Change logs for edk2 source package in Jammy

  • edk2 (2022.02-3ubuntu0.22.04.2) jammy; urgency=medium
    
      * Cherry-pick security fixes from upstream:
        - Fix heap buffer overflow in Tcg2MeasureGptTable(), CVE-2022-36763
          + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411.patch
          + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117.patch
          + 0003-SecurityPkg-Adding-CVE-2022-36763-to-SecurityFixes.y.patch
        - Fix heap buffer overflow in Tcg2MeasurePeImage(), CVE-2022-36764
          + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-2.patch
          + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4118.patch
          + 0003-SecurityPkg-Adding-CVE-2022-36764-to-SecurityFixes.y.patch
        - Fix build failure due to symbol collision in above patches:
          + 0001-SecurityPkg-DxeTpm2MeasureBootLib-SECURITY-PATCH-411-3.patch
          + 0002-SecurityPkg-DxeTpmMeasureBootLib-SECURITY-PATCH-4117-2.patch
          + 0003-SecurityPkg-Updating-SecurityFixes.yaml-after-symbol.patch
        - Fix integer overflow in CreateHob(), CVE-2022-36765
          + 0001-UefiPayloadPkg-Hob-Integer-Overflow-in-CreateHob.patch
        - Fix a buffer overflow via a long server ID option in DHCPv6
          client, CVE-2023-45230:
          + 0001-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Pa.patch
          + 0002-NetworkPkg-Add-Unit-tests-to-CI-and-create-Host-Test.patch
          + 0003-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45230-Un.patch
        - Fix an out-of-bounds read vulnerability when processing the IA_NA
          or IA_TA option in a DHCPv6 Advertise message, CVE-2023-45229:
          + 0004-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Pa.patch
          + 0005-NetworkPkg-Dhcp6Dxe-SECURITY-PATCH-CVE-2023-45229-Un.patch
        - Fix an out-of-bounds read when processing Neighbor Discovery
          Redirect messages, CVE-2023-45231:
          + 0006-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Patc.patch
          + 0007-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45231-Unit.patch
        - Avoid an infinite loop when parsing unknown options in the
          Destination Options header of IPv6, CVE-2023-45232:
          + 0008-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Patc.patch
          + 0009-NetworkPkg-Ip6Dxe-SECURITY-PATCH-CVE-2023-45232-Unit.patch
        - Avoid an infinite loop when parsing a PadN option in the
          Destination Options header of IPv6, CVE-2023-45233:
          + 0010-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
          + 0011-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
        - Fix a potential buffer overflow when processing a DNS Servers
          option from a DHCPv6 Advertise message, CVE-2023-45234:
          + 0013-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
        - Fix a potential buffer overflow when handling a Server ID option
          from a DHCPv6 proxy Advertise message, CVE-2023-45235:
          + 0014-NetworkPkg-UefiPxeBcDxe-SECURITY-PATCH-CVE-2023-4523.patch
        - Record fixes in a SecurityFix.yaml file:
          + 0015-NetworkPkg-Adds-a-SecurityFix.yaml-file.patch
      * Disable the built-in Shell when SecureBoot is enabled, CVE-2023-48733.
        Thanks to Mate Kukri. LP: #2040137.
        - Backport support for IsSecureBootEnabled():
          + 0001-SecurityPkg-SecureBootVariableLib-Added-newly-suppor.patch
        - Disable the built-in Shell when SecureBoot is enabled:
          + Disable-the-Shell-when-SecureBoot-is-enabled.patch
        - d/tests: Drop the boot-to-shell tests for images w/ Secure Boot active.
        - d/tests: Update run_cmd_check_secure_boot() to not expect shell
          interaction.
    
     -- dann frazier <email address hidden>  Mon, 12 Feb 2024 13:19:59 -0700
  • edk2 (2022.02-3ubuntu0.22.04.1) jammy; urgency=medium
    
      * Enroll snakeoil keys w/ EnrollDefaultKeys.efi --no-default, fixing
        a regression introduced with the transition to edk2-vars-generator.py.
        LP: #1986692.
      * autopkgtest: Add regression tests for snakeoil images.
    
     -- dann frazier <email address hidden>  Mon, 12 Sep 2022 21:05:26 -0600
  • edk2 (2022.02-3) unstable; urgency=medium
    
      * Fix NVMe controller support in QEMU (Closes: #1007793).
        - d/p/0001-MdeModulePkg-NvmExpressDxe-fix-check-for-Cap.Css.patch
        - d/p/0002-MdeModulePkg-NvmExpressPei-fix-check-for-NVM-command.patch
        Thanks to Mara Sophie Grosch!
    
