198 | |
0929c5e5 SG |
199 | [ Stéphane Graber ] |
200 | * debian/patches/no-print-on-unsigned: Don't print an error message when | |
201 | validating an unsigned binary as that tends to hang Lenovo machines. | |
202 | (LP: #1087501) | |
203 | ||
4c13d15a | 204 | -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200 |
0c50644a | 205 | |
6657ac38 | 206 | shim (0.4-0ubuntu2) saucy; urgency=low |
15d7c608 SL |
207 | |
208 | * Add missing build-dependency on openssl. | |
209 | ||
6657ac38 | 210 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000 |
15d7c608 | 211 | |
63eea134 | 212 | shim (0.4-0ubuntu1) saucy; urgency=low |
0565508e | 213 | |
1b5fb6c0 | 214 | * New upstream release. |
0565508e SL |
215 | * Drop debian/patches/shim-before-loadimage; upstream has changed this to |
216 | not call loadimage at all. | |
c37196e7 SL |
217 | * debian/patches/sbsigntool-not-pesign: Sign MokManager with |
218 | sbsigntool instead of pesign. | |
e77adb28 | 219 | * Add a versioned build-dependency on gnu-efi. |
0565508e | 220 | |
63eea134 | 221 | -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700 |
0565508e | 222 | |
3cd870ac | 223 | shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low |
3180a8dd SL |
224 | |
225 | * debian/patches/shim-before-loadimage: Use direct verification first | |
226 | before LoadImage. Addresses an issue where Lenovo's SecureBoot | |
227 | implementation pops an error message on any verification failure - avoid | |
228 | calling LoadImage at all unless we have to. | |
229 | ||
3cd870ac | 230 | -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700 |
3180a8dd | 231 | |
1d8992c5 | 232 | shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low |
5ea013bd SL |
233 | |
234 | * debian/patches/second-stage-path: Chainload grubx64.efi, not | |
235 | grub.efi. | |
236 | ||
1d8992c5 | 237 | -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700 |
5ea013bd | 238 | |
be30a850 | 239 | shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low |
76e675cb SL |
240 | |
241 | * debian/patches/prototypes: Include missing prototypes, and disable | |
242 | use of BIO_new_file. | |
63e313d7 SL |
243 | * Only build the package for amd64; we're not signing an i386 shim at this |
244 | stage so there's no point in building it. | |
76e675cb | 245 | |
be30a850 | 246 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000 |
76e675cb | 247 | |
b54fc10a | 248 | shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low |
c86d9dac SL |
249 | |
250 | * Initial release. | |
10d096d4 | 251 | * Include the Canonical Secure Boot master CA. |
c86d9dac | 252 | |
b54fc10a | 253 | -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700 |