git.proxmox.com Git - efi-boot-shim.git/blob - debian/changelog
shim (15+1613861442.888f5b5-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Switch to much-newer upstream code point with many fixes
    + Particularly pulling in SBAT changes for better revocation support
    + Remove all our old patches, no longer needed:
      - avoid_null_vsprint.patch
      - check_null_sn_ln.patch
      - fixup_git.patch
      - uname.patch
      - use_compare_mem_gcc9.patch
    + Includes a vendor copy of gnu-efi for now, packaged as an extra
      tarball.
      - Added an extra rule to generate the extra tarball. Thanks to
        Dmitri John Ledkov for help.
  * Switch to using gcc-10 rather than gcc-9. Closes: #978521
  * Add dbx entries for all our existing grub binaries
    + They're insecure, let's break the chainloading hole.
  * Add Debian SBAT data
    + Add a Debian SBAT template, and rules to use it
    + Adds a build-dep on dos2unix

 -- Steve McIntyre <93sam@debian.org>  Sun, 21 Feb 2021 13:50:16 +0100

shim (15+1533136590.3beb971-10) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Use secure copyright file specification URI.
  * debian/copyright: use spaces rather than tabs to start continuation
    lines.
  * Bump debhelper from old 11 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit.
  * Update standards version to 4.4.1, no changes needed.

  [ Steve McIntyre ]
  * Trivial changes to generating the inbuilt dbx if we're using it.
  * Upload to pick up rotated Debian signing keys

 -- Steve McIntyre <93sam@debian.org>  Fri, 24 Jul 2020 01:22:46 +0100

shim (15+1533136590.3beb971-9) unstable; urgency=medium

  [ Steve McIntyre ]
  * In the -helpers-ARCH-signed packages, change the version
    dependency on shim-unsigned to be >= and not =. This will allow
    for installation to still work in the window while we wait for the
    template package to do its second trip through the
    archive. Closes: #955356

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Mar 2020 15:19:08 +0100

shim (15+1533136590.3beb971-8) unstable; urgency=medium

  [ Steve McIntyre ]
  * Use --padding when calling pesign to generate hashes for the dbx
    list, as recommended by Peter Jones. No actual changes needed in
    our list of hashes at this point - they work out the same either
    way.
  * Switch to using gcc-9 for builds, tweaking a patch from upstream
    to fix a FTBFS. Closes: #925816
  * Update debhelper compat level to 11 for shim and the
    signing-template

 -- Steve McIntyre <93sam@debian.org>  Tue, 24 Mar 2020 16:51:10 +0000

shim (15+1533136590.3beb971-7) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * debian/control: Update Vcs-* fields

  [ Steve McIntyre ]
  * Backport needed crash fixes:
    + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
    + Fix OBJ_create() to tolerate a NULL sn and ln
  * Build using gcc-7 to get better control of reproducibility during the
    lifetime of Buster.
  * Build in a dbx list to blacklist binaries that we know to not be
    secure. Build-depend on a new (bug-fixed) version of pesign to
    generate that list at build time, using a list of known bad hashes.
  * Initial list of known bad hashes is just my personal test binary.

 -- Steve McIntyre <93sam@debian.org>  Wed, 08 May 2019 02:05:01 +0100

shim (15+1533136590.3beb971-6) unstable; urgency=medium

  [ Steve McIntyre ]
  * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
    clashes with the old shim-signed package for fbx64.efi.signed and
    mmx64.efi.signed. Closes: #924619

  [ Helmut Grohne ]
  * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)

 -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000

shim (15+1533136590.3beb971-5) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * Correct maintainer address in signing template

  [ Steve McIntyre ]
  * Remove Rules-Requires-Root in the signing template. We manually install
    things owned by root. There might be better ways to do this, but this
    will do for now.

 -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000

shim (15+1533136590.3beb971-4) unstable; urgency=medium

  [ Steve McIntyre ]
  * No-change sourceful upload to get rebuilds (and hence build logs) from
    the buildds. Hoping to get this version signed by Microsoft, so let's
    make our setup as clean as possible.

 -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000

shim (15+1533136590.3beb971-3) unstable; urgency=medium

  [ Philipp Hahn ]
  * debian/rules: fixing permissions no longer required
  * debian/rules: Disable ephemeral key on Debian.
  * Rename binary package to 'shim-unsigned'
  * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)

  [ Luca Boccassi ]
  * Override lintian error about template rules file.
  * Include /usr/share/dpkg/architecture.mk instead of shelling out.
  * Add uname.patch to avoid embedding the kernel architecture in the
    binary and to use a fixed string instead.

  [ Steve McIntyre ]
  * Change maintenance address to be the EFI team
  * Add me and vorlon to the Uploaders list
  * Rename the helper binary packages to shim-helpers-$arch.
  * Update the signing-template JSON metadata to match new practice:
    + Move all the data under a new top-level "packages" key
    + Add an empty "trusted_certs" key - the helper binaries do not do any
      further verification with an embedded key.

