]> git.proxmox.com Git - efi-boot-shim.git/blob - debian/changelog
projects / efi-boot-shim.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add Debian SBAT data to the shim build
[efi-boot-shim.git] / debian / changelog
1 shim (15+1613861442.888f5b5-1) unstable; urgency=medium
2
3 [ Steve McIntyre ]
4 * Switch to much-newer upstream code point with many fixes
5 + Particularly pulling in SBAT changes for better revocation support
6 + Remove all our old patches, no longer needed:
7 - avoid_null_vsprint.patch
8 - check_null_sn_ln.patch
9 - fixup_git.patch
10 - uname.patch
11 - use_compare_mem_gcc9.patch
12 * New patches:
13 + fix-Make.coverity-bashisms.patch
14 (Trivial changes to remove bashisms in Make.coverity)
15 + cast-CHAR8-string-handling.patch
16 (Cast CHAR8 strings to use (const char *) when using string
17 functions)
18 * Switch to using gcc-10 rather than gcc-9. Closes: #978521
19 * Add dbx entries for all our existing grub binaries
20 + They're insecure, let's break the chainloading hole.
21 * Add Debian SBAT data
22 + Add a Debian SBAT template, and rules to use it
23 + Adds a build-dep on dos2unix
24
25 -- Steve McIntyre <93sam@debian.org> Sun, 21 Feb 2021 13:50:16 +0100
26
27 shim (15+1533136590.3beb971-10) unstable; urgency=medium
28
29 [ Debian Janitor ]
30 * Trim trailing whitespace.
31 * Use secure copyright file specification URI.
32 * debian/copyright: use spaces rather than tabs to start continuation
33 lines.
34 * Bump debhelper from old 11 to 12.
35 * Set debhelper-compat version in Build-Depends.
36 * Set upstream metadata fields: Bug-Database, Bug-Submit.
37 * Update standards version to 4.4.1, no changes needed.
38
39 [ Steve McIntyre ]
40 * Trivial changes to generating the inbuilt dbx if we're using it.
41 * Upload to pick up rotated Debian signing keys
42
43 -- Steve McIntyre <93sam@debian.org> Fri, 24 Jul 2020 01:22:46 +0100
44
45 shim (15+1533136590.3beb971-9) unstable; urgency=medium
46
47 [ Steve McIntyre ]
48 * In the -helpers-ARCH-signed packages, change the version
49 dependency on shim-unsigned to be >= and not =. This will allow
50 for installation to still work in the window while we wait for the
51 template package to do its second trip through the
52 archive. Closes: #955356
53
54 -- Steve McIntyre <93sam@debian.org> Mon, 30 Mar 2020 15:19:08 +0100
55
56 shim (15+1533136590.3beb971-8) unstable; urgency=medium
57
58 [ Steve McIntyre ]
59 * Use --padding when calling pesign to generate hashes for the dbx
60 list, as recommended by Peter Jones. No actual changes needed in
61 our list of hashes at this point - they work out the same either
62 way.
63 * Switch to using gcc-9 for builds, tweaking a patch from upstream
64 to fix a FTBFS. Closes: #925816
65 * Update debhelper compat level to 11 for shim and the
66 signing-template
67
68 -- Steve McIntyre <93sam@debian.org> Tue, 24 Mar 2020 16:51:10 +0000
69
70 shim (15+1533136590.3beb971-7) unstable; urgency=medium
71
72 [ Ansgar Burchardt ]
73 * debian/control: Update Vcs-* fields
74
75 [ Steve McIntyre ]
76 * Backport needed crash fixes:
77 + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
78 + Fix OBJ_create() to tolerate a NULL sn and ln
79 * Build using gcc-7 to get better control of reproducibility during the
80 lifetime of Buster.
81 * Build in a dbx list to blacklist binaries that we know to not be
82 secure. Build-depend on a new (bug-fixed) version of pesign to
83 generate that list at build time, using a list of known bad hashes.
84 * Initial list of known bad hashes is just my personal test binary.
85
86 -- Steve McIntyre <93sam@debian.org> Wed, 08 May 2019 02:05:01 +0100
87
88 shim (15+1533136590.3beb971-6) unstable; urgency=medium
89
90 [ Steve McIntyre ]
91 * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
92 clashes with the old shim-signed package for fbx64.efi.signed and
93 mmx64.efi.signed. Closes: #924619
94
95 [ Helmut Grohne ]
96 * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
97
98 -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000
99
100 shim (15+1533136590.3beb971-5) unstable; urgency=medium
101
102 [ Ansgar Burchardt ]
103 * Correct maintainer address in signing template
104
105 [ Steve McIntyre ]
106 * Remove Rules-Requires-Root in the signing template. We manually install
107 things owned by root. There might be better ways to do this, but this
108 will do for now.
