mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-08-05 09:42:26 +00:00
264 lines
10 KiB
Plaintext
264 lines
10 KiB
Plaintext
shim (15+1533136590.3beb971-3) unstable; urgency=medium
|
|
|
|
[ Philipp Hahn ]
|
|
* debian/rules: fixing permissions no longer required
|
|
* debian/rules: Disable ephemeral key on Debian.
|
|
* Rename binary package to 'shim-unsigned'
|
|
* Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
|
|
|
|
[ Luca Boccassi ]
|
|
* Override lintian error about template rules file.
|
|
* Include /usr/share/dpkg/architecture.mk instead of shelling out.
|
|
* Add uname.patch to avoid embedding the kernel architecture in the
|
|
binary and to use a fixed string instead.
|
|
|
|
[ Steve McIntyre ]
|
|
* Change maintenance address to be the EFI team
|
|
* Add me and vorlon to the Uploaders list
|
|
* Rename the helper binary packages to shim-helpers-$arch.
|
|
* Update the signing-template JSON metadata to match new practice:
|
|
+ Move all the data under a new top-level "packages" key
|
|
+ Add an empty "trusted_certs" key - the helper binaries do not do any
|
|
further verification with an embedded key.
|
|
|
|
-- Steve McIntyre <93sam@debian.org> Fri, 08 Mar 2019 21:59:43 +0000
|
|
|
|
shim (15+1533136590.3beb971-2) unstable; urgency=medium
|
|
|
|
* Update debian/watch.
|
|
* Update VCS to point to salsa.
|
|
* Fix debian/rules syntax for arm64 build.
|
|
* Enable build for i386.
|
|
* Ensure DEB_HOST_ARCH is set even if not present in the environment.
|
|
* Update Standards-Version.
|
|
* Update debian/copyright (drop reference to file no longer in source)
|
|
|
|
-- Steve Langasek <vorlon@debian.org> Mon, 11 Feb 2019 05:18:18 +0000
|
|
|
|
shim (15+1533136590.3beb971-1) unstable; urgency=medium
|
|
|
|
* New upstream release.
|
|
- debian/patches/second-stage-path: dropped; the default loader path now
|
|
includes an arch suffix.
|
|
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
|
|
* Drop remaining patches that were not being applied.
|
|
* Sync packaging from Ubuntu:
|
|
- debian/copyright: Update upstream source location.
|
|
- debian/control: add a Build-Depends on libelf-dev.
|
|
- Enable arm64 build.
|
|
- debian/patches/fixup_git.patch: don't run git in clean; we're not
|
|
really in a git tree.
|
|
- debian/rules, debian/shim.install: use the upstream install target as
|
|
intended, and move files to the target directory using dh_install.
|
|
- define RELEASE and COMMIT_ID for the snapshot.
|
|
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
|
|
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
|
|
options: set MAKELEVEL.
|
|
- Define an EFI_ARCH variable, and use that for paths to shim. This
|
|
makes it possible to build a shim for other architectures than amd64.
|
|
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
|
|
in the "right" final directories, and makes boot.csv for us.
|
|
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
|
|
at compile-time for MokManager and fallback.
|
|
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
|
|
and MokManager.
|
|
|
|
-- Steve Langasek <vorlon@debian.org> Sat, 09 Feb 2019 07:23:19 +0000
|
|
|
|
shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium
|
|
|
|
[ Steve Langasek ]
|
|
* Initial Debian upload. Closes: #820052.
|
|
* Update Standards-Version.
|
|
* Embed the newly-minted Debian CA certificate.
|
|
* Vendorize debian/rules so that the same package can be used in both
|
|
Debian and Ubuntu without modification.
|
|
* Fix debian/copyright to match the spec (last match wins, not first)
|
|
* Fix shim.efi to not be executable.
|
|
* Add watchfile.
|
|
* Support parallel builds, because eh why not
|
|
* Update Vcs-Bzr.
|
|
* Resync with Ubuntu, including patch to fix debian/copyright.