 -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000

shim (15+1533136590.3beb971-2) unstable; urgency=medium

  * Update debian/watch.
  * Update VCS to point to salsa.
  * Fix debian/rules syntax for arm64 build.
  * Enable build for i386.
  * Ensure DEB_HOST_ARCH is set even if not present in the environment.
  * Update Standards-Version.
  * Update debian/copyright (drop reference to file no longer in source)

 -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000

shim (15+1533136590.3beb971-1) unstable; urgency=medium

  * New upstream release.
    - debian/patches/second-stage-path: dropped; the default loader path now
      includes an arch suffix.
    - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
  * Drop remaining patches that were not being applied.
  * Sync packaging from Ubuntu:
    - debian/copyright: Update upstream source location.
    - debian/control: add a Build-Depends on libelf-dev.
    - Enable arm64 build.
    - debian/patches/fixup_git.patch: don't run git in clean; we're not
      really in a git tree.
    - debian/rules, debian/shim.install: use the upstream install target as
      intended, and move files to the target directory using dh_install.
    - define RELEASE and COMMIT_ID for the snapshot.
    - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
    - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
      options: set MAKELEVEL.
    - Define an EFI_ARCH variable, and use that for paths to shim. This
      makes it possible to build a shim for other architectures than amd64.
    - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
      in the "right" final directories, and makes boot.csv for us.
    - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
      at compile-time for MokManager and fallback.
    - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
      and MokManager.

 -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000

shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium

  [ Steve Langasek ]
  * Initial Debian upload. Closes: #820052.
  * Update Standards-Version.
  * Embed the newly-minted Debian CA certificate.
  * Vendorize debian/rules so that the same package can be used in both
    Debian and Ubuntu without modification.
  * Fix debian/copyright to match the spec (last match wins, not first)
  * Fix shim.efi to not be executable.
  * Add watchfile.
  * Support parallel builds, because eh why not
  * Update Vcs-Bzr.
  * Resync with Ubuntu, including patch to fix debian/copyright.

  [ Julien Cristau ]
  * Add some missing copyright holders in d/copyright, update
    Upstream-Contact. Thanks to Helen Koike for the help.

 -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200

shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium

  [ Helen Koike ]
  * debian/copyright: add OpenSSL license

  [ Mathieu Trudel-Lapierre ]
  * New upstream release.
  * debian/copyright: patches should be BSD, like the rest of the upstream
    code.
  * debian/patches/unused-variable: dropped; applied upstream.
  * debian/patches/binutils-version-matching: dropped, fixed upstream.
  * debian/shim.install: built EFI binaries were renamed; update our install
    file to properly pick up shim (shim$arch), MokManager (mm$arch), and
    fallback (fb$arch).

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400

shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
  * Refreshed patches.
    - Remaining patches:
      + second-stage-path
      + sbsigntool-not-pesign
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400

shim (0.8-0ubuntu2) wily; urgency=medium

  * No-change rebuild against gnu-efi 3.0v-5ubuntu1.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000

shim (0.8-0ubuntu1) wily; urgency=medium

  * New upstream release.
    - Clarify meaning of insecure_mode. (LP: #1384973)
  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
    in the upstream release.
  * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
    refreshed.

 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400

shim (0.7-0ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
    parsing DHCPv6 information
    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
      when parsing data provided in DHCPv6 packets.
    - CVE-2014-3675
    - CVE-2014-3676
  * SECURITY UPDATE: memory corruption when processing user-provided key
    lists
    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
      key (MOK) lists and ignore them, avoiding possible memory corruption.
    - CVE-2014-3677

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000

shim (0.7-0ubuntu2) utopic; urgency=medium

  * Restore debian/patches/prototypes, which still is needed on shim 0.7
    but only detected on the buildds.
  * Update debian/patches/prototypes with some new declarations needed for
    openssl 0.9.8za update.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700

shim (0.7-0ubuntu1) utopic; urgency=medium

  * New upstream release.
    - fix spurious error message when fallback.efi is not present, as will
      always be the case for removable media. LP: #1297069.
    - drop most patches, included upstream.
  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
    openssl 0.9.8za in via upstream.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000

shim (0.4-0ubuntu5) utopic; urgency=low

  * Install fallback.efi.signed as well, to lay the groundwork for fallback
    handling (wanted when we have to move a drive between machines, or when
    the firmware loses its marbles^W nvram).

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200

shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler
    warnings in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix nul termination
    errors in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
    the netboot code.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700

shim (0.4-0ubuntu3) saucy; urgency=low

  [ Steve Langasek ]
  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages. Closes LP: #1074302.

  [ Stéphane Graber ]
  * debian/patches/no-print-on-unsigned: Don't print an error message when
    validating an unsigned binary as that tends to hang Lenovo machines.
    (LP: #1087501)

 -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
    not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
    sbsigntool instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage. Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure - avoid
    calling LoadImage at all unless we have to.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700

shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low

  * debian/patches/second-stage-path: Chainload grubx64.efi, not
    grub.efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700

shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low

  * debian/patches/prototypes: Include missing prototypes, and disable
    use of BIO_new_file.
  * Only build the package for amd64; we're not signing an i386 shim at this
    stage so there's no point in building it.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000

shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low

  * Initial release.
  * Include the Canonical Secure Boot master CA.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700
379 * Include the Canonical Secure Boot master CA.
380
381 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700