debian/changelog

   1 shim (15+1533136590.3beb971-0ubuntu1) cosmic; urgency=medium
   2
   3   [ Steve Langasek ]
   4   * Fix Vcs link.
   5
   6   [ dann frazier ]
   7   * Enable arm64 build.
   8
   9   [ Mathieu Trudel-Lapierre ]
  10   * New upstream snapshot.
  11   * debian/patches/abort_abort_abort.patch: dropped patch, included upstream.
  12   * debian/rules:
  13     - define RELEASE and COMMIT_ID for the snapshot.
  14     - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  15   * debian/patches/fixup_git.patch: don't run git in clean; we're not really
  16     in a git tree.
  17
  18  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 22 Aug 2018 10:52:10 -0400
  19
  20 shim (13-0ubuntu2) bionic; urgency=medium
  21
  22   * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some
  23     of the structure of our binary, partly because abort() is thought to be an
  24     external symbol, which causes some relocalisations to appear.
  25
  26  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 07 Nov 2017 10:19:04 -0500
  27
  28 shim (13-0ubuntu1) artful; urgency=medium
  29
  30   * New upstream release: 13
  31   * debian/control: add a Build-Depends on libelf-dev.
  32   * debian/control: add Breaks: for the previous shim-signed builds given
  33     that shim will now build and ship BOOT.CSV by itself.
  34   * debian/rules:
  35     - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
  36       options: set MAKELEVEL.
  37     - Define an EFI_ARCH variable, and use that for paths to shim. This
  38       makes it possible to build a shim for other architectures than amd64.
  39     - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed
  40       in the "right" final directories, and makes boot.csv for us.
  41     - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
  42       at compile-time for MokManager and fallback.
  43     - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
  44       and MokManager.
  45   * debian/patches/second-stage-path: dropped; the default loader path now
  46     includes an arch suffix.
  47   * debian/patches/sbsigntool-no-pesign: dropped; no longer needed..
  48   * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
  49     included upstream.
  50   * debian/shim.install: update paths in light of using shim's upstream install
  51     target.
  52   * debian/rules, debian/shim.install: make sure the 'make install' step does
  53     what it's meant to do by upstream: we can easily make use of the end result
  54     to have the files we need.
  55
  56  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Fri, 29 Sep 2017 15:11:28 -0400
  57
  58 shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium
  59
  60   [ Steve Langasek ]
  61   * Merge (not yet NEW cleared) changes from Debian branch.
  62
  63   [ Mathieu Trudel-Lapierre ]
  64   * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
  65     against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
  66     for the patch. This will fix issues updating MokSBStateRT if the variable
  67     already exists with different attributes. (LP: #1644806)
  68
  69  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 01 Dec 2016 16:55:50 -0500
  70
  71 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
  72
  73   [ Steve Langasek ]
  74   * Initial Debian upload.  Closes: #820052.
  75   * Update Standards-Version.
  76   * Embed the newly-minted Debian CA certificate.
  77   * Vendorize debian/rules so that the same package can be used in both
  78     Debian and Ubuntu without modification.
  79   * Fix debian/copyright to match the spec (last match wins, not first)
  80   * Fix shim.efi to not be executable.
  81   * Add watchfile.
  82   * Support parallel builds, because eh why not
  83   * Update Vcs-Bzr.
  84   * Resync with Ubuntu, including patch to fix debian/copyright.
  85
  86   [ Julien Cristau ]
  87   * Add some missing copyright holders in d/copyright, update
  88     Upstream-Contact.  Thanks to Helen Koike for the help.
  89
  90  -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200
  91
  92 shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium
  93
  94   [ Helen Koike ]
  95   * debian/copyright: add OpenSSL license
  96
  97   [ Mathieu Trudel-Lapierre ]
  98   * New upstream release. (LP: #1624096)
  99   * debian/copyright: patches should be BSD, like the rest of the upstream
 100     code.
 101   * debian/patches/unused-variable: dropped; applied upstream.
 102   * debian/patches/binutils-version-matching: dropped, fixed upstream.
 103   * debian/shim.install: built EFI binaries were renamed; update our install
 104     file to properly pick up shim (shim$arch), MokManager (mm$arch), and
 105     fallback (fb$arch).
 106
 107  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Thu, 22 Sep 2016 15:02:20 -0400
 108
 109 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
 110
 111   * New upstream release.
 112     - Better handle LoadOptions. (LP: #1581299)
 113     - Measure state and second stage in TPM.
 114     - Mirror MokSBState in runtime as MokSBStateRT.
 115     - Fix failure to build with GCC 5. (LP: #1429978)
 116     - Various bug fixes and other improvements.
 117   * Refreshed patches.
 118     - Remaining patches:
 119       + second-stage-path
 120       + sbsigntool-not-pesign
 121   * debian/patches/unused-variable: remove unused variable size.
