shim (13-0ubuntu3) UNRELEASED; urgency=medium

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Apr 2018 18:08:31 -0700

shim (13-0ubuntu2) bionic; urgency=medium

  * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some
    of the structure of our binary, partly because abort() is thought to be an
    external symbol, which causes some relocalisations to appear.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 07 Nov 2017 10:19:04 -0500

shim (13-0ubuntu1) artful; urgency=medium

  * New upstream release: 13
  * debian/control: add a Build-Depends on libelf-dev.
  * debian/control: add Breaks: for the previous shim-signed builds given
    that shim will now build and ship BOOT.CSV by itself.
    - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
      options: set MAKELEVEL.
    - Define an EFI_ARCH variable, and use that for paths to shim. This
      makes it possible to build a shim for other architectures than amd64.
    - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed
      in the "right" final directories, and makes boot.csv for us.
    - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
      at compile-time for MokManager and fallback.
    - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
  * debian/patches/second-stage-path: dropped; the default loader path now
    includes an arch suffix.
  * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
  * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
  * debian/shim.install: update paths in light of using shim's upstream install
  * debian/rules, debian/shim.install: make sure the 'make install' step does
    what it's meant to do by upstream: we can easily make use of the end result
    to have the files we need.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 29 Sep 2017 15:11:28 -0400

shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium

  * Merge (not yet NEW cleared) changes from Debian branch.

  [ Mathieu Trudel-Lapierre ]
  * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
    against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
    for the patch. This will fix issues updating MokSBStateRT if the variable
    already exists with different attributes. (LP: #1644806)

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 01 Dec 2016 16:55:50 -0500

shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium

  * Initial Debian upload. Closes: #820052.
  * Update Standards-Version.
  * Embed the newly-minted Debian CA certificate.
  * Vendorize debian/rules so that the same package can be used in both
    Debian and Ubuntu without modification.
  * Fix debian/copyright to match the spec (last match wins, not first)
  * Fix shim.efi to not be executable.
  * Support parallel builds, because eh why not
  * Resync with Ubuntu, including patch to fix debian/copyright.
  * Add some missing copyright holders in d/copyright, update
    Upstream-Contact. Thanks to Helen Koike for the help.

 -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200

shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium

  * debian/copyright: add OpenSSL license

  [ Mathieu Trudel-Lapierre ]
  * New upstream release. (LP: #1624096)
  * debian/copyright: patches should be BSD, like the rest of the upstream
  * debian/patches/unused-variable: dropped; applied upstream.
  * debian/patches/binutils-version-matching: dropped, fixed upstream.
  * debian/shim.install: built EFI binaries were renamed; update our install
    file to properly pick up shim (shim$arch), MokManager (mm$arch), and

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 22 Sep 2016 15:02:20 -0400

shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
    + sbsigntool-not-pesign
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400

shim (0.8-0ubuntu2) wily; urgency=medium

  * No-change rebuild against gnu-efi 3.0v-5ubuntu1.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000

shim (0.8-0ubuntu1) wily; urgency=medium

  * New upstream release.
    - Clarify meaning of insecure_mode. (LP: #1384973)
  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
    in the upstream release.
  * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:

 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400

shim (0.7-0ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
    parsing DHCPv6 information
    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
      when parsing data provided in DHCPv6 packets.
  * SECURITY UPDATE: memory corruption when processing user-provided key
    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
      key (MOK) lists and ignore them, avoiding possible memory corruption.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000

shim (0.7-0ubuntu2) utopic; urgency=medium

  * Restore debian/patches/prototypes, which still is needed on shim 0.7
    but only detected on the buildds.
  * Update debian/patches/prototypes with some new declarations needed for
    openssl 0.9.8za update.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700

shim (0.7-0ubuntu1) utopic; urgency=medium

  * New upstream release.
    - fix spurious error message when fallback.efi is not present, as will
      always be the case for removable media. LP: #1297069.
    - drop most patches, included upstream.
  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
    openssl 0.9.8za in via upstream.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000

shim (0.4-0ubuntu5) utopic; urgency=low

  * Install fallback.efi.signed as well, to lay the groundwork for fallback
    handling (wanted when we have to move a drive between machines, or when
    the firmware loses its marbles^W nvram).

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200

shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler
    warnings in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix nul termination
    errors in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700

shim (0.4-0ubuntu3) saucy; urgency=low

  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages. Closes LP: #1074302.
  * debian/patches/no-print-on-unsigned: Don't print an error message when
    validating an unsigned binary as that tends to hang Lenovo machines.

 -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
    not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
    sbsigntool instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage. Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure - avoid
    calling LoadImage at all unless we have to.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700

shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low

  * debian/patches/second-stage-path: Chainload grubx64.efi, not

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700

shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low

  * debian/patches/prototypes: Include missing prototypes, and disable
  * Only build the package for amd64; we're not signing an i386 shim at this
    stage so there's no point in building it.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000

shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low

  * Include the Canonical Secure Boot master CA.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700