debian/changelog

   1 shim (15+1533136590.3beb971-1) unstable; urgency=medium
   2
   3   * New upstream release.
   4     - debian/patches/second-stage-path: dropped; the default loader path now
   5       includes an arch suffix.
   6     - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
   7   * Drop remaining patches that were not being applied.
   8   * Sync packaging from Ubuntu:
   9     - debian/copyright: Update upstream source location.
  10     - debian/control: add a Build-Depends on libelf-dev.
  11     - Enable arm64 build.
  12     - debian/patches/fixup_git.patch: don't run git in clean; we're not
  13       really in a git tree.
  14     - debian/rules, debian/shim.install: use the upstream install target as
  15       intended, and move files to the target directory using dh_install.
  16     - define RELEASE and COMMIT_ID for the snapshot.
  17     - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
  18     - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
  19       options: set MAKELEVEL.
  20     - Define an EFI_ARCH variable, and use that for paths to shim. This
  21       makes it possible to build a shim for other architectures than amd64.
  22     - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
  23       in the "right" final directories, and makes boot.csv for us.
  24     - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
  25       at compile-time for MokManager and fallback.
  26     - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
  27       and MokManager.
  28
  29  -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000
  30
  31 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
  32
  33   [ Steve Langasek ]
  34   * Initial Debian upload.  Closes: #820052.
  35   * Update Standards-Version.
  36   * Embed the newly-minted Debian CA certificate.
  37   * Vendorize debian/rules so that the same package can be used in both
  38     Debian and Ubuntu without modification.
  39   * Fix debian/copyright to match the spec (last match wins, not first)
  40   * Fix shim.efi to not be executable.
  41   * Add watchfile.
  42   * Support parallel builds, because eh why not
  43   * Update Vcs-Bzr.
  44   * Resync with Ubuntu, including patch to fix debian/copyright.
  45
  46   [ Julien Cristau ]
  47   * Add some missing copyright holders in d/copyright, update
  48     Upstream-Contact.  Thanks to Helen Koike for the help.
  49
  50  -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200
  51
  52 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
  53
  54   [ Helen Koike ]
  55   * debian/copyright: add OpenSSL license
  56
  57   [ Mathieu Trudel-Lapierre ]
  58   * New upstream release.
  59   * debian/copyright: patches should be BSD, like the rest of the upstream
  60     code.
  61   * debian/patches/unused-variable: dropped; applied upstream.
  62   * debian/patches/binutils-version-matching: dropped, fixed upstream.
  63   * debian/shim.install: built EFI binaries were renamed; update our install
  64     file to properly pick up shim (shim$arch), MokManager (mm$arch), and
  65     fallback (fb$arch).
  66
  67  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400
  68
  69 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
  70
  71   * New upstream release.
  72     - Better handle LoadOptions. (LP: #1581299)
  73     - Measure state and second stage in TPM.
  74     - Mirror MokSBState in runtime as MokSBStateRT.
  75     - Fix failure to build with GCC 5. (LP: #1429978)
  76     - Various bug fixes and other improvements.
  77   * Refreshed patches.
  78     - Remaining patches:
  79       + second-stage-path
  80       + sbsigntool-not-pesign
  81   * debian/patches/unused-variable: remove unused variable size.
  82   * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
  83     match objcopy's version on Ubuntu.
  84   * debian/copyright: update copyright for patches.
  85
  86  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400
  87
  88 shim (0.8-0ubuntu2) wily; urgency=medium
  89
  90   * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
  91
  92  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000
  93
  94 shim (0.8-0ubuntu1) wily; urgency=medium
  95
  96   * New upstream release.
  97     - Clarify meaning of insecure_mode. (LP: #1384973)
  98   * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
  99     debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
 100     in the upstream release.
 101   * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
 102     refreshed.
 103
 104  -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400
 105
 106 shim (0.7-0ubuntu4) utopic; urgency=medium
 107
 108   * SECURITY UPDATE: heap overflow and out-of-bounds read access when
 109     parsing DHCPv6 information
 110     - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
 111       when parsing data provided in DHCPv6 packets.
