Skip to content

Tags

Tags give the ability to mark specific points in history as being important
  • debian/15.8-1_deb10u1
    Release shim version 15.8-1~deb10u1
    
  • debian/15.8-1_deb11u1
    Release shim version 15.8-1~deb11u1
    
  • debian/15.8-1_deb12u1
    Release shimversion 15.8-1~deb12u1
    
  • debian/15.8-1
    1c1d50da · Release 15.8-1 ·
    Release shimversion 15.8-1
    
  • upstream/15.8
    a075e586 · New upstream version 15.8 ·
    Upstream version 15.8
  • 15.8
    5914984a · Bump version to 15.8 ·
    shim 15.8:
    
    What's changed
    * Various CVE fixes:
    CVE-2023-40546 mok: fix LogError() invocation
    CVE-2023-40547 - avoid incorrectly trusting HTTP headers
    CVE-2023-40548 Fix integer overflow on SBAT section size on 32-bit system
    CVE-2023-40549 Authenticode: verify that the signature header is in bounds.
    CVE-2023-40550 pe: Fix an out-of-bound read in verify_buffer_sbat()
    CVE-2023-40551: pe-relocate: Fix bounds check for MZ binaries
    * Add make infrastructure to set the NX_COMPAT flag by @vathpela in https://github.com/rhboot/shim/pull/530
    * Make sbat_var.S parse right with buggy gcc/binutils by @vathpela in https://github.com/rhboot/shim/pull/535
    * Drop invalid calls to CRYPTO_set_mem_functions by @nicholasbishop in https://github.com/rhboot/shim/pull/537
    * pe: Align section size up to page size for mem attrs by @nicholasbishop in https://github.com/rhboot/shim/pull/539
    * test-sbat: Fix exit code by @vathpela in https://github.com/rhboot/shim/pull/540
    * pe: Add IS_PAGE_ALIGNED macro by @nicholasbishop in https://github.com/rhboot/shim/pull/541
    * CryptoPkg/BaseCryptLib: Fix buffer overflow issue in realloc wrapper by @nicholasbishop in https://github.com/rhboot/shim/pull/546
    * Don't loop forever in load_certs() with buggy firmware by @rmetrich in https://github.com/rhboot/shim/pull/547
    * Block Debian grub binaries with SBAT < 4 by @steve-mcintyre in https://github.com/rhboot/shim/pull/550
    * Shim unable to locate grubx64 in PXE boot mode when grubx64 is stored in a different file path by @Alberto-Perez-Guevara in https://github.com/rhboot/shim/pull/551
    * Further improve load_certs() for non-compliant drivers/firmwares by @pbatard in https://github.com/rhboot/shim/pull/560
    * pe: only process RelocDir->Size of reloc section by @mikebeaton in https://github.com/rhboot/shim/pull/562
    * Rename 'msecs' to 'usecs' to avoid potential confusion by @aronowski in https://github.com/rhboot/shim/pull/563
    * Optionally allow to keep shim protocol installed by @bluca in https://github.com/rhboot/shim/pull/565
    * SBAT-related documents formatting and spelling by @aronowski in https://github.com/rhboot/shim/pull/566
    * Add SbatLevel_Variable.txt to document the various revocations by @jsetje in https://github.com/rhboot/shim/pull/569
    * Add a security contact email address in README.md by @vathpela in https://github.com/rhboot/shim/pull/572
    * Use -Wno-unused-but-set-variable for Cryptlib and OpenSSL by @vathpela in https://github.com/rhboot/shim/pull/576
    * mok: fix LogError() invocation by @vathpela in https://github.com/rhboot/shim/pull/577
    * Minor housekeeping by @vathpela in https://github.com/rhboot/shim/pull/578
    * Test ImageAddress() by @vathpela in https://github.com/rhboot/shim/pull/579
    * FreePages() is used to return memory allocated by AllocatePages() by @dennis-tseng99 in https://github.com/rhboot/shim/pull/580
    * Size should minus 1 when calculating 'RelocBaseEnd' by @jsetje in https://github.com/rhboot/shim/pull/581
    * Verify signature before verifying sbat levels by @jsetje in https://github.com/rhboot/shim/pull/583
    * Add libFuzzer support for csv.c and sbat.c by @vathpela in https://github.com/rhboot/shim/pull/584
    * mok: Avoid underflow in maximum variable size calculation by @alpernebbi in https://github.com/rhboot/shim/pull/587
    * Housekeeping by @vathpela in https://github.com/rhboot/shim/pull/605
    
    Signed-off-by: Peter Jones <pjones@redhat.com>
    
  • debian/15.7-1_deb10u1
    releasing package shim version 15.7-1~deb10u1
    
  • debian/15.7-1_deb11u1
    744ed9bc · Release 15.7-1~deb11u1 ·
    releasing package shim version 15.7-1~deb11u1
    
