edk2 - Debian Package Tracker

general

source: edk2 (main)
version: 2025.11-3
maintainer: Debian QEMU Team (archive) (DMD)
uploaders: dann frazier [DMD]
arch: all
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2020.11-2+deb11u2
o-o-sec: 2020.11-2+deb11u3
oldstable: 2022.11-6+deb12u2
old-sec: 2022.11-6+deb12u1
stable: 2025.02-8
testing: 2025.02-9
unstable: 2025.11-3

versioned links

2020.11-2+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2020.11-2+deb11u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2022.11-6+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2022.11-6+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.02-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.02-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2025.11-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

efi-shell-aa64
efi-shell-loongarch64
efi-shell-riscv64
efi-shell-x64
ovmf (6 bugs: 0, 5, 1, 0)
ovmf-amdsev
ovmf-generic
ovmf-inteltdx
qemu-efi-aarch64 (3 bugs: 1, 2, 0, 0)
qemu-efi-loongarch64
qemu-efi-riscv64

action needed

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2024-38798: EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality.

Created: 2025-12-09 Last update: 2026-01-10 13:00

9 security issues in bullseye high

There are 9 open security issues in bullseye.

3 important issues:

CVE-2025-2296: EDK2 contains a vulnerability in BIOS where an attacker may cause “ Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.
CVE-2024-13176: Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.
CVE-2024-38798: EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality.

6 issues postponed or untriaged:

CVE-2025-2295: (postponed; to be fixed through a stable update) EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.
CVE-2025-3770: (postponed; to be fixed through a stable update) EDK2 contains a vulnerability in BIOS where an attacker may cause “Protection Mechanism Failure” by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability.
CVE-2023-45236: (postponed; to be fixed through a stable update) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2023-45237: (postponed; to be fixed through a stable update) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2024-38797: (postponed; to be fixed through a stable update) EDK2 contains a vulnerability in the HashPeImageByType(). A user may cause a read out of bounds when a corrupted data pointer and length are sent via an adjecent network. A successful exploit of this vulnerability may lead to a loss of Integrity and/or Availability.
CVE-2024-38805: (postponed; to be fixed through a stable update) EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.

Created: 2025-12-09 Last update: 2026-01-10 13:00

lintian reports 1 error and 3 warnings high

Lintian reports 1 error and 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-01-09 Last update: 2026-01-09 12:30

21 security issues in buster high

There are 21 open security issues in buster.

2 important issues:

CVE-2024-1298: EDK2 contains a vulnerability when S3 sleep is activated where an Attacker may cause a Division-By-Zero due to a UNIT32 overflow via local access. A successful exploit of this vulnerability may lead to a loss of Availability.
CVE-2023-48733: An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.

19 issues postponed or untriaged:

CVE-2019-11098: (needs triaging) Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
CVE-2021-28210: (needs triaging) An unlimited recursion in DxeCore in EDK II.
CVE-2021-28211: (needs triaging) A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.
CVE-2021-28216: (needs triaging) BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.
CVE-2021-38575: (needs triaging) NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
CVE-2021-38576: (needs triaging) A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.
CVE-2021-38578: (needs triaging) Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.
CVE-2022-36763: (needs triaging) EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
CVE-2022-36764: (needs triaging) EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
CVE-2022-36765: (needs triaging) EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
CVE-2023-45229: (needs triaging) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2023-45230: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
CVE-2023-45231: (needs triaging) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2023-45232: (needs triaging) EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
CVE-2023-45233: (needs triaging) EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
CVE-2023-45234: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
CVE-2023-45235: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
CVE-2023-45236: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2023-45237: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

Created: 2024-01-10 Last update: 2024-06-29 13:15

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-01-22 Last update: 2026-02-02 09:30

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2026-02-02 09:00

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2025-06-03 Last update: 2026-02-02 06:02

5 open merge requests in Salsa normal

There are 5 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-09-23 Last update: 2026-01-26 04:00

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2025.11-4, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit d58c5fa00f09917ce0b4cc5f98cc129f1f18d356
Merge: bbd7412d bd7a4b5a
Author: dann frazier <dannf@debian.org>
Date:   Sat Jan 24 14:36:19 2026 -0600