109
110 -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000
111
112 shim (15+1533136590.3beb971-4) unstable; urgency=medium
113
114 [ Steve McIntyre ]
115 * No-change sourceful upload to get rebuilds (and hence build logs) from
116 the buildds. Hoping to get this version signed by Microsoft, so let's
117 make our setup as clean as possible.
118
119 -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000
120
121 shim (15+1533136590.3beb971-3) unstable; urgency=medium
122
123 [ Philipp Hahn ]
124 * debian/rules: fixing permissions no longer required
125 * debian/rules: Disable ephemeral key on Debian.
126 * Rename binary package to 'shim-unsigned'
127 * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
128
129 [ Luca Boccassi ]
130 * Override lintian error about template rules file.
131 * Include /usr/share/dpkg/architecture.mk instead of shelling out.
132 * Add uname.patch to avoid embedding the kernel architecture in the
133 binary and to use a fixed string instead.
134
135 [ Steve McIntyre ]
136 * Change maintenance address to be the EFI team
137 * Add me and vorlon to the Uploaders list
138 * Rename the helper binary packages to shim-helpers-$arch.
139 * Update the signing-template JSON metadata to match new practice:
140 + Move all the data under a new top-level "packages" key
141 + Add an empty "trusted_certs" key - the helper binaries do not do any
142 further verification with an embedded key.
143
144 -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
145
146 shim (15+1533136590.3beb971-2) unstable; urgency=medium
147
148 * Update debian/watch.
149 * Update VCS to point to salsa.
150 * Fix debian/rules syntax for arm64 build.
151 * Enable build for i386.
152 * Ensure DEB_HOST_ARCH is set even if not present in the environment.
153 * Update Standards-Version.
154 * Update debian/copyright (drop reference to file no longer in source)
155
156 -- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000
157
158 shim (15+1533136590.3beb971-1) unstable; urgency=medium
159
160 * New upstream release.
161 - debian/patches/second-stage-path: dropped; the default loader path now
162 includes an arch suffix.
163 - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
164 * Drop remaining patches that were not being applied.
165 * Sync packaging from Ubuntu:
166 - debian/copyright: Update upstream source location.
167 - debian/control: add a Build-Depends on libelf-dev.
168 - Enable arm64 build.
169 - debian/patches/fixup_git.patch: don't run git in clean; we're not
170 really in a git tree.
171 - debian/rules, debian/shim.install: use the upstream install target as
172 intended, and move files to the target directory using dh_install.
173 - define RELEASE and COMMIT_ID for the snapshot.
174 - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
175 - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
176 options: set MAKELEVEL.
177 - Define an EFI_ARCH variable, and use that for paths to shim. This
178 makes it possible to build a shim for other architectures than amd64.
179 - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
180 in the "right" final directories, and makes boot.csv for us.
181 - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
182 at compile-time for MokManager and fallback.
183 - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
184 and MokManager.
185
186 -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
187
188 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
189
190 [ Steve Langasek ]
191 * Initial Debian upload. Closes: #820052.
192 * Update Standards-Version.
193 * Embed the newly-minted Debian CA certificate.
194 * Vendorize debian/rules so that the same package can be used in both
195 Debian and Ubuntu without modification.
196 * Fix debian/copyright to match the spec (last match wins, not first)
197 * Fix shim.efi to not be executable.
198 * Add watchfile.
199 * Support parallel builds, because eh why not
200 * Update Vcs-Bzr.
201 * Resync with Ubuntu, including patch to fix debian/copyright.
202
203 [ Julien Cristau ]
204 * Add some missing copyright holders in d/copyright, update
205 Upstream-Contact. Thanks to Helen Koike for the help.
206
207 -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
208
209 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
210
211 [ Helen Koike ]
212 * debian/copyright: add OpenSSL license
213
214 [ Mathieu Trudel-Lapierre ]
215 * New upstream release.
216 * debian/copyright: patches should be BSD, like the rest of the upstream
217 code.
218 * debian/patches/unused-variable: dropped; applied upstream.
219 * debian/patches/binutils-version-matching: dropped, fixed upstream.
220 * debian/shim.install: built EFI binaries were renamed; update our install
221 file to properly pick up shim (shim$arch), MokManager (mm$arch), and
222 fallback (fb$arch).
223
224 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
225
226 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
227
228 * New upstream release.
229 - Better handle LoadOptions. (LP: #1581299)
230 - Measure state and second stage in TPM.
231 - Mirror MokSBState in runtime as MokSBStateRT.
232 - Fix failure to build with GCC 5. (LP: #1429978)
233 - Various bug fixes and other improvements.
