shim-signed (1.58) noble; urgency=medium
* Prevent postinst failing when broken grub-common was previously
installed(LP: #2056562)
-- Mate Kukri <mate.kukri@canonical.com> Thu, 04 Apr 2024 13:39:00 +0100
shim-signed (1.57) mantic; urgency=medium
* New upstream version 15.8 (LP: #2051151):
- pe: Align section size up to page size for mem attrs (LP: #2036604)
- SBAT level: shim,4
- SBAT policy:
- Latest: "shim,4\ngrub,3\ngrub.debian,4\n"
- Automatic: "shim,2\ngrub,3\ngrub.debian,4\n"
- Note that this does not yet revoke pre NTFS CVE fix GRUB binaries.
* SECURITY UPDATE: a bug in an error message [LP: #2051151]
- mok: fix LogError() invocation
- CVE-2023-40546
* SECURITY UPDATE: out-of-bounds write and UEFI Secure Boot bypass
when booting via HTTP [LP: #2051151]
- avoid incorrectly trusting HTTP headers
- CVE-2023-40547
* SECURITY UPDATE: out-of-bounds write and possible bug [LP: #2051151]
- Fix integer overflow on SBAT section size on 32-bit system
- CVE-2023-40548
* SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
- Authenticode: verify that the signature header is in bounds.
- CVE-2023-40549
* SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
- pe: Fix an out-of-bound read in verify_buffer_sbat()
- CVE-2023-40550
* SECURITY UPDATE: out-of-bounds read and possible bug [LP: #2051151]
- pe-relocate: Fix bounds check for MZ binaries
- CVE-2023-40551
* Makefile: Add option for building without an externally signed shim
-- Mate Kukri <mate.kukri@canonical.com> Thu, 29 Feb 2024 10:26:43 +0000
shim-signed (1.56) mantic; urgency=medium
* Drop --auto-nvram from grub-multi-install call (LP: #2037185)
-- Julian Andres Klode <juliank@ubuntu.com> Wed, 04 Oct 2023 18:54:03 +0200
shim-signed (1.54) kinetic; urgency=medium
[ dann frazier ]
* Fix arm64 issues due to hardcoding "x64" as the EFI architecture.
(LP: #2004208)
* is-not-revoked: Support vmlinux.gz files as used on arm64.
(LP: #2004201)
-- Julian Andres Klode <juliank@ubuntu.com> Tue, 31 Jan 2023 12:57:37 +0100
shim-signed (1.52) kinetic; urgency=medium
* New upstream version 15.7 (LP: #1996503)
- SBAT level: shim,3
- SBAT policy bumped to for grub,2 in previous and grub,3 in latest:
SBAT policy: latest="shim,2\ngrub,3\n" previous="grub,2\n"
* SECURITY FIX: Buffer overflow when loading crafted EFI images.
- CVE-2022-28737
* debian/control: Depend on new grub versions (1.191 on lunar+, 1.187.2 elsewhere)
* Break fwupd-signed signed with old keys
* Check for revoked fb,mm binaries in build, grubs, fwupd in autopkgtest
* Install both previous and latest shim as alternatives. On secure boot
systems, if the current kernel or any newer one is revoked, the previous
shim will continue to be used until current kernel and all newer ones
are signed with a non-revoked key.
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 26 Jan 2023 13:03:25 +0100
shim-signed (1.51) impish; urgency=medium
* Update to shim 15.4-0ubuntu9
- Fix booting installer media on some machines (LP: #1937115)
+ Always fallback to the default loader (PR #393)
+ Dump load options parsed (PR #393)
+ Disable load option parsing on removable media path (PR #399)
- trivial: Fix a minor overflow in the mok importing code (PR #365)
- Fix fall back loader to find the correct boot entry, avoiding potential
corruption of firmware (PR #396).
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 13 Aug 2021 18:00:15 +0200
shim-signed (1.50) impish; urgency=medium
* download-signed: Fetch signed artefacts from versioned URL instead
of current/ symlink to work around caching (LP: #1936640)
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 16 Jul 2021 13:18:10 +0200
shim-signed (1.49) impish; urgency=medium
* Update to shim 15.4-0ubuntu7:
- Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
- Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
- Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
- mok: relax the maximum variable size check (LP: #1934780) (PR #369)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 15 Jul 2021 11:00:51 +0200
shim-signed (1.48) impish; urgency=medium
[ Dimitri John Ledkov ]
* Ship externally signed shims in the source package, instead of
detached signatures.
