path: root/debian/changelog

shim (16.0-1+vyos1) UNRELEASED; urgency=medium

  * Add VyOS's CA alongside Debian's.

 -- Christian Breunig <christian@breunig.cc>  Wed, 02 Jul 2025 22:34:39 +0200

shim (15.8-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Cope with changes in pesign packaging. Closes: #1057606
  * New upstream release fixing more bugs. Closes: #1061519, #1064220
    + CVE-2023-40546 mok: fix LogError() invocation (Closes: #1054210)
    + CVE-2023-40547 - avoid incorrectly trusting HTTP headers
    + CVE-2023-40548 Fix integer overflow on SBAT section size on
      32-bit system
    + CVE-2023-40549 Authenticode: verify that the signature header is
      in bounds.
    + CVE-2023-40550 pe: Fix an out-of-bound read in
      verify_buffer_sbat()
    + CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
  * Remove all our previous patches, no longer needed:
    + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
      upstream)
    + Enable-NX.patch (we don't want NX just yet until the whole boot
      stack is NX-capable)
    + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
      is 4)
  * Cherry-pick 2 new patches from upstream for grub revocations:
    + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
    + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
  * NOTE: Stop building for i386
    + Debian kernels are no longer signed for i386, it's time to stop
      supporting i386 SB.
  * Log if the build is nx-compatible or not
  * Force shim to use the latest revocations by default to block some
    older grub / peimage issues. This is:
    "shim,4\ngrub,4\ngrub.peimage,2\n"
  * Install a copy of the Debian CA certificate into /usr/share/shim.
    Closes: #1069054
  * Clean up better after build. Closes: #1046268

  [ Bastien Roucariès ]
  * Port autopkgtest from ubuntu
  * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
    shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
  * Fix debian/watch and check signature (Closes: #1043485)

 -- Steve McIntyre <93sam@debian.org>  Sat, 04 May 2024 23:29:52 +0100

shim (15.7-1) unstable; urgency=medium

  * New upstream release fixing more bugs
  * Add further patches from upstream:
    + Make sbat_var.S parse right with buggy gcc/binutils
    + Enable NX support at build time, as required by policy for signing
      new shim binaries.
  * Switch to using gcc-12. Closes: #1022180
  * Update to Standards-Version 4.6.2 (no changes needed)
  * Block Debian grub binaries with sbat < 4 (see #1024617)

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Jan 2023 18:11:23 +0000

shim (15.6-1) unstable; urgency=medium

  * New upstream release fixing more bugs
    + Remove all our old patches, all now upstream:
      - fix-32b-format-strings.patch
      - fix-test-includes.patch

 -- Steve McIntyre <93sam@debian.org>  Thu, 21 Jul 2022 14:04:01 +0200

shim (15.5-1) UNRELEASED; urgency=medium

  * New upstream release fixing more bugs
    + Remove all our old patches, all now upstream:
      - Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
      - MOK-BootServicesData.patch
      -	fix-broken-ia32-reloc.patch
      -	fix-import_one_mok_state.patch
      - fix_arm64_rela_sections.patch
      - relax_check_for_import_mok_state.patch
  * Fix format strings for 32-bit builds
  * Tweak setup for dh_auto_test so the tests work
  * Add new build-dep on libefivar-dev for tests

 -- Steve McIntyre <93sam@debian.org>  Wed, 27 Apr 2022 22:50:08 +0100

shim (15.4-7) unstable; urgency=high

  * Tweak how we call grub-install; don't abort on error. Not ideal
    behaviour either, but don't break upgrades. Copy the behaviour
    from the grub packages here. Closes: #990966

 -- Steve McIntyre <93sam@debian.org>  Mon, 12 Jul 2021 08:53:54 +0100

shim (15.4-6) unstable; urgency=high

  * Add arm64 patch to tweak section layout and stop crashing
    problems. Upstream issue #371. Closes: #990082, #990190
  * In insecure mode, don't abort if we can't create the MokListXRT
    variable. Upstream issue #372. Closes: #989962, #990158

 -- Steve McIntyre <93sam@debian.org>  Wed, 23 Jun 2021 19:03:54 +0100

shim (15.4-5) unstable; urgency=medium

  * Add defensive code around calls to db_get. Don't fail if they
    return errors.

 -- Steve McIntyre <93sam@debian.org>  Thu, 06 May 2021 00:37:49 +0100

shim (15.4-4) unstable; urgency=medium

  * Fix up those maintainer scripts - if we're not running on an EFI
    system then exit cleanly.