     -- dann frazier <email address hidden>  Mon, 28 Mar 2022 14:59:17 -0600
  • edk2 (2022.02-2) unstable; urgency=medium
    
      * Fix TPM support which regressed due to an upstream build flag rename.
        (Closes: #1006842)
    
     -- dann frazier <email address hidden>  Tue, 08 Mar 2022 07:43:32 -0700
  • edk2 (2022.02-1) unstable; urgency=medium
    
      * New upstream release, based on edk2-stable202202 tag.
      * Drop patch merged upstream:
        - 0001-OvmfPkg-FvbServicesSmm-use-the-VmgExitLibNull.patch
      * qemu-efi-arm: Build with non-hard-float ARM compiler, allowing
        us to stop carrying debian/patches/ftbfs-gcc-11.patch.
    
     -- dann frazier <email address hidden>  Fri, 25 Feb 2022 12:12:36 -0700
  • edk2 (2022.02~rc1-1ubuntu1) jammy; urgency=medium
    
      * qemu-efi-arm: Build with non-hard-float ARM compiler, allowing
        us to stop carrying debian/patches/ftbfs-gcc-11.patch.
    
     -- dann frazier <email address hidden>  Thu, 24 Feb 2022 13:14:21 -0700
  • edk2 (2022.02~rc1-1) unstable; urgency=medium
    
      * New upstream release, based on edk2-stable202202-rc1 tag.
      * d/p/0001-OvmfPkg-FvbServicesSmm-use-the-VmgExitLibNull.patch:
        Fix regression causing OVMF builds w/ SMM to crash.
    
     -- dann frazier <email address hidden>  Tue, 15 Feb 2022 09:20:52 -0700
  • edk2 (2021.11-2) unstable; urgency=medium
    
      * Set NETWORK_IP6_ENABLE to support IPv6 PXE. (Closes: #1004147)
      * Move descriptions for OVMF32 images to ovmf-ia32's README.Debian.
      * qemu-efi-*: Add README.Debian files with image descriptions.
    
     -- dann frazier <email address hidden>  Fri, 04 Feb 2022 17:23:13 -0700
  • edk2 (2021.11-1) unstable; urgency=medium
    
      * New upstream release, based on edk2-stable202111 tag.
      * d/find-binaries.py: Clean up pyflake issues
      * Inclusivity cleanup:
        - Rename d/binary-check.blacklist -> d/binary-check.remove
        - Rename d/binary-check.whitelist -> d/binary-check.allow
    
     -- dann frazier <email address hidden>  Wed, 01 Dec 2021 18:30:09 -0700
  • edk2 (2021.11~rc1-1) unstable; urgency=medium
    
      * New upstream release, based on edk2-stable202111-rc1 tag.
        - d/binary-check.blacklist: Update ResetVector file list to match
          upstream.
      * d/rules: Use shallow clones to save time when initializing submodules.
    
     -- dann frazier <email address hidden>  Mon, 15 Nov 2021 15:03:21 -0700
  • edk2 (2021.08-3) unstable; urgency=medium
    
      * d/p/ftbfs-gcc-11.patch: Resurrect, since gcc-11 has changed defaults
        again. Use -march=armv7-a+fp instead of -march=armv7-a to fix FTBFS.
        (Closes: #997200)
    
     -- dann frazier <email address hidden>  Mon, 25 Oct 2021 10:49:28 -0600
  • edk2 (2021.08-2) unstable; urgency=medium
    
      * README.Debian: Document OVMF.fd image.
      * autopkgtest: Only run AAVMF Secure Boot test on distributions that
        derive from Ubuntu. Debian's shim-signed on arm64 is currently, in
        fact, not signed (see #992073). (Closes: #995656)
    
     -- dann frazier <email address hidden>  Fri, 08 Oct 2021 14:49:45 -0600
  • edk2 (2021.08~rc0-2) experimental; urgency=medium
    
      * d/p/ftbfs-gcc-11.patch: Use -march=armv7-a+fp instead of -march=armv7-a
        to fix FTBFS w/ the new gcc-11 defaults. (Closes: #992100)
    
     -- dann frazier <email address hidden>  Wed, 11 Aug 2021 11:24:42 -0600