[ Steve Langasek ]
* Restore build-time 'cmp' check to assert that the output of sbattach
matches the binary received from Microsoft.
* Include external-$arch.p7c in the clean target.
[ Julian Andres Klode ]
* download-signed: Work around non-HTTP apt sources
* Update to shim 15.4-0ubuntu5:
- Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
is causing systems to run out of EFI storage space, or just hang up
when trying to write it (LP: #1924605) (LP: #1928434)
- Further relax the check for variable mirroring on non-secureboot systems
avoiding boot failures on out of space conditons (pull request #372)
- Don't unhook ExitBootServices() when EBS protection is disabled
(LP: #1931136) (pull request #378)
-- Julian Andres Klode <juliank@ubuntu.com> Tue, 22 Jun 2021 12:19:31 +0200
shim-signed (1.47) impish; urgency=medium
[ Balint Reczey ]
* Fix boot on EFI 1.10 machines, for example on some MacBooks (LP: #1925010)
[ Dimitri John Ledkov ]
* Fix kernel warning when allocating MOK table (LP: #1925139)
* Fix booting with shim SBState disabled (LP: #1925140)
* Use -Zxz compression, for compatibility with dpkg in older releases.
LP: #1925673
-- Dimitri John Ledkov <xnox@ubuntu.com> Fri, 30 Apr 2021 10:46:25 +0100
shim-signed (1.46) hirsute; urgency=medium
* New upstream release 15.4 LP: #1921134
* Ship fb & mm from shim-signed package.
* Remove shim-canonical-unsigned dependency, now provided by shim
itself.
* Generalize attaching externally supplied signatures, to aid building
with embargoed or MS external signatures.
-- Dimitri John Ledkov <xnox@ubuntu.com> Wed, 24 Mar 2021 12:40:28 +0000
shim-signed (1.45) groovy; urgency=medium
* Merge back changes from focal that got lost in the shim revert, as
groovy carried on from the reverted 1.41 upload and did not merge
back 1.40.{1,2,3}:
- Depend on the correct version of grub-signed (LP: #1871895)
- Install grub to multiple ESPs (LP: #1871821)
- Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187),
thanks to Aleksander Miera for the patch.
-- Julian Andres Klode <juliank@ubuntu.com> Wed, 21 Oct 2020 11:02:12 +0200
shim-signed (1.44) groovy; urgency=medium
* Set XB-Important: yes and Protected: yes on shim-signed package
so that it cannot be removed by accident (LP: #1898729)
-- Julian Andres Klode <juliank@ubuntu.com> Tue, 20 Oct 2020 12:05:37 +0200
shim-signed (1.43) groovy; urgency=medium
* Add download-signed script from linux-signed package
* Construct and ship dual-signed shim.
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 04 Aug 2020 14:23:29 +0100
shim-signed (1.42) groovy; urgency=medium
* Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.
-- Julian Andres Klode <juliank@ubuntu.com> Mon, 03 Aug 2020 12:36:10 +0200
shim-signed (1.41) focal; urgency=medium
* Update to the signed 15+1552672080.a4a1fbe-0ubuntu1 binary from Microsoft.
-- Steve Langasek <steve.langasek@ubuntu.com> Wed, 05 Feb 2020 13:04:08 -0800
shim-signed (1.40.3) focal; urgency=medium
* Depend on the correct version of grub-signed (LP: #1871895)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 09 Apr 2020 20:48:31 +0200
shim-signed (1.40.2) focal; urgency=medium
* Install grub to multiple ESPs (LP: #1871821)
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 09 Apr 2020 13:05:53 +0200
shim-signed (1.40.1) focal; urgency=medium
* Pass --timeout -1 to mokutil in a separate mokutil run (LP: #1869187),
thanks to Aleksander Miera for the patch.
-- Julian Andres Klode <juliank@ubuntu.com> Thu, 09 Apr 2020 09:57:51 +0200
shim-signed (1.40) focal; urgency=medium
* Pass --timeout -1 to mokutil so that users don't end up with broken
systems by missing MokManager on reboot after install. LP: #1856422.
* Add a versioned dependency on the mokutil that introduces --timeout.
-- Steve Langasek <steve.langasek@ubuntu.com> Sat, 14 Dec 2019 20:26:42 -0800
# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog shim-signed`.
Generated by dwww version 1.16 on Mon Dec 15 20:55:16 CET 2025.