1 shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium
4 * Backport needed crash fixes:
5 + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
6 + Fix OBJ_create() to tolerate a NULL sn and ln
7 * Update VCS-* fields in debian/control
9 -- Steve McIntyre <93sam@debian.org> Fri, 03 May 2019 01:39:34 +0100
11 shim (15+1533136590.3beb971-6) unstable; urgency=medium
14 * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
15 clashes with the old shim-signed package for fbx64.efi.signed and
16 mmx64.efi.signed. Closes: #924619
19 * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
21 -- Steve McIntyre <93sam@debian.org> Sat, 23 Mar 2019 18:19:13 +0000
23 shim (15+1533136590.3beb971-5) unstable; urgency=medium
26 * Correct maintainer address in signing template
29 * Remove Rules-Requires-Root in the signing template. We manually install
30 things owned by root. There might be better ways to do this, but this
33 -- Steve McIntyre <93sam@debian.org> Tue, 12 Mar 2019 01:38:19 +0000
35 shim (15+1533136590.3beb971-4) unstable; urgency=medium
38 * No-change sourceful upload to get rebuilds (and hence build logs) from
39 the buildds. Hoping to get this version signed by Microsoft, so let's
40 make our setup as clean as possible.
42 -- Steve McIntyre <93sam@debian.org> Sat, 09 Mar 2019 22:24:23 +0000
44 shim (15+1533136590.3beb971-3) unstable; urgency=medium
47 * debian/rules: fixing permissions no longer required
48 * debian/rules: Disable ephemeral key on Debian.
49 * Rename binary package to 'shim-unsigned'
50 * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
53 * Override lintian error about template rules file.
54 * Include /usr/share/dpkg/architecture.mk instead of shelling out.
55 * Add uname.patch to avoid embedding the kernel architecture in the
56 binary and to use a fixed string instead.
59 * Change maintenance address to be the EFI team
60 * Add me and vorlon to the Uploaders list
61 * Rename the helper binary packages to shim-helpers-$arch.
62 * Update the signing-template JSON metadata to match new practice:
63 + Move all the data under a new top-level "packages" key
64 + Add an empty "trusted_certs" key - the helper binaries do not do any
65 further verification with an embedded key.
67 -- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
69 shim (15+1533136590.3beb971-2) unstable; urgency=medium
71 * Update debian/watch.
72 * Update VCS to point to salsa.
73 * Fix debian/rules syntax for arm64 build.
74 * Enable build for i386.
75 * Ensure DEB_HOST_ARCH is set even if not present in the environment.
76 * Update Standards-Version.
77 * Update debian/copyright (drop reference to file no longer in source)
79 -- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000
81 shim (15+1533136590.3beb971-1) unstable; urgency=medium
83 * New upstream release.
84 - debian/patches/second-stage-path: dropped; the default loader path now
85 includes an arch suffix.
86 - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
87 * Drop remaining patches that were not being applied.
88 * Sync packaging from Ubuntu:
89 - debian/copyright: Update upstream source location.
90 - debian/control: add a Build-Depends on libelf-dev.
92 - debian/patches/fixup_git.patch: don't run git in clean; we're not
94 - debian/rules, debian/shim.install: use the upstream install target as
95 intended, and move files to the target directory using dh_install.
96 - define RELEASE and COMMIT_ID for the snapshot.
97 - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
98 - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
99 options: set MAKELEVEL.
100 - Define an EFI_ARCH variable, and use that for paths to shim. This
101 makes it possible to build a shim for other architectures than amd64.
102 - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
103 in the "right" final directories, and makes boot.csv for us.
104 - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
105 at compile-time for MokManager and fallback.
106 - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
109 -- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
111 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
114 * Initial Debian upload. Closes: #820052.
115 * Update Standards-Version.
116 * Embed the newly-minted Debian CA certificate.
117 * Vendorize debian/rules so that the same package can be used in both
118 Debian and Ubuntu without modification.
119 * Fix debian/copyright to match the spec (last match wins, not first)
120 * Fix shim.efi to not be executable.
122 * Support parallel builds, because eh why not
124 * Resync with Ubuntu, including patch to fix debian/copyright.
127 * Add some missing copyright holders in d/copyright, update
128 Upstream-Contact. Thanks to Helen Koike for the help.
130 -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
132 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
135 * debian/copyright: add OpenSSL license
137 [ Mathieu Trudel-Lapierre ]
138 * New upstream release.
139 * debian/copyright: patches should be BSD, like the rest of the upstream
141 * debian/patches/unused-variable: dropped; applied upstream.