  • debian/15.7-1
    e02f5a25 · Release 15.7-1 ·
    releasing package shim version 15.7-1
    
  • upstream/15.7
    2dd2f760 · New upstream version 15.7 ·
    Upstream version 15.7
  • 15.7
    11491619 · Update version to 15.7 ·
    shim 15.7
    
    What's Changed
    * Make SBAT variable payload introspectable by @chrisccoulson in https://github.com/rhboot/shim/pull/483
    * Reference MokListRT instead of MokList by @esnowberg in https://github.com/rhboot/shim/pull/488
    * Add a link to the test plan in the readme. by @vathpela in https://github.com/rhboot/shim/pull/494
    * [V3] Enable TDX measurement to RTMR register by @kenplusplus in https://github.com/rhboot/shim/pull/485
    * Discard load-options that start with a NUL by @frozencemetery in https://github.com/rhboot/shim/pull/505
    * load_cert_file bugs by @esnowberg in https://github.com/rhboot/shim/pull/523
    * Add -malign-double to IA32 compiler flags by @nicholasbishop in https://github.com/rhboot/shim/pull/516
    * pe: Fix image section entry-point validation by @iokomin in https://github.com/rhboot/shim/pull/518
    * make-archive: Build reproducible tarball by @julian-klode in https://github.com/rhboot/shim/pull/527
    * mok: remove MokListTrusted from PCR 7 by @baloo in https://github.com/rhboot/shim/pull/519
    * Shim 15.7 version update by @vathpela in https://github.com/rhboot/shim/pull/528
    
    New Contributors
    * @kenplusplus made their first contribution in https://github.com/rhboot/shim/pull/485
    * @iokomin made their first contribution in https://github.com/rhboot/shim/pull/518
    * @baloo made their first contribution in https://github.com/rhboot/shim/pull/519
    
    **Full Changelog**: https://github.com/rhboot/shim/compare/15.6...15.7
    
  • debian/15.6-1_deb10u1
    bc471329 · Release 15.6-1~deb10u1 ·
    releasing package shim version 15.6-1~deb10u1
    
  • debian/15.6-1_deb11u1
    0ce2ba3c · Release 15.6-1~deb11u1 ·
    releasing package shim version 15.6-1~deb11u1
    
  • debian/15.6-1
    85e5473c · Release 15.6-1 ·
    releasing package shim version 15.6-1
    
  • upstream/15.6
    e6ace38a · New upstream version 15.6 ·
    Upstream version 15.6
  • 15.6
    505cdb67 · bump version to shim-15.6 ·
    shim-15.6
    
    - What's Changed
    * MokManager: removed Locate graphic output protocol fail error message by @joeyli in https://github.com/rhboot/shim/pull/441
    * shim: implement SBAT verification for the shim_lock protocol by @chrisccoulson in https://github.com/rhboot/shim/pull/456
    * post-process-pe: Fix a missing return code check by @vathpela in https://github.com/rhboot/shim/pull/462
    * Update github actions matrix to be more useful by @frozencemetery in https://github.com/rhboot/shim/pull/469
    * Add f36 and centos9 CI builds by @vathpela in https://github.com/rhboot/shim/pull/470
    * post-process-pe: Fix format string warnings on 32-bit platforms by @steve-mcintyre in https://github.com/rhboot/shim/pull/464
    * tests: also look for system headers in multi-arch directories by @steve-mcintyre in https://github.com/rhboot/shim/pull/466
    * tests: fix gcc warnings by @akodanev in https://github.com/rhboot/shim/pull/463
    * Allow MokListTrusted to be enabled by default by @esnowberg in https://github.com/rhboot/shim/pull/455
    * Add code of conduct by @frozencemetery in https://github.com/rhboot/shim/pull/427
    * Re-add ARM AArch64 support by @vathpela in https://github.com/rhboot/shim/pull/468
    * Use ASCII as fallback if Unicode Box Drawing characters fail by @vathpela in https://github.com/rhboot/shim/pull/428
    * make: don't treat cert.S specially by @vathpela in https://github.com/rhboot/shim/pull/475
    * shim: use SHIM_DEVEL_VERBOSE when built in devel mode by @vathpela in https://github.com/rhboot/shim/pull/474
    * Break out of the inner sbat loop if we find the entry. by @vathpela in https://github.com/rhboot/shim/pull/476
    * Support loading additional certificates by @esnowberg in https://github.com/rhboot/shim/pull/446
    * Add support for NX (W^X) mitigations. by @vathpela in https://github.com/rhboot/shim/pull/459
    * Misc fixups from scan-build. by @vathpela in https://github.com/rhboot/shim/pull/477
    * Fix preserve_sbat_uefi_variable() logic by @jsetje in https://github.com/rhboot/shim/pull/478
    * SBAT Policy latest should be a one-shot by @jsetje in https://github.com/rhboot/shim/pull/481
    * pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
    * pe: Perform image verification earlier when loading grub by @chriscoulson
    * Update advertised sbat generation number for shim by @jsetje
    * Update SBAT generation requirements for 05/24/22 by @jsetje
    * Also avoid CVE-2022-28737 in verify_image() by @vathpela
    
