edk2 (0~20191122.bd85bf54-2ubuntu3.5) focal; urgency=medium

  * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733.
    Thanks to Mate Kukri. LP: #2040137.
    - Backport support for GetSetupMode() and IsSecureBootEnabled():
      + 0001-SecurityPkg-Create-SecureBootVariableLib.patch
      + 0002-ArmVirtPkg-add-SecureBootVariableLib-class-resolutio.patch
      + 0003-OvmfPkg-add-SecureBootVariableLib-class-resolution.patch
      + 0004-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch
      + 0005-EmulatorPkg-add-SecureBootVariableLib-class-resoluti.patch
    - Disable the built-in Shell when SecureBoot is enabled:
      + Disable-the-Shell-when-SecureBoot-is-enabled.patch

 -- dann frazier <email address hidden>  Tue, 13 Feb 2024 17:52:30 -0700

edk2 (0~20191122.bd85bf54-2ubuntu3.4) focal; urgency=medium

  [ dann frazier ]
  * Provide 4MB OVMF images: The existing 2MB images no longer
    have sufficient variable space for the current Secure Boot
    Forbidden Signature Database. (LP: #1885662)
    - Convert targets for pre-enrolled variable template images
      into pattern rules. This will be useful for adding additional
      pre-enrolled variable templates.
    - Update fw descriptors to reference 4M images instead of their
      2M counterparts. This will migrate tools that use the descriptor
      interface (like libvirt) over to the 4M images when creating new
      VMs. Existing 2M VMs will require manual migration.
  * Increase autopkgtest timeout from 30s to 60s. (LP: #1885186)

  [ Mustafa Kemal Gilor ]
  * Added autopkg tests for 4MB OVMF images. (LP: #1885662)

 -- Mustafa Kemal GILOR <email address hidden>  Tue, 08 Nov 2022 11:40:07 +0300

edk2 (0~20191122.bd85bf54-2ubuntu3.3) focal-security; urgency=medium

  * SECURITY UPDATE: Insufficient input validation in MdeModulePkg
    - debian/patches/CVE-2019-11098-*.patch
    - CVE-2019-11098
  * SECURITY UPDATE: overflow in openssl EVP_DecryptUpdate
    - debian/patches/CVE-2021-23840.patch
    - CVE-2021-23840
  * SECURITY UPDATE: DoS via incorrect ASN.1 string termination in openssl
    - debian/patches/CVE-2021-3712-*.patch
    - CVE-2021-3712
  * SECURITY UPDATE: remote buffer overflow in IScsiHexToBin
    - debian/patches/CVE-2021-38575-*.patch
    - CVE-2021-38575

 -- Marc Deslauriers <email address hidden>  Mon, 20 Sep 2021 09:11:31 -0400

edk2 (0~20191122.bd85bf54-2ubuntu3.2) focal-security; urgency=medium

  * SECURITY UPDATE: unlimited FV recursion
    - debian/patches/CVE-2021-28210-1.patch: assert SectionInstance
      invariant in FindChildNode() in
      MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c.
    - debian/patches/CVE-2021-28210-2.patch: limit FwVol encapsulation
      section recursion in MdeModulePkg/Core/Dxe/DxeMain.inf,
      MdeModulePkg/Core/Dxe/SectionExtraction/CoreSectionExtraction.c,
      MdeModulePkg/MdeModulePkg.dec, MdeModulePkg/MdeModulePkg.uni.
    - CVE-2021-28210
  * SECURITY UPDATE: possible heap corruption in LzmaUefiDecompressGetInfo
    - debian/patches/CVE-2021-28211.patch: catch 4GB+ uncompressed
      buffer sizes in
      MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c,
      MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h.
    - CVE-2021-28211

 -- Marc Deslauriers <email address hidden>  Mon, 12 Apr 2021 08:18:49 -0400

edk2 (0~20191122.bd85bf54-2ubuntu3.1) focal-security; urgency=medium

  * Fix integer overflow in DxeImageVerificationHandler. (CVE-2019-14562)
  * CryptoPkg/BaseCryptLib: fix NULL dereference. (CVE-2019-14584)

 -- dann frazier <email address hidden>  Tue, 15 Dec 2020 15:33:20 -0700

edk2 (0~20191122.bd85bf54-2ubuntu3) focal; urgency=medium

  * Actually install the new "ms" descriptor.