|
|
|
|
[ Julien Cristau ]
|
|
* Add some missing copyright holders in d/copyright, update
|
|
Upstream-Contact. Thanks to Helen Koike for the help.
|
|
|
|
-- Julien Cristau <jcristau@debian.org> Sat, 15 Oct 2016 15:17:34 +0200
|
|
|
|
shim (0.9+1474479173.6c180c6-0ubuntu1) UNRELEASED; urgency=medium
|
|
|
|
[ Helen Koike ]
|
|
* debian/copyright: add OpenSSL license
|
|
|
|
[ Mathieu Trudel-Lapierre ]
|
|
* New upstream release.
|
|
* debian/copyright: patches should be BSD, like the rest of the upstream
|
|
code.
|
|
* debian/patches/unused-variable: dropped; applied upstream.
|
|
* debian/patches/binutils-version-matching: dropped, fixed upstream.
|
|
* debian/shim.install: built EFI binaries were renamed; update our install
|
|
file to properly pick up shim (shim$arch), MokManager (mm$arch), and
|
|
fallback (fb$arch).
|
|
|
|
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Wed, 21 Sep 2016 20:29:44 -0400
|
|
|
|
shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium
|
|
|
|
* New upstream release.
|
|
- Better handle LoadOptions. (LP: #1581299)
|
|
- Measure state and second stage in TPM.
|
|
- Mirror MokSBState in runtime as MokSBStateRT.
|
|
- Fix failure to build with GCC 5. (LP: #1429978)
|
|
- Various bug fixes and other improvements.
|
|
* Refreshed patches.
|
|
- Remaining patches:
|
|
+ second-stage-path
|
|
+ sbsigntool-not-pesign
|
|
* debian/patches/unused-variable: remove unused variable size.
|
|
* debian/patches/binutils-version-matching: revert d9a4c912 to correctly
|
|
match objcopy's version on Ubuntu.
|
|
* debian/copyright: update copyright for patches.
|
|
|
|
-- Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Tue, 26 Jul 2016 16:48:32 -0400
|
|
|
|
shim (0.8-0ubuntu2) wily; urgency=medium
|
|
|
|
* No-change rebuild against gnu-efi 3.0v-5ubuntu1.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 12 May 2015 17:48:30 +0000
|
|
|
|
shim (0.8-0ubuntu1) wily; urgency=medium
|
|
|
|
* New upstream release.
|
|
- Clarify meaning of insecure_mode. (LP: #1384973)
|
|
* debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch,
|
|
debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included
|
|
in the upstream release.
|
|
* debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path:
|
|
refreshed.
|
|
|
|
-- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Mon, 11 May 2015 19:50:49 -0400
|
|
|
|
shim (0.7-0ubuntu4) utopic; urgency=medium
|
|
|
|
* SECURITY UPDATE: heap overflow and out-of-bounds read access when
|
|
parsing DHCPv6 information
|
|
- debian/patches/CVE-2014-3675.patch: apply proper bounds checking
|
|
when parsing data provided in DHCPv6 packets.
|
|
- CVE-2014-3675
|
|
- CVE-2014-3676
|
|
* SECURITY UPDATE: memory corruption when processing user-provided key
|
|
lists
|
|
- debian/patches/CVE-2014-3677.patch: detect malformed machine owner
|
|
key (MOK) lists and ignore them, avoiding possible memory corruption.
|
|
- CVE-2014-3677
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Oct 2014 06:40:40 +0000
|
|
|
|
shim (0.7-0ubuntu2) utopic; urgency=medium
|
|
|
|
* Restore debian/patches/prototypes, which still is needed on shim 0.7
|
|
but only detected on the buildds.
|
|
* Update debian/patches/prototypes with some new declarations needed for
|
|
openssl 0.9.8za update.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 16:20:08 -0700
|
|
|
|
shim (0.7-0ubuntu1) utopic; urgency=medium
|
|
|
|
* New upstream release.
|
|
- fix spurious error message when fallback.efi is not present, as will
|
|
always be the case for removable media. LP: #1297069.
|
|
- drop most patches, included upstream.
|
|
* debian/patches/0001-Update-openssl-to-0.9.8za.patch: cherry-pick
|
|
openssl 0.9.8za in via upstream.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 07 Oct 2014 05:40:41 +0000
|
|
|
|
shim (0.4-0ubuntu5) utopic; urgency=low
|
|
|
|
* Install fallback.efi.signed as well, to lay the groundwork for fallback
|
|
handling (wanted when we have to move a drive between machines, or when
|
|
the firmware loses its marbles^W nvram).
