debian/changelog

   1 shim (15+1533136590.3beb971-7) unstable; urgency=medium
   2
   3   [ Ansgar Burchardt ]
   4   * debian/control: Update Vcs-* fields
   5
   6   [ Steve McIntyre ]
   7   * Backport needed crash fixes:
   8     + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
   9     + Fix OBJ_create() to tolerate a NULL sn and ln
  10   * Build using gcc-7 to get better control of reproducibility during the
  11     lifetime of Buster.
  12   * Build in a dbx list to blacklist binaries that we know to not be
  13     secure. Build-depend on a new (bug-fixed) version of pesign to
  14     generate that list at build time, using a list of known bad hashes.
  15   * Initial list of known bad hashes is just my personal test binary.
  16
  17  -- Steve McIntyre <93sam@debian.org>  Wed, 08 May 2019 02:05:01 +0100
  18
  19 shim (15+1533136590.3beb971-6) unstable; urgency=medium
  20
  21   [ Steve McIntyre ]
  22   * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
  23     clashes with the old shim-signed package for fbx64.efi.signed and
  24     mmx64.efi.signed. Closes: #924619
  25
  26   [ Helmut Grohne ]
  27   * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
  28
  29  -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000
  30
  31 shim (15+1533136590.3beb971-5) unstable; urgency=medium
  32
  33   [ Ansgar Burchardt ]
  34   * Correct maintainer address in signing template
  35
  36   [ Steve McIntyre ]
  37   * Remove Rules-Requires-Root in the signing template. We manually install
  38     things owned by root. There might be better ways to do this, but this
  39     will do for now.
  40
  41  -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000
  42
  43 shim (15+1533136590.3beb971-4) unstable; urgency=medium
  44
  45   [ Steve McIntyre ]
  46   * No-change sourceful upload to get rebuilds (and hence build logs) from
  47     the buildds. Hoping to get this version signed by Microsoft, so let's
  48     make our setup as clean as possible.
  49
  50  -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000
  51
  52 shim (15+1533136590.3beb971-3) unstable; urgency=medium
  53
  54   [ Philipp Hahn ]
  55   * debian/rules: fixing permissions no longer required
  56   * debian/rules: Disable ephemeral key on Debian.
  57   * Rename binary package to 'shim-unsigned'
  58   * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
  59
  60   [ Luca Boccassi ]
  61   * Override lintian error about template rules file.
  62   * Include /usr/share/dpkg/architecture.mk instead of shelling out.
  63   * Add uname.patch to avoid embedding the kernel architecture in the
  64     binary and to use a fixed string instead.
  65
  66   [ Steve McIntyre ]
  67   * Change maintenance address to be the EFI team
  68   * Add me and vorlon to the Uploaders list
  69   * Rename the helper binary packages to shim-helpers-$arch.
  70   * Update the signing-template JSON metadata to match new practice:
  71     + Move all the data under a new top-level "packages" key
  72     + Add an empty "trusted_certs" key - the helper binaries do not do any
  73       further verification with an embedded key.
  74
  75  -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000
  76
  77 shim (15+1533136590.3beb971-2) unstable; urgency=medium
  78
  79   * Update debian/watch.
  80   * Update VCS to point to salsa.
  81   * Fix debian/rules syntax for arm64 build.
  82   * Enable build for i386.
  83   * Ensure DEB_HOST_ARCH is set even if not present in the environment.
  84   * Update Standards-Version.
  85   * Update debian/copyright (drop reference to file no longer in source)
  86
  87  -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000
  88
  89 shim (15+1533136590.3beb971-1) unstable; urgency=medium
  90
  91   * New upstream release.
  92     - debian/patches/second-stage-path: dropped; the default loader path now
  93       includes an arch suffix.
  94     - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
  95   * Drop remaining patches that were not being applied.
  96   * Sync packaging from Ubuntu:
  97     - debian/copyright: Update upstream source location.
  98     - debian/control: add a Build-Depends on libelf-dev.
  99     - Enable arm64 build.
 100     - debian/patches/fixup_git.patch: don't run git in clean; we're not
 101       really in a git tree.
 102     - debian/rules, debian/shim.install: use the upstream install target as
 103       intended, and move files to the target directory using dh_install.
 104     - define RELEASE and COMMIT_ID for the snapshot.
 105     - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
 106     - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
 107       options: set MAKELEVEL.
 108     - Define an EFI_ARCH variable, and use that for paths to shim. This
 109       makes it possible to build a shim for other architectures than amd64.
 110     - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
 111       in the "right" final directories, and makes boot.csv for us.
 112     - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
 113       at compile-time for MokManager and fallback.
 114     - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
 115       and MokManager.
 116
 117  -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000
 118
 119 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
 120
 121   [ Steve Langasek ]
 122   * Initial Debian upload.  Closes: #820052.
 123   * Update Standards-Version.
 124   * Embed the newly-minted Debian CA certificate.
 125   * Vendorize debian/rules so that the same package can be used in both
 126     Debian and Ubuntu without modification.
 127   * Fix debian/copyright to match the spec (last match wins, not first)
 128   * Fix shim.efi to not be executable.
 129   * Add watchfile.
 130   * Support parallel builds, because eh why not
 131   * Update Vcs-Bzr.
 132   * Resync with Ubuntu, including patch to fix debian/copyright.
 133
 134   [ Julien Cristau ]
 135   * Add some missing copyright holders in d/copyright, update
 136     Upstream-Contact.  Thanks to Helen Koike for the help.
 137
 138  -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200
 139
 140 shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
 141
 142   [ Helen Koike ]
 143   * debian/copyright: add OpenSSL license
 144
 145   [ Mathieu Trudel-Lapierre ]
 146   * New upstream release.
 147   * debian/copyright: patches should be BSD, like the rest of the upstream
 148     code.