 -- dann frazier <email address hidden>  Sat, 11 Apr 2020 10:19:44 -0600

edk2 (0~20191122.bd85bf54-2ubuntu2) focal; urgency=medium

  * Bring back (and fix) the "ms" option and restore the behavior of the
    "secboot" option, which had changed when libvirt moved from built-in
    nvram configs to parsing external firmware descriptors. LP: #1864532.
    - Reintroduce OVMF_CODE.ms.fd symlink, but now it points to
      OVMF_CODE.secboot.fd instead of OVMF_CODE.fd, which enforces SMM.
    - Update firmware descriptor JSON files:
      + Update the existing secboot descriptor to use an empty variable
        store. This makes it Secure Boot-capable, but with Secure Boot
        initially disabled. Note that previously it used a store w/ keys
        pre-enrolled, without advertising that feature.
      + Add a new "ms" descriptor which has keys pre-enrolled, has Secure
        Boot enabled, and advertises the "enrolled-keys" feature.
      + Provide more details in "description" fields.
    - README.Debian: Improve the use-case description for each image.

 -- dann frazier <email address hidden>  Fri, 03 Apr 2020 07:47:19 -0600

edk2 (0~20191122.bd85bf54-2ubuntu1) focal; urgency=medium

  * Fix numeric truncation in S3BootScript[Save]*() API. (CVE-2019-14563)
  * Fix use-after-free in PcdHiiOsRuntimeSupport. (CVE-2019-14586)
  * Clear memory before free to avoid potential password leak.
    (CVE-2019-14558)
  * Fix double-unmap in SdMmcCreateTrb(). This did not impact any
    of the images built from this package. (CVE-2019-14587)
  * Fix memory leak in ArpOnFrameRcvdDpc(). (CVE-2019-14559)
  * Fix issue that could allow an efi image with a blacklisted hash in the
    dbx to be loaded. (CVE-2019-14575)
  * Fix a memory leak in the ARP handler. (CVE-2019-14559)

 -- dann frazier <email address hidden>  Mon, 16 Mar 2020 10:56:00 -0600

edk2 (0~20191122.bd85bf54-2) unstable; urgency=medium

  * Bump debhelper compatibility level to 12.
  * Provide an OVMF_VARS.snakeoil.fd image and matching private key for
    development testing. LP: #1850848.
  * Drop OVMF_CODE.ms.fd symlink. LP: #1864535.

 -- dann frazier <email address hidden>  Thu, 27 Feb 2020 07:23:16 -0700

edk2 (0~20191122.bd85bf54-1ubuntu1) focal; urgency=medium

  [ dann frazier <email address hidden> ]
  * Provide an OVMF_VARS.snakeoil.fd image and matching private key for
    development testing. LP: #1850848.

 -- Dimitri John Ledkov <email address hidden>  Mon, 13 Jan 2020 14:19:34 +0000

edk2 (0~20191122.bd85bf54-1) unstable; urgency=medium

  * New upstream release, based on edk2-stable201911 tag.
  * Drop patches merged upstream:
    - BaseTools-Fix-the-lib-order-in-static_library_files..patch
    - 0001-MdePkg-Include-Protocol-Tls.h-Add-the-data-type-of-E.patch
    - 0002-CryptoPkg-TlsLib-Add-the-new-API-TlsSetVerifyHost-CV.patch
    - 0003-CryptoPkg-Crt-turn-strchr-into-a-function-CVE-2019-1.patch
    - 0004-CryptoPkg-Crt-satisfy-inet_pton.c-dependencies-CVE-2.patch
    - 0005-CryptoPkg-Crt-import-inet_pton.c-CVE-2019-14553.patch
    - 0006-CryptoPkg-TlsLib-TlsSetVerifyHost-parse-IP-address-l.patch
    - 0007-NetworkPkg-TlsDxe-Add-the-support-of-host-validation.patch
    - 0008-NetworkPkg-HttpDxe-Set-the-HostName-for-the-verifica.patch
  * Compile the liblto plugins for ARM & AARCH64, allowing us to
    move our toolchain config from GCC49 to GCC5. Move to GCC5.

 -- dann frazier <email address hidden>  Sun, 08 Dec 2019 09:16:40 -0700

edk2 (0~20190828.37eef910-4) unstable; urgency=medium

  * Support server identity validation in HTTPS Boot (CVE-2019-14553).
    Closes: #941775.

 -- dann frazier <email address hidden>  Mon, 11 Nov 2019 19:37:52 +0100

edk2 (0~20190828.37eef910-3) unstable; urgency=medium

  * Don't require an SMM for the OVMF.fd image. Closes: #939928.

 -- dann frazier <email address hidden>  Tue, 01 Oct 2019 11:23:42 -0600

edk2 (0~20190606.20d2e5a1-2ubuntu1) eoan; urgency=medium

  * d/p/ovmf-vars-generator-ignore-qemu-warnings.patch: Avoid build
    hang resulting from unexpected QEMU warnings in output while
    enrolling keys.

 -- dann frazier <email address hidden>  Thu, 01 Aug 2019 22:53:39 +0000