1 shim (15+1533136590.3beb971-0ubuntu1) cosmic; urgency=medium
9 [ Mathieu Trudel-Lapierre ]
10 * New upstream snapshot.
11 * debian/patches/abort_abort_abort.patch: dropped patch, included upstream.
13 - define RELEASE and COMMIT_ID for the snapshot.
14 - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
15 * debian/patches/fixup_git.patch: don't run git in clean; we're not really
18 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 22 Aug 2018 10:52:10 -0400
20 shim (13-0ubuntu2) bionic; urgency=medium
22 * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some
23 of the structure of our binary, partly because abort() is thought to be an
24 external symbol, which causes some relocalisations to appear.
26 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 07 Nov 2017 10:19:04 -0500
28 shim (13-0ubuntu1) artful; urgency=medium
30 * New upstream release: 13
31 * debian/control: add a Build-Depends on libelf-dev.
32 * debian/control: add Breaks: for the previous shim-signed builds given
33 that shim will now build and ship BOOT.CSV by itself.
35 - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
36 options: set MAKELEVEL.
37 - Define an EFI_ARCH variable, and use that for paths to shim. This
38 makes it possible to build a shim for other architectures than amd64.
39 - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed
40 in the "right" final directories, and makes boot.csv for us.
41 - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
42 at compile-time for MokManager and fallback.
43 - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
45 * debian/patches/second-stage-path: dropped; the default loader path now
46 includes an arch suffix.
47 * debian/patches/sbsigntool-no-pesign: dropped; no longer needed..
48 * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped,
50 * debian/shim.install: update paths in light of using shim's upstream install
52 * debian/rules, debian/shim.install: make sure the 'make install' step does
53 what it's meant to do by upstream: we can easily make use of the end result
54 to have the files we need.
56 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Fri, 29 Sep 2017 15:11:28 -0400
58 shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium
61 * Merge (not yet NEW cleared) changes from Debian branch.
63 [ Mathieu Trudel-Lapierre ]
64 * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard
65 against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu
66 for the patch. This will fix issues updating MokSBStateRT if the variable
67 already exists with different attributes. (LP: #1644806)
69 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 01 Dec 2016 16:55:50 -0500
71 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
74 * Initial Debian upload. Closes: #820052.
75 * Update Standards-Version.
76 * Embed the newly-minted Debian CA certificate.
77 * Vendorize debian/rules so that the same package can be used in both
78 Debian and Ubuntu without modification.
79 * Fix debian/copyright to match the spec (last match wins, not first)
80 * Fix shim.efi to not be executable.
82 * Support parallel builds, because eh why not
84 * Resync with Ubuntu, including patch to fix debian/copyright.
87 * Add some missing copyright holders in d/copyright, update
88 Upstream-Contact. Thanks to Helen Koike for the help.
90 -- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
92 shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium
95 * debian/copyright: add OpenSSL license
97 [ Mathieu Trudel-Lapierre ]
98 * New upstream release. (LP: #1624096)
99 * debian/copyright: patches should be BSD, like the rest of the upstream
101 * debian/patches/unused-variable: dropped; applied upstream.
102 * debian/patches/binutils-version-matching: dropped, fixed upstream.
103 * debian/shim.install: built EFI binaries were renamed; update our install
104 file to properly pick up shim (shim$arch), MokManager (mm$arch), and
107 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Thu, 22 Sep 2016 15:02:20 -0400
109 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
111 * New upstream release.
112 - Better handle LoadOptions. (LP: #1581299)
113 - Measure state and second stage in TPM.
114 - Mirror MokSBState in runtime as MokSBStateRT.
115 - Fix failure to build with GCC 5. (LP: #1429978)
116 - Various bug fixes and other improvements.
120 + sbsigntool-not-pesign
121 * debian/patches/unused-variable: remove unused variable size.
122 * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
123 match objcopy's version on Ubuntu.
124 * debian/copyright: update copyright for patches.
126 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
128 shim (0.8-0ubuntu2) wily; urgency=medium
130 * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
132 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
134 shim (0.8-0ubuntu1) wily; urgency=medium
136 * New upstream release.
137 - Clarify meaning of insecure_mode. (LP: #1384973)
138 * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
139 debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
140 in the upstream release.
141 * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
144 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
146 shim (0.7-0ubuntu4) utopic; urgency=medium
148 * SECURITY UPDATE: heap overflow and out-of-bounds read access when
149 parsing DHCPv6 information
150 - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
151 when parsing data provided in DHCPv6 packets.
154 * SECURITY UPDATE: memory corruption when processing user-provided key
156 - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
157 key (MOK) lists and ignore them, avoiding possible memory corruption.
160 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
162 shim (0.7-0ubuntu2) utopic; urgency=medium
164 * Restore debian/patches/prototypes, which still is needed on shim 0.7
165 but only detected on the buildds.
166 * Update debian/patches/prototypes with some new declarations needed for
167 openssl 0.9.8za update.
169 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
171 shim (0.7-0ubuntu1) utopic; urgency=medium
173 * New upstream release.
174 - fix spurious error message when fallback.efi is not present, as will
175 always be the case for removable media. LP: #1297069.
176 - drop most patches, included upstream.
177 * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
178 openssl 0.9.8za in via upstream.
180 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
182 shim (0.4-0ubuntu5) utopic; urgency=low
184 * Install fallback.efi.signed as well, to lay the groundwork for fallback
185 handling (wanted when we have to move a drive between machines, or when
186 the firmware loses its marbles^W nvram).
188 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
190 shim (0.4-0ubuntu4) saucy; urgency=low
192 * debian/patches/fix-tftp-prototype: pass the right arguments to
193 EFI_PXE_BASE_CODE_TFTP_READ_FILE.
194 * debian/patches/build-with-Werror: Build with -Werror to catch future
195 prototype mismatches.
196 * debian/patches/fix-compiler-warnings: Fix remaining compiler
197 warnings in netboot.c.
198 * debian/patches/tftp-proper-nul-termination: fix nul termination
199 errors in filenames passed to tftp.
200 * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
203 -- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
205 shim (0.4-0ubuntu3) saucy; urgency=low
208 * Install MokManager.efi.signed in the package.
209 * debian/patches/no-output-by-default.patch: Don't print any
210 informational messages. Closes LP: #1074302.
213 * debian/patches/no-print-on-unsigned: Don't print an error message when
214 validating an unsigned binary as that tends to hang Lenovo machines.
217 -- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
219 shim (0.4-0ubuntu2) saucy; urgency=low
221 * Add missing build-dependency on openssl.
223 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
225 shim (0.4-0ubuntu1) saucy; urgency=low
227 * New upstream release.
228 * Drop debian/patches/shim-before-loadimage; upstream has changed this to
229 not call loadimage at all.
230 * debian/patches/sbsigntool-not-pesign: Sign MokManager with
231 sbsigntool instead of pesign.
232 * Add a versioned build-dependency on gnu-efi.
234 -- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
236 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
238 * debian/patches/shim-before-loadimage: Use direct verification first
239 before LoadImage. Addresses an issue where Lenovo's SecureBoot
240 implementation pops an error message on any verification failure - avoid
241 calling LoadImage at all unless we have to.
243 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
245 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
247 * debian/patches/second-stage-path: Chainload grubx64.efi, not
250 -- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
252 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
254 * debian/patches/prototypes: Include missing prototypes, and disable
256 * Only build the package for amd64; we're not signing an i386 shim at this
257 stage so there's no point in building it.
259 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
261 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
264 * Include the Canonical Secure Boot master CA.
266 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700