 -- Steve McIntyre <93sam@debian.org>  Tue, 04 May 2021 17:53:21 +0100

shim (15.4-3) unstable; urgency=medium

  * Add maintainer scripts to the template packages to manage
    installing and removing fbXXX.efi and mmXXX.efi when we
    install/remove the shim-helpers-$arch-signed packages.
    Closes: #966845

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 20:48:49 +0100

shim (15.4-2) unstable; urgency=medium

  * Add two further patches from upstream:
    + fix import_one_mok_state() after split
    + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
      Intel Mac machines)

 -- Steve McIntyre <93sam@debian.org>  Wed, 21 Apr 2021 00:23:02 +0100

shim (15.4-1) unstable; urgency=medium

  * New upstream release fixing more bugs: SBAT and arm64 support
  * Print sha256 checksums of the EFI binaries when the build is done
  * Add two patches from upstream:
    + fix i386 binary relocations
    + allocate MOK config table as BootServicesData

 -- Steve McIntyre <93sam@debian.org>  Wed, 31 Mar 2021 18:25:00 +0100

shim (15.3-3) unstable; urgency=medium

  * Update the timestamp for the 15.3-2 upload.
  * Only include the upstream version in the Debian SBAT metadata, so
    we don't break reproducibility on every minor packaging change.

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 13:21:05 +0000

shim (15.3-2) unstable; urgency=medium

  * Add missing build-dep on xxd for build-time unit tests

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 02:21:53 +0000

shim (15.3-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Switch to much-newer release with many fixes
    + Particularly pulling in SBAT changes for better revocation support
    + Remove all our old patches, no longer needed:
      - avoid_null_vsprint.patch
      - check_null_sn_ln.patch
      - fixup_git.patch
      - uname.patch
      - use_compare_mem_gcc9.patch
    + Now includes a vendor copy of gnu-efi with quite a few extra
      fixes needed.
    + Update copyright file to cover these changes
  * Switch to using gcc-10 rather than gcc-9. Closes: #978521
  * Add dbx entries for all our existing grub binaries
    + They're insecure, let's break the chainloading hole.
  * Add Debian SBAT data
    + Add a Debian SBAT template, and rules to use it
    + Adds a build-dep on dos2unix

 -- Steve McIntyre <93sam@debian.org>  Tue, 23 Mar 2021 23:39:48 +0000

shim (15+1533136590.3beb971-10) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Use secure copyright file specification URI.
  * debian/copyright: use spaces rather than tabs to start continuation
    lines.
  * Bump debhelper from old 11 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit.
  * Update standards version to 4.4.1, no changes needed.

  [ Steve McIntyre ]
  * Trivial changes to generating the inbuilt dbx if we're using it.
  * Upload to pick up rotated Debian signing keys

 -- Steve McIntyre <93sam@debian.org>  Fri, 24 Jul 2020 01:22:46 +0100

shim (15+1533136590.3beb971-9) unstable; urgency=medium

  [ Steve McIntyre ]
  * In the -helpers-ARCH-signed packages, change the version
    dependency on shim-unsigned to be >= and not =. This will allow
    for installation to still work in the window while we wait for the
    template package to do its second trip through the
    archive. Closes: #955356

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Mar 2020 15:19:08 +0100

shim (15+1533136590.3beb971-8) unstable; urgency=medium

  [ Steve McIntyre ]
  * Use --padding when calling pesign to generate hashes for the dbx
    list, as recommended by Peter Jones. No actual changes needed in
    our list of hashes at this point - they work out the same either
    way.
  * Switch to using gcc-9 for builds, tweaking a patch from upstream
    to fix a FTBFS. Closes: #925816
  * Update debhelper compat level to 11 for shim and the
    signing-template

 -- Steve McIntyre <93sam@debian.org>  Tue, 24 Mar 2020 16:51:10 +0000

shim (15+1533136590.3beb971-7) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * debian/control: Update Vcs-* fields

  [ Steve McIntyre ]
  * Backport needed crash fixes:
    + VLogError(): Avoid NULL pointer dereferences in (V)Sprint calls
    + Fix OBJ_create() to tolerate a NULL sn and ln
  * Build using gcc-7 to get better control of reproducibility during the
    lifetime of Buster.
  * Build in a dbx list to blacklist binaries that we know to not be
    secure. Build-depend on a new (bug-fixed) version of pesign to
    generate that list at build time, using a list of known bad hashes.
  * Initial list of known bad hashes is just my personal test binary.

 -- Steve McIntyre <93sam@debian.org>  Wed, 08 May 2019 02:05:01 +0100

shim (15+1533136590.3beb971-6) unstable; urgency=medium

  [ Steve McIntyre ]
  * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
    clashes with the old shim-signed package for fbx64.efi.signed and
    mmx64.efi.signed. Closes: #924619

  [ Helmut Grohne ]
  * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)

 -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000

shim (15+1533136590.3beb971-5) unstable; urgency=medium

  [ Ansgar Burchardt ]
  * Correct maintainer address in signing template

  [ Steve McIntyre ]
  * Remove Rules-Requires-Root in the signing template. We manually install
    things owned by root. There might be better ways to do this, but this
    will do for now.