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 04 Aug 2014 12:11:13 +0200
|
|
|
|
shim (0.4-0ubuntu4) saucy; urgency=low
|
|
|
|
* debian/patches/fix-tftp-prototype: pass the right arguments to
|
|
EFI_PXE_BASE_CODE_TFTP_READ_FILE.
|
|
* debian/patches/build-with-Werror: Build with -Werror to catch future
|
|
prototype mismatches.
|
|
* debian/patches/fix-compiler-warnings: Fix remaining compiler
|
|
warnings in netboot.c.
|
|
* debian/patches/tftp-proper-nul-termination: fix nul termination
|
|
errors in filenames passed to tftp.
|
|
* debian/patches/netboot-cleanup: roll-up of miscellaneous fixes to
|
|
the netboot code.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Mon, 23 Sep 2013 00:30:00 -0700
|
|
|
|
shim (0.4-0ubuntu3) saucy; urgency=low
|
|
|
|
[ Steve Langasek ]
|
|
* Install MokManager.efi.signed in the package.
|
|
* debian/patches/no-output-by-default.patch: Don't print any
|
|
informational messages. Closes LP: #1074302.
|
|
|
|
[ Stéphane Graber ]
|
|
* debian/patches/no-print-on-unsigned: Don't print an error message when
|
|
validating an unsigned binary as that tends to hang Lenovo machines.
|
|
(LP: #1087501)
|
|
|
|
-- Stéphane Graber <stgraber@ubuntu.com> Thu, 08 Aug 2013 17:12:12 +0200
|
|
|
|
shim (0.4-0ubuntu2) saucy; urgency=low
|
|
|
|
* Add missing build-dependency on openssl.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 20:30:43 +0000
|
|
|
|
shim (0.4-0ubuntu1) saucy; urgency=low
|
|
|
|
* New upstream release.
|
|
* Drop debian/patches/shim-before-loadimage; upstream has changed this to
|
|
not call loadimage at all.
|
|
* debian/patches/sbsigntool-not-pesign: Sign MokManager with
|
|
sbsigntool instead of pesign.
|
|
* Add a versioned build-dependency on gnu-efi.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Tue, 02 Jul 2013 12:53:24 -0700
|
|
|
|
shim (0~20120906.bcd0a4e8-0ubuntu4) quantal-proposed; urgency=low
|
|
|
|
* debian/patches/shim-before-loadimage: Use direct verification first
|
|
before LoadImage. Addresses an issue where Lenovo's SecureBoot
|
|
implementation pops an error message on any verification failure - avoid
|
|
calling LoadImage at all unless we have to.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:28:40 -0700
|
|
|
|
shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
|
|
|
|
* debian/patches/second-stage-path: Chainload grubx64.efi, not
|
|
grub.efi.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Fri, 05 Oct 2012 11:20:58 -0700
|
|
|
|
shim (0~20120906.bcd0a4e8-0ubuntu2) quantal; urgency=low
|
|
|
|
* debian/patches/prototypes: Include missing prototypes, and disable
|
|
use of BIO_new_file.
|
|
* Only build the package for amd64; we're not signing an i386 shim at this
|
|
stage so there's no point in building it.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 17:47:04 +0000
|
|
|
|
shim (0~20120906.bcd0a4e8-0ubuntu1) quantal; urgency=low
|
|
|
|
* Initial release.
|
|
* Include the Canonical Secure Boot master CA.
|
|
|
|
-- Steve Langasek <steve.langasek@ubuntu.com> Thu, 04 Oct 2012 00:01:06 -0700
|