142 * debian/patches/binutils-version-matching: dropped, fixed upstream.
143 * debian/shim.install: built EFI binaries were renamed; update our install
144 file to properly pick up shim (shim$arch), MokManager (mm$arch), and
147 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
149 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
151 * New upstream release.
152 - Better handle LoadOptions. (LP: #1581299)
153 - Measure state and second stage in TPM.
154 - Mirror MokSBState in runtime as MokSBStateRT.
155 - Fix failure to build with GCC 5. (LP: #1429978)
156 - Various bug fixes and other improvements.
160 + sbsigntool-not-pesign
161 * debian/patches/unused-variable: remove unused variable size.
162 * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
163 match objcopy's version on Ubuntu.
164 * debian/copyright: update copyright for patches.
166 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
168 shim (0.8-0ubuntu2) wily; urgency=medium
170 * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
172 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
174 shim (0.8-0ubuntu1) wily; urgency=medium
176 * New upstream release.
177 - Clarify meaning of insecure_mode. (LP: #1384973)
178 * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
179 debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
180 in the upstream release.
181 * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
184 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
186 shim (0.7-0ubuntu4) utopic; urgency=medium
188 * SECURITY UPDATE: heap overflow and out-of-bounds read access when
189 parsing DHCPv6 information
190 - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
191 when parsing data provided in DHCPv6 packets.
194 * SECURITY UPDATE: memory corruption when processing user-provided key
196 - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
197 key (MOK) lists and ignore them, avoiding possible memory corruption.
200 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
202 shim (0.7-0ubuntu2) utopic; urgency=medium
204 * Restore debian/patches/prototypes, which still is needed on shim 0.7
205 but only detected on the buildds.
206 * Update debian/patches/prototypes with some new declarations needed for
207 openssl 0.9.8za update.
209 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
211 shim (0.7-0ubuntu1) utopic; urgency=medium
213 * New upstream release.
214 - fix spurious error message when fallback.efi is not present, as will
215 always be the case for removable media. LP: #1297069.
216 - drop most patches, included upstream.
217 * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
218 openssl 0.9.8za in via upstream.
220 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
222 shim (0.4-0ubuntu5) utopic; urgency=low
224 * Install fallback.efi.signed as well, to lay the groundwork for fallback
225 handling (wanted when we have to move a drive between machines, or when
226 the firmware loses its marbles^W nvram).
228 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
230 shim (0.4-0ubuntu4) saucy; urgency=low
232 * debian/patches/fix-tftp-prototype: pass the right arguments to
233 EFI_PXE_BASE_CODE_TFTP_READ_FILE.
234 * debian/patches/build-with-Werror: Build with -Werror to catch future
235 prototype mismatches.
236 * debian/patches/fix-compiler-warnings: Fix remaining compiler
237 warnings in netboot.c.
238 * debian/patches/tftp-proper-nul-termination: fix nul termination
239 errors in filenames passed to tftp.
240 * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
243 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
245 shim (0.4-0ubuntu3) saucy; urgency=low
248 * Install MokManager.efi.signed in the package.
249 * debian/patches/no-output-by-default.patch: Don't print any
250 informational messages. Closes LP: #1074302.
253 * debian/patches/no-print-on-unsigned: Don't print an error message when
254 validating an unsigned binary as that tends to hang Lenovo machines.
257 -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
259 shim (0.4-0ubuntu2) saucy; urgency=low
261 * Add missing build-dependency on openssl.
263 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
265 shim (0.4-0ubuntu1) saucy; urgency=low
267 * New upstream release.
268 * Drop debian/patches/shim-before-loadimage; upstream has changed this to
269 not call loadimage at all.
270 * debian/patches/sbsigntool-not-pesign: Sign MokManager with
271 sbsigntool instead of pesign.
272 * Add a versioned build-dependency on gnu-efi.
274 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
276 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
278 * debian/patches/shim-before-loadimage: Use direct verification first
279 before LoadImage. Addresses an issue where Lenovo's SecureBoot
280 implementation pops an error message on any verification failure - avoid
281 calling LoadImage at all unless we have to.
283 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
285 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
287 * debian/patches/second-stage-path: Chainload grubx64.efi, not
290 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
292 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
294 * debian/patches/prototypes: Include missing prototypes, and disable
296 * Only build the package for amd64; we're not signing an i386 shim at this
297 stage so there's no point in building it.
299 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
301 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
304 * Include the Canonical Secure Boot master CA.
306 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700