    Merge remote-tracking branch 'slyon/pvscsi-legacy' into debian/latest

commit bd7a4b5a91e6b8b382da59497949d5c12cdfb2bf
Author: Lukas Märdian <slyon@ubuntu.com>
Date:   Wed Oct 22 15:03:07 2025 +0200

    changelog

commit a3be60cc93d5d7f19d49a4ece696d0c3a90b1dac
Author: Lukas Märdian <slyon@ubuntu.com>
Date:   Wed Jan 21 10:12:23 2026 +0100

    d/tests: Add test-case for PVSCSI, using ovmf-legacy

commit ce3557b02631f1d06ab9182abdc8fe8323ed6059
Author: Lukas Märdian <slyon@ubuntu.com>
Date:   Wed Dec 10 11:08:14 2025 +0100

    d/control, d/rules: Add ovmf-legacy package, shipping an OVMF.legacy.fd
    
    firmware that enables deprecated features such as PVSCSI (LP: #2129178)

commit bbd7412d09416d0b3a4f6b29bcde52daa5dc8fe2
Author: dann frazier <dannf@debian.org>
Date:   Thu Jan 8 16:46:54 2026 -0700

    d/p/x64-baseline-abi.patch: Refresh.
    
    Signed-off-by: dann frazier <dannf@debian.org>

commit 6129daf2c04b6ddb2332b4da8d704032eedec6e9
Author: dann frazier <dannf@debian.org>
Date:   Thu Jan 8 16:45:08 2026 -0700

    d/p/no-stack-protector-all-archs.diff: Drop
    
    This patch was added over 10 years ago for ARM and has been cargo-culted
    ever since. It's not clear what it fixed, or if it is still necessary.
    Let's find out.
    
    Signed-off-by: dann frazier <dannf@debian.org>

commit da03a4d04d53e6a74836c4390ac0f6caa96d9e37
Author: dann frazier <dannf@debian.org>
Date:   Thu Jan 8 16:38:38 2026 -0700

    Drop absolute symlink from future orig.tar.gz's
    
    Signed-off-by: dann frazier <dannf@debian.org>

commit 923eb11bfa912c74ee5ce210d00353c4846fbf07
Author: dann frazier <dannf@debian.org>
Date:   Thu Jan 8 16:20:05 2026 -0700

    d/control: Add missing separator, thanks lintian.

Created: 2026-01-26 Last update: 2026-01-26 04:00

Multiarch hinter reports 4 issue(s) low

There are issues with the multiarch metadata for this package.

efi-shell-aa64 could be marked Multi-Arch: foreign
efi-shell-loongarch64 could be marked Multi-Arch: foreign
efi-shell-riscv64 could be marked Multi-Arch: foreign
efi-shell-x64 could be marked Multi-Arch: foreign

Created: 2023-07-26 Last update: 2026-02-02 08:01

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2024-38798: (needs triaging) EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality.

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-12-09 Last update: 2026-01-10 13:00

9 low-priority security issues in bookworm low

There are 9 open security issues in bookworm.

9 issues left for the package maintainer to handle:

CVE-2025-2295: (needs triaging) EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.
CVE-2025-2296: (needs triaging) EDK2 contains a vulnerability in BIOS where an attacker may cause “ Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.
CVE-2025-3770: (needs triaging) EDK2 contains a vulnerability in BIOS where an attacker may cause “Protection Mechanism Failure” by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability.
CVE-2023-45236: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2023-45237: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
CVE-2024-13176: (needs triaging) Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.
CVE-2024-38797: (needs triaging) EDK2 contains a vulnerability in the HashPeImageByType(). A user may cause a read out of bounds when a corrupted data pointer and length are sent via an adjecent network. A successful exploit of this vulnerability may lead to a loss of Integrity and/or Availability.
CVE-2024-38798: (needs triaging) EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality.
CVE-2024-38805: (needs triaging) EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2026-01-10 13:00

debian/patches: 2 patches to forward upstream low

Among the 5 debian patches available in version 2025.11-3 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-01-09 08:32

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.5.0).

