Fedora has issued an advisory on August 15: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQYVZRFEXSN3KS43AVH4D7QX553EZQYP/ The issues are fixed upstream in 20190501stable.
Component: RPM Packages => Security
QA Contact: (none) => security
That basically means syncing mga7's edk2 pkg with cauldron...
Status comment: (none) => Fixed upstream in 20190501stable
RedHat has issued an advisory today (April 28): https://access.redhat.com/errata/RHSA-2020:1712 It fixes CVE-2019-14563, which was fixed in 20190830. Upstream also shows CVE-2019-14553 being fixed in 20191202: https://github.com/tianocore/edk2/releases/tag/edk2-stable201911 The second issue only exists if compile time options HTTP_BOOT_ENABLE or TLS_ENABLE are enabled.
Status comment: Fixed upstream in 20190501stable => Fixed upstream in 20191202stable
Summary: edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01] => edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-14553, CVE-2019-14563
Ubuntu has issued an advisory on April 30: https://usn.ubuntu.com/4349-1/ This adds 5 more CVEs. It looks like the issues have been fixed upstream, but I'm not sure if all the fixes are in 202002.
Summary: edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-14553, CVE-2019-14563 => edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[67]
Whiteboard: (none) => MGA7TOO
Version: 7 => Cauldron
Fedora has issued an advisory for this on October 1: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A23OH3MXQU7WURSP4PC66EXMG6INYFH6/
Status comment: Fixed upstream in 20191202stable => Fixed upstream in 20200801stable
Cauldron updated by Thierry.
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Ubuntu has issued an advisory on January 7: https://ubuntu.com/security/notices/USN-4684-1 The two new issues are fixed upstream in stable202011 (November 27): https://github.com/tianocore/edk2/releases/tag/edk2-stable202011
Summary: edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[67] => edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[467], CVE-2019-14562
Version: 7 => Cauldron
Status comment: Fixed upstream in 20200801stable => Fixed upstream in 202011
Whiteboard: (none) => MGA7TOO
Freeze push asked for cauldron
CC: (none) => mageia
New version pushed in mga7: src: edk2-20201101stable-1.mga7
Package list for Mageia 7 update:
edk2-tools-20201101stable-1.mga7
edk2-tools-python-20201101stable-1.mga7
edk2-tools-doc-20201101stable-1.mga7
edk2-qosb-20201101stable-1.mga7
edk2-ovmf-20201101stable-1.mga7
edk2-ovmf-ia32-20201101stable-1.mga7
edk2-aarch64-20201101stable-1.mga7
edk2-arm-20201101stable-1.mga7
from edk2-20201101stable-1.mga7.src.rpm

The version tag is incorrect though. The date part should be defined with the macro variables, and for this update should be 27, not 01.

Also, why is it bundling openssl??? (SOURCE1)
I have not touched any of this, only updated the version :-) I don't understand what you mean about the version, as the latest version is: https://github.com/tianocore/edk2/releases/tag/edk2-stable202011
This is wrong:

%global edk2_stable_date 202011
Version: %{edk2_stable_date}01stable

The 01 should be 27. edk2-stable202011 was released on 20201127, not 20201101.
Oh yes, thank you :-)
Should be better on the next rpms.
Fixed on cauldron.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Date macros fixed in Cauldron SVN.

New package list:
edk2-tools-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-aarch64-20201127stable-1.mga7
edk2-arm-20201127stable-1.mga7
from edk2-20201127stable-1.mga7.src.rpm

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14562
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQYVZRFEXSN3KS43AVH4D7QX553EZQYP/
https://access.redhat.com/errata/RHSA-2020:1712
https://usn.ubuntu.com/4349-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A23OH3MXQU7WURSP4PC66EXMG6INYFH6/
https://ubuntu.com/security/notices/USN-4684-1
https://github.com/tianocore/edk2/releases
Status comment: Fixed upstream in 202011 => (none)
CC: (none) => thierry.vignaud
Assignee: thierry.vignaud => qa-bugs
Mageia 7

Installed all the packages on a 64-bit system then attempted to find out what it is all about. The documentation is pretty opaque but information on the web indicates that it may be a development kit and build system for UEFI system firmware. There is early mention of QEMU so the "e" may stand for emulation and the package names show that it covers a range of architectures. Definitely something QA is not qualified to run.

All the packages updated cleanly.

$ rpm -qa | grep edk2
edk2-aarch64-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-arm-20201127stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-tools-20201127stable-1.mga7

Looked at batches of a few sample files in /usr/share/doc. All had been updated to Nov 27. The License.txt files in /usr/share/licenses showed Nov 27.

Giving this an OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK
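The QA comment above verifies the update by eyeballing `rpm -qa` output against the package list in the bug. As an added example (not from the bug report, the Mageia QA process or the edk2 package), here is a POSIX sh script that does the same comparison mechanically: every NEVR in the advisory's package list must be installed exactly, a package present at some other version is reported as a mismatch rather than as missing, and each expected version must follow the `<YYYYMMDD>stable` scheme with a sane date, the scheme the earlier `20201101stable` vs `20201127stable` discussion was about. The installed listing embedded here is constructed to look like `rpm -qa` output and deliberately carries a stale edk2-arm entry; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Mageia bug or the edk2 package.
# Verifies an installed-package listing against an advisory package list.

# Packages the advisory lists for this update (from the bug above).
EXPECTED_PKGS='edk2-tools-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-aarch64-20201127stable-1.mga7
edk2-arm-20201127stable-1.mga7'

# Constructed sample of `rpm -qa` output. edk2-arm is deliberately left at
# the 20201101stable build so the mismatch path is exercised.
SAMPLE_INSTALLED='edk2-aarch64-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-arm-20201101stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-tools-20201127stable-1.mga7
kernel-desktop-5.10.8-1.mga7'

# version_date NEVR: print the YYYYMMDD part of a "<date>stable" version.
# Returns 1 when the version does not follow that scheme.
version_date() {
    d=$(printf '%s\n' "$1" | sed -n 's/^.*-\([0-9]\{8\}\)stable-[^-]*$/\1/p')
    [ -n "$d" ] || return 1
    printf '%s\n' "$d"
}

# valid_date YYYYMMDD: 0 when month is 01-12 and day is 01-31.
# Range check only; it does not know month lengths or leap years.
valid_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]0[1-9][0-3][0-9] | [0-9][0-9][0-9][0-9]1[0-2][0-3][0-9]) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *00 | *3[2-9]) return 1 ;;
    esac
    return 0
}

# check_update EXPECTED_LIST INSTALLED_LIST: print one line per problem
# (MISSING, MISMATCH or BADVERSION) and return the number of problems.
check_update() {
    expected=$1; installed=$2; problems=0
    for pkg in $expected; do
        if ! printf '%s\n' "$installed" | grep -qxF "$pkg"; then
            # Strip "-<version>-<release>" to get the package name, then look
            # for the same name at any other version/release.
            name=${pkg%-*-*}
            other=$(printf '%s\n' "$installed" | grep "^${name}-[^-]*-[^-]*$" || true)
            if [ -n "$other" ]; then
                echo "MISMATCH: want $pkg, have $other"
            else
                echo "MISSING: $pkg"
            fi
            problems=$((problems + 1))
            continue
        fi
        d=$(version_date "$pkg") && valid_date "$d" || {
            echo "BADVERSION: $pkg"
            problems=$((problems + 1))
        }
    done
    return $problems
}

# Demonstration on the constructed listing: reports the stale edk2-arm build.
check_update "$EXPECTED_PKGS" "$SAMPLE_INSTALLED" || echo "problems: $?"
```

On a real Mageia 7 box, replace `SAMPLE_INSTALLED` with `$(rpm -qa)` and paste the advisory's package list into `EXPECTED_PKGS`; a zero return means every listed package is installed at exactly the advisory's NEVR. The name extraction relies on the NEVR convention that neither the version nor the release contains a hyphen, which holds for the packages in this update.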
Validating.

Suggested advisory:
========================

The updated packages fix multiple security vulnerabilities.

Improper configuration in system firmware for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. (CVE-2018-12179)

Insufficient memory write check in SMM service for EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. (CVE-2018-12182)

Stack overflow in DxeCore for EDK II may allow an unauthenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via local access. (CVE-2018-12183)

Buffer overflow in system firmware for EDK II may allow an unauthenticated user to potentially enable escalation of privilege and/or denial of service via network access. (CVE-2019-0160)

Stack overflow in XHCI for EDK II may allow an unauthenticated user to potentially enable denial of service via local access. (CVE-2019-0161)

Improper authentication in EDK II may allow a privileged user to potentially enable information disclosure via network access. (CVE-2019-14553)

Insufficient control flow management in BIOS firmware for 8th, 9th, 10th Generation Intel(R) Core(TM), Intel(R) Celeron(R) Processor 4000 & 5000 Series Processors may allow an authenticated user to potentially enable denial of service via adjacent access. (CVE-2019-14558)

Uncontrolled resource consumption in EDK II may allow an unauthenticated user to potentially enable denial of service via network access. (CVE-2019-14559)

Integer truncation in EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2019-14563)

Logic issue in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable escalation of privilege via local access. (CVE-2019-14575)

EDK II incorrectly parsed signed PKCS #7 data. An attacker could use this issue to cause EDK II to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2019-14584)

Use after free vulnerability in EDK II may allow an authenticated user to potentially enable escalation of privilege, information disclosure and/or denial of service via adjacent access. (CVE-2019-14586)

Logic issue in EDK II may allow an unauthenticated user to potentially enable denial of service via adjacent access. (CVE-2019-14587)

Integer overflow in DxeImageVerificationHandler() for EDK II may allow an authenticated user to potentially enable denial of service via local access. (CVE-2019-14562)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12179
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0161
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14558
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14559
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14587
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14562
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/TQYVZRFEXSN3KS43AVH4D7QX553EZQYP/
https://access.redhat.com/errata/RHSA-2020:1712
https://usn.ubuntu.com/4349-1/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/A23OH3MXQU7WURSP4PC66EXMG6INYFH6/
https://ubuntu.com/security/notices/USN-4684-1
https://github.com/tianocore/edk2/releases
========================

Updated packages in core/updates_testing:
========================
edk2-tools-20201127stable-1.mga7
edk2-tools-python-20201127stable-1.mga7
edk2-tools-doc-20201127stable-1.mga7
edk2-qosb-20201127stable-1.mga7
edk2-ovmf-20201127stable-1.mga7
edk2-ovmf-ia32-20201127stable-1.mga7
edk2-aarch64-20201127stable-1.mga7
edk2-arm-20201127stable-1.mga7

from SRPM:
edk2-20201127stable-1.mga7.src.rpm

Advisory pushed to SVN.
CC: (none) => ouaurelien
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0035.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed CVE-2021-28210, CVE-2021-28211:
https://www.debian.org/lts/security/2021/dla-2645
https://ubuntu.com/security/notices/USN-4923-1
Summary: edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[467], CVE-2019-14562 => edk2 new security issues CVE-2018-12179, CVE-2018-1218[23], CVE-2019-016[01], CVE-2019-1455[389], CVE-2019-14563, CVE-2019-14575, CVE-2019-1458[467], CVE-2019-14562, CVE-2021-28210, CVE-2021-28211