 149   * debian/patches/unused-variable: dropped; applied upstream.
 150   * debian/patches/binutils-version-matching: dropped, fixed upstream.
 151   * debian/shim.install: built EFI binaries were renamed; update our install
 152     file to properly pick up shim (shim$arch), MokManager (mm$arch), and
 153     fallback (fb$arch).
 154
 155  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400
 156
 157 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
 158
 159   * New upstream release.
 160     - Better handle LoadOptions. (LP: #1581299)
 161     - Measure state and second stage in TPM.
 162     - Mirror MokSBState in runtime as MokSBStateRT.
 163     - Fix failure to build with GCC 5. (LP: #1429978)
 164     - Various bug fixes and other improvements.
 165   * Refreshed patches.
 166     - Remaining patches:
 167       + second-stage-path
 168       + sbsigntool-not-pesign
 169   * debian/patches/unused-variable: remove unused variable size.
 170   * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
 171     match objcopy's version on Ubuntu.
 172   * debian/copyright: update copyright for patches.
 173
 174  -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400
 175
 176 shim (0.8-0ubuntu2) wily; urgency=medium
 177
 178   * No-change rebuild against gnu-efi 3.0v-5ubuntu1.
 179
 180  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000
 181
 182 shim (0.8-0ubuntu1) wily; urgency=medium
 183
 184   * New upstream release.
 185     - Clarify meaning of insecure_mode. (LP: #1384973)
 186   * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
 187     debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
 188     in the upstream release.
 189   * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
 190     refreshed.
 191
 192  -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400
 193
 194 shim (0.7-0ubuntu4) utopic; urgency=medium
 195
 196   * SECURITY UPDATE: heap overflow and out-of-bounds read access when
 197     parsing DHCPv6 information
 198     - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
 199       when parsing data provided in DHCPv6 packets.
 200     - CVE-2014-3675
 201     - CVE-2014-3676
 202   * SECURITY UPDATE: memory corruption when processing user-provided key
 203     lists
 204     - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
 205       key (MOK) lists and ignore them, avoiding possible memory corruption.
 206     - CVE-2014-3677
 207
 208  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000
 209
 210 shim (0.7-0ubuntu2) utopic; urgency=medium
 211
 212   * Restore debian/patches/prototypes, which still is needed on shim 0.7
 213     but only detected on the buildds.
 214   * Update debian/patches/prototypes with some new declarations needed for
 215     openssl 0.9.8za update.
 216
 217  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700
 218
 219 shim (0.7-0ubuntu1) utopic; urgency=medium
 220
 221   * New upstream release.
 222     - fix spurious error message when fallback.efi is not present, as will
 223       always be the case for removable media.  LP: #1297069.
 224     - drop most patches, included upstream.
 225   * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
 226     openssl 0.9.8za in via upstream.
 227
 228  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000
 229
 230 shim (0.4-0ubuntu5) utopic; urgency=low
 231
 232   * Install fallback.efi.signed as well, to lay the groundwork for fallback
 233     handling (wanted when we have to move a drive between machines, or when
 234     the firmware loses its marbles^W nvram).
 235
 236  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200
 237
 238 shim (0.4-0ubuntu4) saucy; urgency=low
 239
 240   * debian/patches/fix-tftp-prototype: pass the right arguments to
 241     EFI_PXE_BASE_CODE_TFTP_READ_FILE.
 242   * debian/patches/build-with-Werror: Build with -Werror to catch future
 243     prototype mismatches.
 244   * debian/patches/fix-compiler-warnings: Fix remaining compiler
 245     warnings in netboot.c.
 246   * debian/patches/tftp-proper-nul-termination: fix nul termination
 247     errors in filenames passed to tftp.
 248   * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
 249     the netboot code.
 250
 251  -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700
 252
 253 shim (0.4-0ubuntu3) saucy; urgency=low
 254
 255   [ Steve Langasek ]
 256   * Install MokManager.efi.signed in the package.
 257   * debian/patches/no-output-by-default.patch: Don't print any
 258     informational messages.  Closes LP: #1074302.
 259
 260   [ Stéphane Graber ]
 261   * debian/patches/no-print-on-unsigned: Don't print an error message when
 262     validating an unsigned binary as that tends to hang Lenovo machines.
 263     (LP: #1087501)
 264
 265  -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200
 266
 267 shim (0.4-0ubuntu2) saucy; urgency=low
 268
 269   * Add missing build-dependency on openssl.
 270
 271  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000
 272
 273 shim (0.4-0ubuntu1) saucy; urgency=low
 274
 275   * New upstream release.
 276   * Drop debian/patches/shim-before-loadimage; upstream has changed this to
 277     not call loadimage at all.
 278   * debian/patches/sbsigntool-not-pesign: Sign MokManager with
 279     sbsigntool instead of pesign.
 280   * Add a versioned build-dependency on gnu-efi.
 281
 282  -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700
 283
 284 shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
 285
 286   * debian/patches/shim-before-loadimage: Use direct verification first
 287     before LoadImage.  Addresses an issue where Lenovo's SecureBoot
 288     implementation pops an error message on any verification failure - avoid
 289     calling LoadImage at all unless we have to.
 290
 291  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700
 292
 293 shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
 294
 295   * debian/patches/second-stage-path: Chainload grubx64.efi, not
 296     grub.efi.
 297
 298  -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700
 299
 300 shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
 301
 302   * debian/patches/prototypes: Include missing prototypes, and disable
 303     use of BIO_new_file.
 304   * Only build the package for amd64; we're not signing an i386 shim at this
 305     stage so there's no point in building it.
 306
 307  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000
 308
 309 shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
 310
 311   * Initial release.
 312   * Include the Canonical Secure Boot master CA.
 313
 314  -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700