debian/changelog

   1 shim (15+1533136590.3beb971-7) UNRELEASED; urgency=medium
   2
   3   [ Steve McIntyre ]
   4   * Backport needed crash fixes:
   5     + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
   6     + Fix OBJ_create() to tolerate a NULL sn and ln
   7   * Update VCS-* fields in debian/control
   8   * Build using gcc-7 to get better control of reproducibility during the
   9     lifetime of Buster.
  10   * Build in a dbx list to blacklist binaries that we know to not be
  11     secure. Build-depend on a new (bug-fixed) version of pesign to
  12     generate that list at build time, using a list of known bad hashes.
  13   * Initial list of known bad hashes is just my personal test binary.
  14
  15  -- Steve McIntyre <93sam@debian.org>  Fri, 03 May 2019 01:39:34 +0100
  16
  17 shim (15+1533136590.3beb971-6) unstable; urgency=medium
  18
  19   [ Steve McIntyre ]
  20   * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
  21     clashes with the old shim-signed package for fbx64.efi.signed and
  22     mmx64.efi.signed. Closes: #924619
  23
  24   [ Helmut Grohne ]
  25   * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
  26
  27  -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000
  28
  29 shim (15+1533136590.3beb971-5) unstable; urgency=medium
  30
  31   [ Ansgar Burchardt ]
  32   * Correct maintainer address in signing template
  33
  34   [ Steve McIntyre ]
  35   * Remove Rules-Requires-Root in the signing template. We manually install
  36     things owned by root. There might be better ways to do this, but this
  37     will do for now.
  38
  39  -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000
  40
  41 shim (15+1533136590.3beb971-4) unstable; urgency=medium
  42
  43   [ Steve McIntyre ]
  44   * No-change sourceful upload to get rebuilds (and hence build logs) from
  45     the buildds. Hoping to get this version signed by Microsoft, so let's
  46     make our setup as clean as possible.
  47
  48  -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000
  49
  50 shim (15+1533136590.3beb971-3) unstable; urgency=medium
  51
  52   [ Philipp Hahn ]
  53   * debian/rules: fixing permissions no longer required
  54   * debian/rules: Disable ephemeral key on Debian.
  55   * Rename binary package to 'shim-unsigned'
  56   * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
  57
  58   [ Luca Boccassi ]
  59   * Override lintian error about template rules file.
  60   * Include /usr/share/dpkg/architecture.mk instead of shelling out.
  61   * Add uname.patch to avoid embedding the kernel architecture in the
  62     binary and to use a fixed string instead.
  63
  64   [ Steve McIntyre ]
  65   * Change maintenance address to be the EFI team
  66   * Add me and vorlon to the Uploaders list
  67   * Rename the helper binary packages to shim-helpers-$arch.
  68   * Update the signing-template JSON metadata to match new practice:
  69     + Move all the data under a new top-level "packages" key
  70     + Add an empty "trusted_certs" key - the helper binaries do not do any
  71       further verification with an embedded key.
  72
  73  -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000
  74
  75 shim (15+1533136590.3beb971-2) unstable; urgency=medium
  76
  77   * Update debian/watch.
  78   * Update VCS to point to salsa.
  79   * Fix debian/rules syntax for arm64 build.
  80   * Enable build for i386.
  81   * Ensure DEB_HOST_ARCH is set even if not present in the environment.
  82   * Update Standards-Version.
  83   * Update debian/copyright (drop reference to file no longer in source)
  84
  85  -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000
  86
  87 shim (15+1533136590.3beb971-1) unstable; urgency=medium
  88
  89   * New upstream release.
  90     - debian/patches/second-stage-path: dropped; the default loader path now
  91       includes an arch suffix.
  92     - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
  93   * Drop remaining patches that were not being applied.
  94   * Sync packaging from Ubuntu:
  95     - debian/copyright: Update upstream source location.
  96     - debian/control: add a Build-Depends on libelf-dev.
  97     - Enable arm64 build.
  98     - debian/patches/fixup_git.patch: don't run git in clean; we're not
  99       really in a git tree.
 100     - debian/rules, debian/shim.install: use the upstream install target as
 101       intended, and move files to the target directory using dh_install.
 102     - define RELEASE and COMMIT_ID for the snapshot.
 103     - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
 104     - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
 105       options: set MAKELEVEL.
 106     - Define an EFI_ARCH variable, and use that for paths to shim. This
 107       makes it possible to build a shim for other architectures than amd64.
 108     - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
 109       in the "right" final directories, and makes boot.csv for us.
 110     - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
 111       at compile-time for MokManager and fallback.
 112     - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
 113       and MokManager.
 114
 115  -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000
 116
 117 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
 118
 119   [ Steve Langasek ]
 120   * Initial Debian upload.  Closes: #820052.
 121   * Update Standards-Version.
 122   * Embed the newly-minted Debian CA certificate.
 123   * Vendorize debian/rules so that the same package can be used in both
 124     Debian and Ubuntu without modification.
 125   * Fix debian/copyright to match the spec (last match wins, not first)
 126   * Fix shim.efi to not be executable.
 127   * Add watchfile.
 128   * Support parallel builds, because eh why not
 129   * Update Vcs-Bzr.
 130   * Resync with Ubuntu, including patch to fix debian/copyright.
 131
 132   [ Julien Cristau ]
 133   * Add some missing copyright holders in d/copyright, update
 134     Upstream-Contact.  Thanks to Helen Koike for the help.
 135
 136  -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200
 137
 138 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
 139
 140   [ Helen Koike ]
 141   * debian/copyright: add OpenSSL license
 142
 143   [ Mathieu Trudel-Lapierre ]
 144   * New upstream release.