 112     - CVE-2014-3675
 113     - CVE-2014-3676
 114   * SECURITY UPDATE: memory corruption when processing user-provided key
 115     lists
 116     - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
 117       key (MOK) lists and ignore them, avoiding possible memory corruption.
 118     - CVE-2014-3677
 119
 120  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000
 121
 122 shim (0.7-0ubuntu2) utopic; urgency=medium
 123
 124   * Restore debian/patches/prototypes, which still is needed on shim 0.7
 125     but only detected on the buildds.
 126   * Update debian/patches/prototypes with some new declarations needed for
 127     openssl 0.9.8za update.
 128
 129  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700
 130
 131 shim (0.7-0ubuntu1) utopic; urgency=medium
 132
 133   * New upstream release.
 134     - fix spurious error message when fallback.efi is not present, as will
 135       always be the case for removable media.  LP: #1297069.
 136     - drop most patches, included upstream.
 137   * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
 138     openssl 0.9.8za in via upstream.
 139
 140  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000
 141
 142 shim (0.4-0ubuntu5) utopic; urgency=low
 143
 144   * Install fallback.efi.signed as well, to lay the groundwork for fallback
 145     handling (wanted when we have to move a drive between machines, or when
 146     the firmware loses its marbles^W nvram).
 147
 148  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200
 149
 150 shim (0.4-0ubuntu4) saucy; urgency=low
 151
 152   * debian/patches/fix-tftp-prototype: pass the right arguments to
 153     EFI_PXE_BASE_CODE_TFTP_READ_FILE.
 154   * debian/patches/build-with-Werror: Build with -Werror to catch future
 155     prototype mismatches.
 156   * debian/patches/fix-compiler-warnings: Fix remaining compiler
 157     warnings in netboot.c.
 158   * debian/patches/tftp-proper-nul-termination: fix nul termination
 159     errors in filenames passed to tftp.
 160   * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
 161     the netboot code.
 162
 163  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700
 164
 165 shim (0.4-0ubuntu3) saucy; urgency=low
 166
 167   [ Steve Langasek ]
 168   * Install MokManager.efi.signed in the package.
 169   * debian/patches/no-output-by-default.patch: Don't print any
 170     informational messages.  Closes LP: #1074302.
 171
 172   [ Stéphane Graber ]
 173   * debian/patches/no-print-on-unsigned: Don't print an error message when
 174     validating an unsigned binary as that tends to hang Lenovo machines.
 175     (LP: #1087501)
 176
 177  -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200
 178
 179 shim (0.4-0ubuntu2) saucy; urgency=low
 180
 181   * Add missing build-dependency on openssl.
 182
 183  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000
 184
 185 shim (0.4-0ubuntu1) saucy; urgency=low
 186
 187   * New upstream release.
 188   * Drop debian/patches/shim-before-loadimage; upstream has changed this to
 189     not call loadimage at all.
 190   * debian/patches/sbsigntool-not-pesign: Sign MokManager with
 191     sbsigntool instead of pesign.
 192   * Add a versioned build-dependency on gnu-efi.
 193
 194  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700
 195
 196 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
 197
 198   * debian/patches/shim-before-loadimage: Use direct verification first
 199     before LoadImage.  Addresses an issue where Lenovo's SecureBoot
 200     implementation pops an error message on any verification failure - avoid
 201     calling LoadImage at all unless we have to.
 202
 203  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700
 204
 205 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
 206
 207   * debian/patches/second-stage-path: Chainload grubx64.efi, not
 208     grub.efi.
 209
 210  -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700
 211
 212 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
 213
 214   * debian/patches/prototypes: Include missing prototypes, and disable
 215     use of BIO_new_file.
 216   * Only build the package for amd64; we're not signing an i386 shim at this
 217     stage so there's no point in building it.
 218
 219  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000
 220
 221 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
 222
 223   * Initial release.
 224   * Include the Canonical Secure Boot master CA.
 225
 226  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700