 -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000

shim (15+1533136590.3beb971-4) unstable; urgency=medium

  [ Steve McIntyre ]
  * No-change sourceful upload to get rebuilds (and hence build logs) from
    the buildds. Hoping to get this version signed by Microsoft, so let's
    make our setup as clean as possible.

 -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000

shim (15+1533136590.3beb971-3) unstable; urgency=medium

  [ Philipp Hahn ]
  * debian/rules: fixing permissions no longer required
  * debian/rules: Disable ephemeral key on Debian.
  * Rename binary package to 'shim-unsigned'
  * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)

  [ Luca Boccassi ]
  * Override lintian error about template rules file.
  * Include /usr/share/dpkg/architecture.mk instead of shelling out.
  * Add uname.patch to avoid embedding the kernel architecture in the
    binary and to use a fixed string instead.

  [ Steve McIntyre ]
  * Change maintenance address to be the EFI team
  * Add me and vorlon to the Uploaders list
  * Rename the helper binary packages to shim-helpers-$arch.
  * Update the signing-template JSON metadata to match new practice:
    + Move all the data under a new top-level "packages" key
    + Add an empty "trusted_certs" key - the helper binaries do not do any
      further verification with an embedded key.

 -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000

shim (15+1533136590.3beb971-2) unstable; urgency=medium

  * Update debian/watch.
  * Update VCS to point to salsa.
  * Fix debian/rules syntax for arm64 build.
  * Enable build for i386.
  * Ensure DEB_HOST_ARCH is set even if not present in the environment.
  * Update Standards-Version.
  * Update debian/copyright (drop reference to file no longer in source)

 -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000

shim (15+1533136590.3beb971-1) unstable; urgency=medium

  * New upstream release.
    - debian/patches/second-stage-path: dropped; the default loader path now
      includes an arch suffix.
    - debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
  * Drop remaining patches that were not being applied.
  * Sync packaging from Ubuntu:
    - debian/copyright: Update upstream source location.
    - debian/control: add a Build-Depends on libelf-dev.
    - Enable arm64 build.
    - debian/patches/fixup_git.patch: don't run git in clean; we're not
      really in a git tree.
    - debian/rules, debian/shim.install: use the upstream install target as
      intended, and move files to the target directory using dh_install.
    - define RELEASE and COMMIT_ID for the snapshot.
    - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
    - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
      options: set MAKELEVEL.
    - Define an EFI_ARCH variable, and use that for paths to shim. This
      makes it possible to build a shim for other architectures than amd64.
    - Set EFIDIR=$distro for dh_auto_install; that will let files be installed
      in the "right" final directories, and makes boot.csv for us.
    - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
      at compile-time for MokManager and fallback.
    - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
      and MokManager.

 -- Steve Langasek <vorlon@debian.org>  Sat, 09 Feb 2019 07:23:19 +0000

shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium

  [ Steve Langasek ]
  * Initial Debian upload.  Closes: #820052.
  * Update Standards-Version.
  * Embed the newly-minted Debian CA certificate.
  * Vendorize debian/rules so that the same package can be used in both
    Debian and Ubuntu without modification.
  * Fix debian/copyright to match the spec (last match wins, not first)
  * Fix shim.efi to not be executable.
  * Add watchfile.
  * Support parallel builds, because eh why not
  * Update Vcs-Bzr.
  * Resync with Ubuntu, including patch to fix debian/copyright.

  [ Julien Cristau ]
  * Add some missing copyright holders in d/copyright, update
    Upstream-Contact.  Thanks to Helen Koike for the help.

 -- Julien Cristau <jcristau@debian.org>  Sat, 15 Oct 2016 15:17:34 +0200

shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium

  [ Helen Koike ]
  * debian/copyright: add OpenSSL license

  [ Mathieu Trudel-Lapierre ]
  * New upstream release.
  * debian/copyright: patches should be BSD, like the rest of the upstream
    code.
  * debian/patches/unused-variable: dropped; applied upstream.
  * debian/patches/binutils-version-matching: dropped, fixed upstream.
  * debian/shim.install: built EFI binaries were renamed; update our install
    file to properly pick up shim (shim$arch), MokManager (mm$arch), and
    fallback (fb$arch).

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Wed, 21 Sep 2016 20:29:44 -0400

shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium

  * New upstream release.
    - Better handle LoadOptions. (LP: #1581299)
    - Measure state and second stage in TPM.
    - Mirror MokSBState in runtime as MokSBStateRT.
    - Fix failure to build with GCC 5. (LP: #1429978)
    - Various bug fixes and other improvements.
  * Refreshed patches.
    - Remaining patches:
      + second-stage-path
      + sbsigntool-not-pesign
  * debian/patches/unused-variable: remove unused variable size.
  * debian/patches/binutils-version-matching: revert d9a4c912 to correctly
    match objcopy's version on Ubuntu.
  * debian/copyright: update copyright for patches.