 145   * debian/copyright: patches should be BSD, like the rest of the upstream
 146     code.
 147   * debian/patches/unused-variable: dropped; applied upstream.
 148   * debian/patches/binutils-version-matching: dropped, fixed upstream.
 149   * debian/shim.install: built EFI binaries were renamed; update our install
 150     file to properly pick up shim (shim$arch), MokManager (mm$arch), and
 151     fallback (fb$arch).
 152
 153  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400
 154
 155 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
 156
 157   * New upstream release.
 158     - Better handle LoadOptions. (LP: #1581299)
 159     - Measure state and second stage in TPM.
 160     - Mirror MokSBState in runtime as MokSBStateRT.
 161     - Fix failure to build with GCC 5. (LP: #1429978)
 162     - Various bug fixes and other improvements.
 163   * Refreshed patches.
 164     - Remaining patches:
 165       + second-stage-path
 166       + sbsigntool-not-pesign
 167   * debian/patches/unused-variable: remove unused variable size.
 168   * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
 169     match objcopy's version on Ubuntu.
 170   * debian/copyright: update copyright for patches.
 171
 172  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400
 173
 174 shim (0.8-0ubuntu2) wily; urgency=medium
 175
 176   * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
 177
 178  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000
 179
 180 shim (0.8-0ubuntu1) wily; urgency=medium
 181
 182   * New upstream release.
 183     - Clarify meaning of insecure_mode. (LP: #1384973)
 184   * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
 185     debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
 186     in the upstream release.
 187   * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
 188     refreshed.
 189
 190  -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400
 191
 192 shim (0.7-0ubuntu4) utopic; urgency=medium
 193
 194   * SECURITY UPDATE: heap overflow and out-of-bounds read access when
 195     parsing DHCPv6 information
 196     - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
 197       when parsing data provided in DHCPv6 packets.
 198     - CVE-2014-3675
 199     - CVE-2014-3676
 200   * SECURITY UPDATE: memory corruption when processing user-provided key
 201     lists
 202     - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
 203       key (MOK) lists and ignore them, avoiding possible memory corruption.
 204     - CVE-2014-3677
 205
 206  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000
 207
 208 shim (0.7-0ubuntu2) utopic; urgency=medium
 209
 210   * Restore debian/patches/prototypes, which still is needed on shim 0.7
 211     but only detected on the buildds.
 212   * Update debian/patches/prototypes with some new declarations needed for
 213     openssl 0.9.8za update.
 214
 215  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700
 216
 217 shim (0.7-0ubuntu1) utopic; urgency=medium
 218
 219   * New upstream release.
 220     - fix spurious error message when fallback.efi is not present, as will
 221       always be the case for removable media.  LP: #1297069.
 222     - drop most patches, included upstream.
 223   * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
 224     openssl 0.9.8za in via upstream.
 225
 226  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000
 227
 228 shim (0.4-0ubuntu5) utopic; urgency=low
 229
 230   * Install fallback.efi.signed as well, to lay the groundwork for fallback
 231     handling (wanted when we have to move a drive between machines, or when
 232     the firmware loses its marbles^W nvram).
 233
 234  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200
 235
 236 shim (0.4-0ubuntu4) saucy; urgency=low
 237
 238   * debian/patches/fix-tftp-prototype: pass the right arguments to
 239     EFI_PXE_BASE_CODE_TFTP_READ_FILE.
 240   * debian/patches/build-with-Werror: Build with -Werror to catch future
 241     prototype mismatches.
 242   * debian/patches/fix-compiler-warnings: Fix remaining compiler
 243     warnings in netboot.c.
 244   * debian/patches/tftp-proper-nul-termination: fix nul termination
 245     errors in filenames passed to tftp.
 246   * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
 247     the netboot code.
 248
 249  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700
 250
 251 shim (0.4-0ubuntu3) saucy; urgency=low
 252
 253   [ Steve Langasek ]
 254   * Install MokManager.efi.signed in the package.
 255   * debian/patches/no-output-by-default.patch: Don't print any
 256     informational messages.  Closes LP: #1074302.
 257
 258   [ Stéphane Graber ]
 259   * debian/patches/no-print-on-unsigned: Don't print an error message when
 260     validating an unsigned binary as that tends to hang Lenovo machines.
 261     (LP: #1087501)
 262
 263  -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200
 264
 265 shim (0.4-0ubuntu2) saucy; urgency=low
 266
 267   * Add missing build-dependency on openssl.
 268
 269  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000
 270
 271 shim (0.4-0ubuntu1) saucy; urgency=low
 272
 273   * New upstream release.
 274   * Drop debian/patches/shim-before-loadimage; upstream has changed this to
 275     not call loadimage at all.
 276   * debian/patches/sbsigntool-not-pesign: Sign MokManager with
 277     sbsigntool instead of pesign.
 278   * Add a versioned build-dependency on gnu-efi.
 279
 280  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700
 281
 282 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
 283
 284   * debian/patches/shim-before-loadimage: Use direct verification first
 285     before LoadImage.  Addresses an issue where Lenovo's SecureBoot
 286     implementation pops an error message on any verification failure - avoid
 287     calling LoadImage at all unless we have to.
 288
 289  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700
 290
 291 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
 292
 293   * debian/patches/second-stage-path: Chainload grubx64.efi, not
 294     grub.efi.
 295
 296  -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700
 297
 298 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
 299
 300   * debian/patches/prototypes: Include missing prototypes, and disable
 301     use of BIO_new_file.
 302   * Only build the package for amd64; we're not signing an i386 shim at this
 303     stage so there's no point in building it.
 304
 305  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000
 306
 307 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
 308
 309   * Initial release.
 310   * Include the Canonical Secure Boot master CA.
 311
 312  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700