Created: 2020-11-17 Last update: 2026-01-09 06:30

testing migrations

This package will soon be part of the s390-31-bit-rm transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
excuses:
- Migration status for edk2 (2025.02-9 to 2025.11-3): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating edk2 would introduce bugs in testing: #1124168
- ∙ ∙ Autopkgtest for debvm/0.5.2: amd64: Pass, arm64: Regression ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻, ppc64el: Pass, riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Pass
- ∙ ∙ Autopkgtest for dracut/109-5: amd64: Pass ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻ (reference ♻), ppc64el: Pass ♻ (reference ♻), riscv64: No tests, superficial or marked flaky ♻ (reference ♻), s390x: Pass ♻ (reference ♻)
- ∙ ∙ Autopkgtest for edk2/2025.11-3: amd64: Pass, arm64: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for initramfs-tools/0.150: amd64: Pass, arm64: Regression ♻ (reference ♻), i386: No tests, superficial or marked flaky ♻, ppc64el: Pass, riscv64: No tests, superficial or marked flaky ♻, s390x: Pass
- ∙ ∙ Autopkgtest for ipxe/1.21.1+git-20250829.969ce2c55+dfsg-3: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Pass, ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- Additional info (not blocking):
- ∙ ∙ Updating edk2 will fix bugs in testing: #1119236
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/e/edk2.html
- ∙ ∙ Not reproducible on amd64 (not a regression): efi-shell-aa64, qemu-efi-aarch64
- ∙ ∙ Not reproducible on arm64 (not a regression): efi-shell-aa64, qemu-efi-aarch64
- ∙ ∙ Not reproducible on armhf (not a regression): efi-shell-aa64, qemu-efi-aarch64
- ∙ ∙ Not reproducible on i386 (not a regression): efi-shell-aa64, qemu-efi-aarch64
- ∙ ∙ Not reproducible on ppc64el (not a regression): efi-shell-aa64, qemu-efi-aarch64
- ∙ ∙ 24 days old (needed 5 days)
- Not considered

news

[rss feed]

[2026-01-08] Accepted edk2 2025.11-3 (source) into unstable (dann frazier)
[2026-01-04] Accepted edk2 2025.02-8+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: dann frazier)
[2026-01-03] Accepted edk2 2025.11-2 (source) into unstable (Michael Tokarev)
[2025-12-27] Accepted edk2 2025.11-1 (source all) into unstable (Debian FTP Masters) (signed by: dann frazier)
[2025-12-09] Accepted edk2 2025.08.01-6 (source) into unstable (dann frazier)
[2025-12-07] Accepted edk2 2025.08.01-5 (source) into unstable (dann frazier)
[2025-12-02] Accepted edk2 2025.08.01-4 (source) into unstable (Michael Tokarev)
[2025-12-01] Accepted edk2 2025.08.01-3 (source) into unstable (Michael Tokarev)
[2025-11-25] Accepted edk2 2025.08.01-2 (source) into unstable (Michael Tokarev)
[2025-11-12] Accepted edk2 2025.08.01-1 (source) into unstable (dann frazier)
[2025-11-08] Accepted edk2 2025.05-2 (source) into unstable (dann frazier)
[2025-11-03] Accepted edk2 2025.05-1 (source) into unstable (dann frazier)
[2025-09-27] Accepted edk2 2025.02-10 (source) into unstable (dann frazier)
[2025-09-07] edk2 2025.02-9 MIGRATED to testing (Debian testing watch)
[2025-09-01] Accepted edk2 2025.02-9 (source) into unstable (dann frazier)
[2025-06-05] Accepted edk2 2020.11-2+deb11u3 (source) into oldstable-security (Markus Koschany)
[2025-06-02] edk2 2025.02-8 MIGRATED to testing (Debian testing watch)
[2025-05-13] Accepted edk2 2025.02-8 (source) into unstable (dann frazier)
[2025-04-16] Accepted edk2 2025.02-7 (source) into unstable (dann frazier)
[2025-04-11] edk2 2025.02-6 MIGRATED to testing (Debian testing watch)
[2025-04-08] Accepted edk2 2025.02-6 (source) into unstable (dann frazier)
[2025-04-01] edk2 2025.02-5 MIGRATED to testing (Debian testing watch)
[2025-03-29] Accepted edk2 2025.02-5 (source) into unstable (dann frazier)
[2025-03-26] edk2 2025.02-4 MIGRATED to testing (Debian testing watch)
[2025-03-23] Accepted edk2 2025.02-4 (source) into unstable (dann frazier)
[2025-03-21] edk2 2025.02-3 MIGRATED to testing (Debian testing watch)
[2025-03-19] Accepted edk2 2025.02-3 (source) into unstable (dann frazier)
[2025-03-15] Accepted edk2 2025.02-2 (source) into unstable (dann frazier)
[2025-03-09] Accepted edk2 2022.11-6+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: dann frazier)
[2025-03-02] Accepted edk2 2025.02-1 (source) into unstable (dann frazier)

bugs [bug history graph]

all: 22
RC: 1
I&N: 11
M&W: 10
F&P: 0
patch: 2

links

homepage
lintian (1, 3)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2025.02-8ubuntu3
8 bugs (1 patch)