edk2 (2022.02-3ubuntu0.22.04.2) jammy; urgency=medium

  * Cherry-pick security fixes from upstream:
    - Fix heap buffer overflow in Tcg2MeasureGptTable(), CVE-2022-36763
      + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
      + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
      + 0003-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
    - Fix heap buffer overflow in Tcg2MeasurePeImage(), CVE-2022-36764
      + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
      + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
      + 0003-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch
    - Fix build failure due to symbol collision in above patches:
      + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-3.patch
      + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117-2.patch
      + 0003-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
    - Fix integer overflow in CreateHob(), CVE-2022-36765
      + 0001-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch
    - Fix a buffer overflow via a long server ID option in DHCPv6
      client, CVE-2023-45230:
      + 0001-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
      + 0002-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
      + 0003-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
    - Fix an out-of-bounds read vulnerability when processing the IA_NA
      or IA_TA option in a DHCPv6 Advertise message, CVE-2023-45229:
      + 0004-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
      + 0005-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
    - Fix an out-of-bounds read when processing Neighbor Discovery
      Redirect messages, CVE-2023-45231:
      + 0006-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
      + 0007-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
    - Avoid an infinite loop when parsing unknown options in the
      Destination Options header of IPv6, CVE-2023-45232:
      + 0008-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
      + 0009-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
    - Avoid an infinite loop when parsing a PadN option in the
      Destination Options header of IPv6, CVE-2023-45233:
      + 0010-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
      + 0011-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
    - Fix a potential buffer overflow when processing a DNS Servers
      option from a DHCPv6 Advertise message, CVE-2023-45234:
      + 0013-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
    - Fix a potential buffer overflow when handling a Server ID option
      from a DHCPv6 proxy Advertise message, CVE-2023-45235:
      + 0014-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
    - Record fixes in a SecurityFix.yaml file:
      + 0015-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
  * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733.
    Thanks to Mate Kukri. LP: #2040137.
    - Backport support for IsSecureBootEnabled():
      + 0001-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch
    - Disable the built-in Shell when SecureBoot is enabled:
      + Disable-the-Shell-when-SecureBoot-is-enabled.patch
    - d/tests: Drop the boot-to-shell tests for images w/ Secure Boot active.
    - d/tests: Update run_cmd_check_secure_boot() to not expect shell
      interaction.

 -- dann frazier <email address hidden>  Mon, 12 Feb 2024 13:19:59 -0700

edk2 (2022.02-3ubuntu0.22.04.1) jammy; urgency=medium

  * Enroll snakeoil keys w/ EnrollDefaultKeys.efi --no-default, fixing
    a regression introduced with the transition to edk2-vars-generator.py.
    LP: #1986692.
  * autopkgtest: Add regression tests for snakeoil images.

 -- dann frazier <email address hidden>  Mon, 12 Sep 2022 21:05:26 -0600

edk2 (2022.02-3) unstable; urgency=medium

  * Fix NVMe controller support in QEMU (Closes: #1007793).
    - d/p/0001-MdeModulePkg-NvmExpressDxe-fix-check-for-Cap.Css.patch
    - d/p/0002-MdeModulePkg-NvmExpressPei-fix-check-for-NVM-command.patch
    Thanks to Mara Sophie Grosch!

 -- dann frazier <email address hidden>  Mon, 28 Mar 2022 14:59:17 -0600

edk2 (2022.02-2) unstable; urgency=medium

  * Fix TPM support which regressed due to an upstream build flag rename.
    (Closes: #1006842)

 -- dann frazier <email address hidden>  Tue, 08 Mar 2022 07:43:32 -0700

edk2 (2022.02-1) unstable; urgency=medium

  * New upstream release, based on edk2-stable202202 tag.
  * Drop patch merged upstream:
    - 0001-OvmfPkg-FvbServicesSmm-use-the-VmgExitLibNull.patch
  * qemu-efi-arm: Build with non-hard-float ARM compiler, allowing
    us to stop carrying debian/patches/ftbfs-gcc-11.patch.

 -- dann frazier <email address hidden>  Fri, 25 Feb 2022 12:12:36 -0700

edk2 (2022.02~rc1-1ubuntu1) jammy; urgency=medium

  * qemu-efi-arm: Build with non-hard-float ARM compiler, allowing
    us to stop carrying debian/patches/ftbfs-gcc-11.patch.

 -- dann frazier <email address hidden>  Thu, 24 Feb 2022 13:14:21 -0700

edk2 (2022.02~rc1-1) unstable; urgency=medium

  * New upstream release, based on edk2-stable202202-rc1 tag.
  * d/p/0001-OvmfPkg-FvbServicesSmm-use-the-VmgExitLibNull.patch:
    Fix regression causing OVMF builds w/ SMM to crash.

 -- dann frazier <email address hidden>  Tue, 15 Feb 2022 09:20:52 -0700

edk2 (2021.11-2) unstable; urgency=medium

  * Set NETWORK_IP6_ENABLE to support IPv6 PXE. (Closes: #1004147)
  * Move descriptions for OVMF32 images to ovmf-ia32's README.Debian.
  * qemu-efi-*: Add README.Debian files with image descriptions.

 -- dann frazier <email address hidden>  Fri, 04 Feb 2022 17:23:13 -0700

edk2 (2021.11-1) unstable; urgency=medium

  * New upstream release, based on edk2-stable202111 tag.
  * d/find-binaries.py: Cleanup pyflake issues
  * Inclusivity cleanup:
    - Rename d/binary-check.blacklist -> d/binary-check.remove
    - Rename d/binary-check.whitelist -> d/binary-check.allow

 -- dann frazier <email address hidden>  Wed, 01 Dec 2021 18:30:09 -0700

edk2 (2021.11~rc1-1) unstable; urgency=medium

  * New upstream release, based on edk2-stable202111-rc1 tag.
    - d/binary-check.blacklist: Update ResetVector file list to match
      upstream.
  * d/rules: Use shallow clones to save time when initializing submodules.

 -- dann frazier <email address hidden>  Mon, 15 Nov 2021 15:03:21 -0700

edk2 (2021.08-3) unstable; urgency=medium

  * d/p/ftbfs-gcc-11.patch: Resurrect, since gcc-11 has changed defaults
    again. Use -march=armv7-a+fp instead of -march=armv7-a to fix FTBFS.
    (Closes: #997200)

 -- dann frazier <email address hidden>  Mon, 25 Oct 2021 10:49:28 -0600

edk2 (2021.08-2) unstable; urgency=medium

  * README.Debian: Document OVMF.fd image.
  * autopkgtest: Only run AAVMF Secure Boot test on distributions that
    derive from Ubuntu. Debian's shim-signed on arm64 is currently, in
    fact, not signed (see #992073). (Closes: #995656)

 -- dann frazier <email address hidden>  Fri, 08 Oct 2021 14:49:45 -0600

edk2 (2021.08~rc0-2) experimental; urgency=medium

  * d/p/ftbfs-gcc-11.patch: Use -march=armv7-a+fp instead of -march=armv7-a
    to fix FTBFS w/ the new gcc-11 defaults. (Closes: #992100)

 -- dann frazier <email address hidden>  Wed, 11 Aug 2021 11:24:42 -0600