 122   * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
 123     match objcopy's version on Ubuntu.
 124   * debian/copyright: update copyright for patches.
 125
 126  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400
 127
 128 shim (0.8-0ubuntu2) wily; urgency=medium
 129
 130   * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
 131
 132  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000
 133
 134 shim (0.8-0ubuntu1) wily; urgency=medium
 135
 136   * New upstream release.
 137     - Clarify meaning of insecure_mode. (LP: #1384973)
 138   * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
 139     debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
 140     in the upstream release.
 141   * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
 142     refreshed.
 143
 144  -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400
 145
 146 shim (0.7-0ubuntu4) utopic; urgency=medium
 147
 148   * SECURITY UPDATE: heap overflow and out-of-bounds read access when
 149     parsing DHCPv6 information
 150     - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
 151       when parsing data provided in DHCPv6 packets.
 152     - CVE-2014-3675
 153     - CVE-2014-3676
 154   * SECURITY UPDATE: memory corruption when processing user-provided key
 155     lists
 156     - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
 157       key (MOK) lists and ignore them, avoiding possible memory corruption.
 158     - CVE-2014-3677
 159
 160  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000
 161
 162 shim (0.7-0ubuntu2) utopic; urgency=medium
 163
 164   * Restore debian/patches/prototypes, which still is needed on shim 0.7
 165     but only detected on the buildds.
 166   * Update debian/patches/prototypes with some new declarations needed for
 167     openssl 0.9.8za update.
 168
 169  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700
 170
 171 shim (0.7-0ubuntu1) utopic; urgency=medium
 172
 173   * New upstream release.
 174     - fix spurious error message when fallback.efi is not present, as will
 175       always be the case for removable media.  LP: #1297069.
 176     - drop most patches, included upstream.
 177   * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
 178     openssl 0.9.8za in via upstream.
 179
 180  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000
 181
 182 shim (0.4-0ubuntu5) utopic; urgency=low
 183
 184   * Install fallback.efi.signed as well, to lay the groundwork for fallback
 185     handling (wanted when we have to move a drive between machines, or when
 186     the firmware loses its marbles^W nvram).
 187
 188  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200
 189
 190 shim (0.4-0ubuntu4) saucy; urgency=low
 191
 192   * debian/patches/fix-tftp-prototype: pass the right arguments to
 193     EFI_PXE_BASE_CODE_TFTP_READ_FILE.
 194   * debian/patches/build-with-Werror: Build with -Werror to catch future
 195     prototype mismatches.
 196   * debian/patches/fix-compiler-warnings: Fix remaining compiler
 197     warnings in netboot.c.
 198   * debian/patches/tftp-proper-nul-termination: fix nul termination
 199     errors in filenames passed to tftp.
 200   * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
 201     the netboot code.
 202
 203  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700
 204
 205 shim (0.4-0ubuntu3) saucy; urgency=low
 206
 207   [ Steve Langasek ]
 208   * Install MokManager.efi.signed in the package.
 209   * debian/patches/no-output-by-default.patch: Don't print any
 210     informational messages.  Closes LP: #1074302.
 211
 212   [ Stéphane Graber ]
 213   * debian/patches/no-print-on-unsigned: Don't print an error message when
 214     validating an unsigned binary as that tends to hang Lenovo machines.
 215     (LP: #1087501)
 216
 217  -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200
 218
 219 shim (0.4-0ubuntu2) saucy; urgency=low
 220
 221   * Add missing build-dependency on openssl.
 222
 223  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000
 224
 225 shim (0.4-0ubuntu1) saucy; urgency=low
 226
 227   * New upstream release.
 228   * Drop debian/patches/shim-before-loadimage; upstream has changed this to
 229     not call loadimage at all.
 230   * debian/patches/sbsigntool-not-pesign: Sign MokManager with
 231     sbsigntool instead of pesign.
 232   * Add a versioned build-dependency on gnu-efi.
 233
 234  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700
 235
 236 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
 237
 238   * debian/patches/shim-before-loadimage: Use direct verification first
 239     before LoadImage.  Addresses an issue where Lenovo's SecureBoot
 240     implementation pops an error message on any verification failure - avoid
 241     calling LoadImage at all unless we have to.
 242
 243  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700
 244
 245 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
 246
 247   * debian/patches/second-stage-path: Chainload grubx64.efi, not
 248     grub.efi.
 249
 250  -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700
 251
 252 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
 253
 254   * debian/patches/prototypes: Include missing prototypes, and disable
 255     use of BIO_new_file.
 256   * Only build the package for amd64; we're not signing an i386 shim at this
 257     stage so there's no point in building it.
 258
 259  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000
 260
 261 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
 262
 263   * Initial release.
 264   * Include the Canonical Secure Boot master CA.
 265
 266  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700