[Git][security-tracker-team/security-tracker][master] 2 commits: Update fixing commits and links to patches for edk2 issues.
Markus Koschany (@apo)
apo at debian.org
Mon Jun 2 13:44:09 BST 2025
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dc81494f by Markus Koschany at 2025-06-02T14:41:18+02:00
Update fixing commits and links to patches for edk2 issues.
- - - - -
91b16762 by Markus Koschany at 2025-06-02T14:41:20+02:00
edk2: Mark current no-dsa CVE in bookworm postponed in bullseye
Wait for the maintainer if he wants to address those problems first in
bookworm. Should another batch of CVEs appear in the future and those issues are
still not fixed, we could step in and offer help. At the moment this is not
critical.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -17434,6 +17434,7 @@ CVE-2024-43046 (There may be information disclosure during memory re-allocation
CVE-2024-38797 (EDK2 contains a vulnerability in the HashPeImageByType(). A user may c ...)
- edk2 2025.02-8 (bug #1102519)
[bookworm] - edk2 <no-dsa> (Minor issue)
+ [bullseye] - edk2 <postponed> (Minor issue)
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
CVE-2024-33058 (Memory corruption while assigning memory from the source DDR memory(HL ...)
NOT-FOR-US: Qualcomm
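Review bot: the new `[bullseye] - edk2 <postponed> (Minor issue)` line carries the same reason text as the `[bookworm] - edk2 <no-dsa> (Minor issue)` line above it, so the entry itself does not record why bullseye is postponed while bookworm stays no-dsa. The rationale given in the commit message (waiting for the maintainer, fixing in a later batch) belongs in the reason field, for example `(Minor issue; fix along with a future batch)`, so the distinction survives outside the commit log.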
@@ -25495,6 +25496,7 @@ CVE-2025-2308 (A vulnerability, which was classified as critical, was found in H
CVE-2025-2295 (EDK2 contains a vulnerability in BIOS where a user may cause an Intege ...)
- edk2 2025.02-4 (bug #1100594)
[bookworm] - edk2 <no-dsa> (Minor issue)
+ [bullseye] - edk2 <postponed> (Minor issue)
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-8522-69fh-w74x
CVE-2025-2267 (The WP01 plugin for WordPress is vulnerable to Arbitrary File Download ...)
NOT-FOR-US: WordPress plugin
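Review bot: this hunk only adds the bullseye status line for CVE-2025-2295, although the commit title promises updated fixing commits and patch links; the single NOTE for this entry remains the GHSA advisory. If the upstream fixing commit is known, add it as a further NOTE here, as is done for the CVE-2022-36764 and CVE-2022-36763 entries later in this change.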
@@ -147957,7 +147959,7 @@ CVE-2021-4432 (A vulnerability was found in PCMan FTP Server 2.0.7. It has been
CVE-2023-45237 (EDK2's Network Package is susceptible to a predictable TCP Initial Seq ...)
- edk2 2024.05-1 (bug #1063727)
[bookworm] - edk2 <no-dsa> (Minor issue)
- [bullseye] - edk2 <no-dsa> (Minor issue)
+ [bullseye] - edk2 <postponed> (Minor issue)
[buster] - edk2 <no-dsa> (Minor issue)
NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
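Review bot: after this change the three suites disagree in an unusual direction: buster stays `<no-dsa>`, bullseye becomes `<postponed>`, and bookworm remains `<no-dsa>`, so the older bullseye release may get the fix before bookworm. That matches the commit message (waiting for the maintainer on bookworm), but with the reason text left as `(Minor issue)` on all three lines the difference is invisible in the tracker; consider stating the bookworm dependency in the bullseye reason field. The same applies to CVE-2023-45236 in the next hunk.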
@@ -147965,7 +147967,7 @@ CVE-2023-45237 (EDK2's Network Package is susceptible to a predictable TCP Initi
CVE-2023-45236 (EDK2's Network Package is susceptible to a predictable TCP Initial Seq ...)
- edk2 2024.05-1 (bug #1063726)
[bookworm] - edk2 <no-dsa> (Minor issue)
- [bullseye] - edk2 <no-dsa> (Minor issue)
+ [bullseye] - edk2 <postponed> (Minor issue)
[buster] - edk2 <no-dsa> (Minor issue)
NOTE: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/2
@@ -251548,6 +251550,7 @@ CVE-2022-36765 (EDK2 is susceptible to a vulnerability in the CreateHob() functi
[buster] - edk2 <no-dsa> (Minor issue)
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4166
+ NOTE: https://github.com/tianocore/edk2/issues/10299
CVE-2022-36764 (EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() fun ...)
- edk2 2023.11-5 (bug #1060408)
[bookworm] - edk2 2022.11-6+deb12u1
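Review bot: the NOTE added for CVE-2022-36765 points at a GitHub issue (`https://github.com/tianocore/edk2/issues/10299`), not at a fixing commit or patch, so it does not by itself identify what would have to be backported; the CVE-2022-36764 and CVE-2022-36763 entries below link the pull request instead. If the fix for this CVE is a known commit or PR, a NOTE with that link would match the commit title ("fixing commits and links to patches") better than the issue alone.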
@@ -251555,6 +251558,7 @@ CVE-2022-36764 (EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage
[buster] - edk2 <no-dsa> (Minor issue)
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4118
+ NOTE: https://github.com/tianocore/edk2/pull/5264
CVE-2022-36763 (EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() fu ...)
- edk2 2023.11-5 (bug #1060408)
[bookworm] - edk2 2022.11-6+deb12u1
@@ -251562,6 +251566,7 @@ CVE-2022-36763 (EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTabl
[buster] - edk2 <no-dsa> (Minor issue)
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4117
+ NOTE: https://github.com/tianocore/edk2/pull/5264
CVE-2022-36762
RESERVED
CVE-2022-36761
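Review bot: CVE-2022-36764 and CVE-2022-36763 both now point at the same `https://github.com/tianocore/edk2/pull/5264`, so the NOTEs do not say which commit inside that pull request addresses which CVE, and a PR can carry several commits. Consider noting the individual fixing commit for each CVE next to the PR link so that anyone preparing a backport for bullseye or buster (both still `<no-dsa>` above) can pick the right change directly.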
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d7a1ebde0a2f09c654550851736009a5dcf306dd...91b16762cd16540a59086efdc23e20b369cbc6fd