234 * Refreshed patches.
235 - Remaining patches:
236 + second-stage-path
237 + sbsigntool-not-pesign
238 * debian/patches/unused-variable: remove unused variable size.
239 * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
240 match objcopy's version on Ubuntu.
241 * debian/copyright: update copyright for patches.
242
243 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
244
245 shim (0.8-0ubuntu2) wily; urgency=medium
246
247 * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
248
249 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
250
251 shim (0.8-0ubuntu1) wily; urgency=medium
252
253 * New upstream release.
254 - Clarify meaning of insecure_mode. (LP: #1384973)
255 * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
256 debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
257 in the upstream release.
258 * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
259 refreshed.
260
261 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
262
263 shim (0.7-0ubuntu4) utopic; urgency=medium
264
265 * SECURITY UPDATE: heap overflow and out-of-bounds read access when
266 parsing DHCPv6 information
267 - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
268 when parsing data provided in DHCPv6 packets.
269 - CVE-2014-3675
270 - CVE-2014-3676
271 * SECURITY UPDATE: memory corruption when processing user-provided key
272 lists
273 - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
274 key (MOK) lists and ignore them, avoiding possible memory corruption.
275 - CVE-2014-3677
276
277 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
278
279 shim (0.7-0ubuntu2) utopic; urgency=medium
280
281 * Restore debian/patches/prototypes, which still is needed on shim 0.7
282 but only detected on the buildds.
283 * Update debian/patches/prototypes with some new declarations needed for
284 openssl 0.9.8za update.
285
286 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
287
288 shim (0.7-0ubuntu1) utopic; urgency=medium
289
290 * New upstream release.
291 - fix spurious error message when fallback.efi is not present, as will
292 always be the case for removable media. LP: #1297069.
293 - drop most patches, included upstream.
294 * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
295 openssl 0.9.8za in via upstream.
296
297 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
298
299 shim (0.4-0ubuntu5) utopic; urgency=low
300
301 * Install fallback.efi.signed as well, to lay the groundwork for fallback
302 handling (wanted when we have to move a drive between machines, or when
303 the firmware loses its marbles^W nvram).
304
305 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
306
307 shim (0.4-0ubuntu4) saucy; urgency=low
308
309 * debian/patches/fix-tftp-prototype: pass the right arguments to
310 EFI_PXE_BASE_CODE_TFTP_READ_FILE.
311 * debian/patches/build-with-Werror: Build with -Werror to catch future
312 prototype mismatches.
313 * debian/patches/fix-compiler-warnings: Fix remaining compiler
314 warnings in netboot.c.
315 * debian/patches/tftp-proper-nul-termination: fix nul termination
316 errors in filenames passed to tftp.
317 * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
318 the netboot code.
319
320 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
321
322 shim (0.4-0ubuntu3) saucy; urgency=low
323
324 [ Steve Langasek ]
325 * Install MokManager.efi.signed in the package.
326 * debian/patches/no-output-by-default.patch: Don't print any
327 informational messages. Closes LP: #1074302.
328
329 [ Stéphane Graber ]
330 * debian/patches/no-print-on-unsigned: Don't print an error message when
331 validating an unsigned binary as that tends to hang Lenovo machines.
332 (LP: #1087501)
333
334 -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
335
336 shim (0.4-0ubuntu2) saucy; urgency=low
337
338 * Add missing build-dependency on openssl.
339
340 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
341
342 shim (0.4-0ubuntu1) saucy; urgency=low
343
344 * New upstream release.
345 * Drop debian/patches/shim-before-loadimage; upstream has changed this to
346 not call loadimage at all.
347 * debian/patches/sbsigntool-not-pesign: Sign MokManager with
348 sbsigntool instead of pesign.
349 * Add a versioned build-dependency on gnu-efi.
350
351 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
352
353 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
354
355 * debian/patches/shim-before-loadimage: Use direct verification first
356 before LoadImage. Addresses an issue where Lenovo's SecureBoot
357 implementation pops an error message on any verification failure - avoid
358 calling LoadImage at all unless we have to.
359
360 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
361
362 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
363
364 * debian/patches/second-stage-path: Chainload grubx64.efi, not
365 grub.efi.
366
367 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
368
369 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
370
371 * debian/patches/prototypes: Include missing prototypes, and disable
372 use of BIO_new_file.
373 * Only build the package for amd64; we're not signing an i386 shim at this
374 stage so there's no point in building it.
375
376 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
377
378 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
379
380 * Initial release.
381 * Include the Canonical Secure Boot master CA.
382
383 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
shim, a first-stage UEFI bootloader adapted for Proxmox projects