1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
[ Steve Langasek ]
* Initial Debian upload. Closes: #820052.
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
* Resync with Ubuntu, including patch to fix debian/copyright.
[ Julien Cristau ]
* Add some missing copyright holders in d/copyright, update
Upstream-Contact. Thanks to Helen Koike for the help.
-- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
[ Helen Koike ]
* debian/copyright: add OpenSSL license
[ Mathieu Trudel-Lapierre ]
* New upstream release.
* debian/copyright: patches should be BSD, like the rest of the upstream
code.
* debian/patches/unused-variable: dropped; applied upstream.
* debian/patches/binutils-version-matching: dropped, fixed upstream.
* debian/shim.install: built EFI binaries were renamed; update our install
file to properly pick up shim (shim$arch), MokManager (mm$arch), and
fallback (fb$arch).
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
* New upstream release.
- Better handle LoadOptions. (LP: #1581299)
- Measure state and second stage in TPM.
- Mirror MokSBState in runtime as MokSBStateRT.
- Fix failure to build with GCC 5. (LP: #1429978)
- Various bug fixes and other improvements.
* Refreshed patches.
- Remaining patches:
+ second-stage-path
+ sbsigntool-not-pesign
* debian/patches/unused-variable: remove unused variable size.
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly
match objcopy's version on Ubuntu.
* debian/copyright: update copyright for patches.
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
shim (0.8-0ubuntu2) wily; urgency=medium
* No-change rebuild against gnu-efi 3.0v-5ubuntu1.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
shim (0.8-0ubuntu1) wily; urgency=medium
* New upstream release.
- Clarify meaning of insecure_mode. (LP: #1384973)
* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
in the upstream release.
* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
refreshed.
-- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
shim (0.7-0ubuntu4) utopic; urgency=medium
* SECURITY UPDATE: heap overflow and out-of-bounds read access when
parsing DHCPv6 information
- debian/patches/CVE-2014-3675.patch: apply proper bounds checking
when parsing data provided in DHCPv6 packets.
- CVE-2014-3675
- CVE-2014-3676
* SECURITY UPDATE: memory corruption when processing user-provided key
lists
- debian/patches/CVE-2014-3677.patch: detect malformed machine owner
key (MOK) lists and ignore them, avoiding possible memory corruption.
- CVE-2014-3677
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
shim (0.7-0ubuntu2) utopic; urgency=medium
* Restore debian/patches/prototypes, which still is needed on shim 0.7
but only detected on the buildds.
* Update debian/patches/prototypes with some new declarations needed for
openssl 0.9.8za update.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
shim (0.7-0ubuntu1) utopic; urgency=medium
* New upstream release.
- fix spurious error message when fallback.efi is not present, as will
always be the case for removable media. LP: #1297069.
- drop most patches, included upstream.
* debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
openssl 0.9.8za in via upstream.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
shim (0.4-0ubuntu5) utopic; urgency=low
* Install fallback.efi.signed as well, to lay the groundwork for fallback
handling (wanted when we have to move a drive between machines, or when
the firmware loses its marbles^W nvram).
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
shim (0.4-0ubuntu4) saucy; urgency=low
* debian/patches/fix-tftp-prototype: pass the right arguments to
EFI_PXE_BASE_CODE_TFTP_READ_FILE.
* debian/patches/build-with-Werror: Build with -Werror to catch future
prototype mismatches.
* debian/patches/fix-compiler-warnings: Fix remaining compiler
warnings in netboot.c.
* debian/patches/tftp-proper-nul-termination: fix nul termination
errors in filenames passed to tftp.
* debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
the netboot code.
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
shim (0.4-0ubuntu3) saucy; urgency=low
[ Steve Langasek ]
* Install MokManager.efi.signed in the package.
* debian/patches/no-output-by-default.patch: Don't print any
informational messages. Closes LP: #1074302.
[ Stéphane Graber ]
* debian/patches/no-print-on-unsigned: Don't print an error message when
validating an unsigned binary as that tends to hang Lenovo machines.
(LP: #1087501)
-- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
shim (0.4-0ubuntu2) saucy; urgency=low
* Add missing build-dependency on openssl.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
shim (0.4-0ubuntu1) saucy; urgency=low
* New upstream release.
* Drop debian/patches/shim-before-loadimage; upstream has changed this to
not call loadimage at all.
* debian/patches/sbsigntool-not-pesign: Sign MokManager with
sbsigntool instead of pesign.
* Add a versioned build-dependency on gnu-efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
* debian/patches/shim-before-loadimage: Use direct verification first
before LoadImage. Addresses an issue where Lenovo's SecureBoot
implementation pops an error message on any verification failure - avoid
calling LoadImage at all unless we have to.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
* debian/patches/second-stage-path: Chainload grubx64.efi, not
grub.efi.
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
* debian/patches/prototypes: Include missing prototypes, and disable
use of BIO_new_file.
* Only build the package for amd64; we're not signing an i386 shim at this
stage so there's no point in building it.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
* Initial release.
* Include the Canonical Secure Boot master CA.
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
|