    - New Contributors
    * @joeyli made their first contribution in https://github.com/rhboot/shim/pull/441
    * @akodanev made their first contribution in https://github.com/rhboot/shim/pull/463
    * @esnowberg made their first contribution in https://github.com/rhboot/shim/pull/455
    
    - Full Changelog**: https://github.com/rhboot/shim/compare/15.5...15.6
    
  • 15.6-rc2
    8ee1e1c1 · shim-15.6~rc2 ·
    shim-15.6~rc2
    
    - What's Changed
    * SBAT Policy latest should be a one-shot by @jsetje in https://github.com/rhboot/shim/pull/481
    * pe: Fix a buffer overflow when SizeOfRawData > VirtualSize by @chriscoulson
    * pe: Perform image verification earlier when loading grub by @chriscoulson
    * Update advertised sbat generation number for shim by @jsetje
    * Update SBAT generation requirements for 05/24/22 by @jsetje
    * Also avoid CVE-2022-28737 in verify_image() by @vathpela
    
    - Full Changelog**: https://github.com/rhboot/shim/compare/15.6-rc1..15.6-rc2
    
  • upstream/15.5
    8529e0f7 · New upstream version 15.5 ·
    Upstream version 15.5
  • 15.5
    f2c598bb · Update to version 15.5 ·
    shim 15.5
    
    Much thanks to those who tested this release.
    
    Changes from -rc2:
    
    - Make Mok config table be runtime services memory
    - Remove post-process-pe on 'make clean'
    - pe: missing perror argument
    
    **Incremental changelog**:
    https://github.com/rhboot/shim/compare/15.5-rc2...15.5
    
    From 15.4, the following people contributed code:
    
    - Peter Jones (46)
    - Heinrich Schuchardt (7)
    - Gary Lin (6)
    - Renaud Métrich (4)
    - Julian Andres Klode (4)
    - Serge Hallyn (2)
    - Robbie Harwood (2)
    - Nicholas Bishop (2)
    - João Paulo Rechi Vita (2)
    - Seth Forshee (1)
    - Jonathan Yong (1)
    - Jonas Witschel (1)
    - Javier Martinez Canillas (1)
    - Jan Setje-Eilers (1)
    - Esther Shimanovich (1)
    - Eric Snowberg (1)
    - Dimitri John Ledkov (1)
    - Daniel Axtens (1)
    - Chris Coulson (1)
    - Adam Williamson (1)
    
    **Full changelog**:
    https://github.com/rhboot/shim/compare/15.4...15.5
    
  • 15.5-rc2
    d0df9304 · Minor coverity fixes ·
    shim 15.5 release candidate 2
    
    What's Changed
    
    * docs: update SBAT UEFI variable name by @nicholasbishop in https://github.com/rhboot/shim/pull/421
    * Don't parse load options if invoked from removable media path by @julian-klode in https://github.com/rhboot/shim/pull/399
    * fallback: fix fallback not passing arguments of the first boot option by @martinezjavier in https://github.com/rhboot/shim/pull/433
    * shim: Don't stop forever at "Secure Boot not enabled" notification by @rmetrich in https://github.com/rhboot/shim/pull/438
    * Shim 15.5 coverity by @vathpela in https://github.com/rhboot/shim/pull/439
    
    New Contributors
    
    * @hallyn made their first contribution in https://github.com/rhboot/shim/pull/389
    * @jyong2 made their first contribution in https://github.com/rhboot/shim/pull/365
    * @sforshee made their first contribution in https://github.com/rhboot/shim/pull/378
    * @frozencemetery made their first contribution in https://github.com/rhboot/shim/pull/403
    * @xypron made their first contribution in https://github.com/rhboot/shim/pull/406
    * @eshiman made their first contribution in https://github.com/rhboot/shim/pull/398
    * @daxtens made their first contribution in https://github.com/rhboot/shim/pull/413
    * @rmetrich made their first contribution in https://github.com/rhboot/shim/pull/414
    * @julian-klode made their first contribution in https://github.com/rhboot/shim/pull/393
    
    **Full Changelog**: https://github.com/rhboot/shim/compare/15.5-rc1...15.5-rc2