shim (15+1533136590.3beb971-0ubuntu1) cosmic; urgency=medium [ Steve Langasek ] * Fix Vcs link. [ dann frazier ] * Enable arm64 build. [ Mathieu Trudel-Lapierre ] * New upstream snapshot. * debian/patches/abort_abort_abort.patch: dropped patch, included upstream. * debian/rules: - define RELEASE and COMMIT_ID for the snapshot. - Set ENABLE_HTTPBOOT to enable the HTTP Boot feature. * debian/patches/fixup_git.patch: don't run git in clean; we're not really in a git tree. -- Mathieu Trudel-Lapierre Wed, 22 Aug 2018 10:52:10 -0400 shim (13-0ubuntu2) bionic; urgency=medium * debian/patches/abort_abort_abort.patch: signtool.exe isn't happy with some of the structure of our binary, partly because abort() is thought to be an external symbol, which causes some relocalisations to appear. -- Mathieu Trudel-Lapierre Tue, 07 Nov 2017 10:19:04 -0500 shim (13-0ubuntu1) artful; urgency=medium * New upstream release: 13 * debian/control: add a Build-Depends on libelf-dev. * debian/control: add Breaks: for the previous shim-signed builds given that shim will now build and ship BOOT.CSV by itself. * debian/rules: - Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream options: set MAKELEVEL. - Define an EFI_ARCH variable, and use that for paths to shim. This makes it possible to build a shim for other architectures than amd64. - Set EFIDIR=ubuntu for dh_auto_install; that will let files be installed in the "right" final directories, and makes boot.csv for us. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback and MokManager. * debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. * debian/shim.install: update paths in light of using shim's upstream install target. * debian/rules, debian/shim.install: make sure the 'make install' step does what it's meant to do by upstream: we can easily make use of the end result to have the files we need. -- Mathieu Trudel-Lapierre Fri, 29 Sep 2017 15:11:28 -0400 shim (0.9+1474479173.6c180c6-1ubuntu1) zesty; urgency=medium [ Steve Langasek ] * Merge (not yet NEW cleared) changes from Debian branch. [ Mathieu Trudel-Lapierre ] * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: guard against errors in mirroring MokSBState to MokSBStateRT. Thanks to Ivan Hu for the patch. This will fix issues updating MokSBStateRT if the variable already exists with different attributes. (LP: #1644806) -- Mathieu Trudel-Lapierre Thu, 01 Dec 2016 16:55:50 -0500 shim (0.9+1474479173.6c180c6-1) unstable; urgency=medium [ Steve Langasek ] * Initial Debian upload. Closes: #820052. * Update Standards-Version. * Embed the newly-minted Debian CA certificate. * Vendorize debian/rules so that the same package can be used in both Debian and Ubuntu without modification. * Fix debian/copyright to match the spec (last match wins, not first) * Fix shim.efi to not be executable. * Add watchfile. * Support parallel builds, because eh why not * Update Vcs-Bzr. * Resync with Ubuntu, including patch to fix debian/copyright. [ Julien Cristau ] * Add some missing copyright holders in d/copyright, update Upstream-Contact. Thanks to Helen Koike for the help. -- Julien Cristau Sat, 15 Oct 2016 15:17:34 +0200 shim (0.9+1474479173.6c180c6-0ubuntu1) yakkety; urgency=medium [ Helen Koike ] * debian/copyright: add OpenSSL license [ Mathieu Trudel-Lapierre ] * New upstream release. (LP: #1624096) * debian/copyright: patches should be BSD, like the rest of the upstream code. * debian/patches/unused-variable: dropped; applied upstream. * debian/patches/binutils-version-matching: dropped, fixed upstream. * debian/shim.install: built EFI binaries were renamed; update our install file to properly pick up shim (shim$arch), MokManager (mm$arch), and fallback (fb$arch). -- Mathieu Trudel-Lapierre Thu, 22 Sep 2016 15:02:20 -0400 shim (0.9+1465500757.14a5905-0ubuntu1) yakkety; urgency=medium * New upstream release. - Better handle LoadOptions. (LP: #1581299) - Measure state and second stage in TPM. - Mirror MokSBState in runtime as MokSBStateRT. - Fix failure to build with GCC 5. (LP: #1429978) - Various bug fixes and other improvements. * Refreshed patches. - Remaining patches: + second-stage-path + sbsigntool-not-pesign * debian/patches/unused-variable: remove unused variable size. * debian/patches/binutils-version-matching: revert d9a4c912 to correctly match objcopy's version on Ubuntu. * debian/copyright: update copyright for patches. -- Mathieu Trudel-Lapierre Tue, 26 Jul 2016 16:48:32 -0400 shim (0.8-0ubuntu2) wily; urgency=medium * No-change rebuild against gnu-efi 3.0v-5ubuntu1. -- Steve Langasek Tue, 12 May 2015 17:48:30 +0000 shim (0.8-0ubuntu1) wily; urgency=medium * New upstream release. - Clarify meaning of insecure_mode. (LP: #1384973) * debian/patches/CVE-2014-3675.patch, debian/patches/CVE-2014-3677.patch, debian/patches/0001-Update-openssl-to-0.9.8za.patch: dropped, included in the upstream release. * debian/patches/sbsigntool-not-pesign,debian/patches/second-stage-path: refreshed. -- Mathieu Trudel-Lapierre Mon, 11 May 2015 19:50:49 -0400 shim (0.7-0ubuntu4) utopic; urgency=medium * SECURITY UPDATE: heap overflow and out-of-bounds read access when parsing DHCPv6 information - debian/patches/CVE-2014-3675.patch: apply proper bounds checking when parsing data provided in DHCPv6 packets. - CVE-2014-3675 - CVE-2014-3676 * SECURITY UPDATE: memory corruption when processing user-provided key lists - debian/patches/CVE-2014-3677.patch: detect malformed machine owner key (MOK) lists and ignore them, avoiding possible memory corruption. - CVE-2014-3677 -- Steve Langasek Wed, 08 Oct 2014 06:40:40 +0000 # For older changelog entries, run 'apt-get changelog shim'