 -- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>  Tue, 26 Jul 2016 16:48:32 -0400

shim (0.8-0ubuntu2) wily; urgency=medium

  * No-change rebuild against gnu-efi 3.0v-5ubuntu1.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 12 May 2015 17:48:30 +0000

shim (0.8-0ubuntu1) wily; urgency=medium

  * New upstream release.
    - Clarify meaning of insecure_mode. (LP: #1384973)
  * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
    debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
    in the upstream release.
  * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
    refreshed.

 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com>  Mon, 11 May 2015 19:50:49 -0400

shim (0.7-0ubuntu4) utopic; urgency=medium

  * SECURITY UPDATE: heap overflow and out-of-bounds read access when
    parsing DHCPv6 information
    - debian/patches/CVE-2014-3675.patch: apply proper bounds checking
      when parsing data provided in DHCPv6 packets.
    - CVE-2014-3675
    - CVE-2014-3676
  * SECURITY UPDATE: memory corruption when processing user-provided key
    lists
    - debian/patches/CVE-2014-3677.patch: detect malformed machine owner
      key (MOK) lists and ignore them, avoiding possible memory corruption.
    - CVE-2014-3677

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 08 Oct 2014 06:40:40 +0000

shim (0.7-0ubuntu2) utopic; urgency=medium

  * Restore debian/patches/prototypes, which still is needed on shim 0.7
    but only detected on the buildds.
  * Update debian/patches/prototypes with some new declarations needed for
    openssl 0.9.8za update.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 16:20:08 -0700

shim (0.7-0ubuntu1) utopic; urgency=medium

  * New upstream release.
    - fix spurious error message when fallback.efi is not present, as will
      always be the case for removable media.  LP: #1297069.
    - drop most patches, included upstream.
  * debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
    openssl 0.9.8za in via upstream.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 07 Oct 2014 05:40:41 +0000

shim (0.4-0ubuntu5) utopic; urgency=low

  * Install fallback.efi.signed as well, to lay the groundwork for fallback
    handling (wanted when we have to move a drive between machines, or when
    the firmware loses its marbles^W nvram).

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Aug 2014 12:11:13 +0200

shim (0.4-0ubuntu4) saucy; urgency=low

  * debian/patches/fix-tftp-prototype: pass the right arguments to
    EFI_PXE_BASE_CODE_TFTP_READ_FILE.
  * debian/patches/build-with-Werror: Build with -Werror to catch future
    prototype mismatches.
  * debian/patches/fix-compiler-warnings: Fix remaining compiler
    warnings in netboot.c.
  * debian/patches/tftp-proper-nul-termination: fix nul termination
    errors in filenames passed to tftp.
  * debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
    the netboot code.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 23 Sep 2013 00:30:00 -0700

shim (0.4-0ubuntu3) saucy; urgency=low

  [ Steve Langasek ]
  * Install MokManager.efi.signed in the package.
  * debian/patches/no-output-by-default.patch: Don't print any
    informational messages.  Closes LP: #1074302.

  [ Stéphane Graber ]
  * debian/patches/no-print-on-unsigned: Don't print an error message when
    validating an unsigned binary as that tends to hang Lenovo machines.
    (LP: #1087501)

 -- Stéphane Graber <stgraber@ubuntu.com>  Thu, 08 Aug 2013 17:12:12 +0200

shim (0.4-0ubuntu2) saucy; urgency=low

  * Add missing build-dependency on openssl.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 20:30:43 +0000

shim (0.4-0ubuntu1) saucy; urgency=low

  * New upstream release.
  * Drop debian/patches/shim-before-loadimage; upstream has changed this to
    not call loadimage at all.
  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
    sbsigntool instead of pesign.
  * Add a versioned build-dependency on gnu-efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 02 Jul 2013 12:53:24 -0700

shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low

  * debian/patches/shim-before-loadimage: Use direct verification first
    before LoadImage.  Addresses an issue where Lenovo's SecureBoot
    implementation pops an error message on any verification failure - avoid
    calling LoadImage at all unless we have to.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 10 Oct 2012 15:28:40 -0700

shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low

  * debian/patches/second-stage-path: Chainload grubx64.efi, not
    grub.efi.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Oct 2012 11:20:58 -0700

shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low

  * debian/patches/prototypes: Include missing prototypes, and disable
    use of BIO_new_file.
  * Only build the package for amd64; we're not signing an i386 shim at this
    stage so there's no point in building it.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 17:47:04 +0000

shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low

  * Initial release.
  * Include the Canonical Secure Boot master CA.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 04 Oct 2012 00:01:06 -0700