Debian Package Tracker
Register | Log in
Subscribe

edk2

Choose email to subscribe with

general
  • source: edk2 (main)
  • version: 2025.02-8
  • maintainer: Debian QEMU Team (archive) (DMD)
  • uploaders: dann frazier [DMD]
  • arch: all
  • std-ver: 4.5.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 0~20181115.85588389-3+deb10u3
  • o-o-sec: 0~20181115.85588389-3+deb10u4
  • oldstable: 2020.11-2+deb11u2
  • old-sec: 2020.11-2+deb11u2
  • stable: 2022.11-6+deb12u2
  • stable-sec: 2022.11-6+deb12u1
  • testing: 2025.02-6
  • unstable: 2025.02-8
versioned links
  • 0~20181115.85588389-3+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 0~20181115.85588389-3+deb10u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2020.11-2+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2022.11-6+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2022.11-6+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2025.02-6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2025.02-8: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • efi-shell-aa64
  • efi-shell-arm
  • efi-shell-ia32
  • efi-shell-loongarch64
  • efi-shell-riscv64
  • efi-shell-x64
  • ovmf (6 bugs: 0, 5, 1, 0)
  • ovmf-ia32 (1 bugs: 0, 1, 0, 0)
  • qemu-efi-aarch64 (1 bugs: 0, 1, 0, 0)
  • qemu-efi-arm
  • qemu-efi-loongarch64
  • qemu-efi-riscv64
action needed
20 security issues in bullseye high

There are 20 open security issues in bullseye.

3 important issues:
  • CVE-2025-2295: EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.
  • CVE-2024-38796: EDK2 contains a vulnerability in the PeCoffLoaderRelocateImage(). An Attacker may cause memory corruption due to an overflow via an adjacent network. A successful exploit of this vulnerability may lead to a loss of Confidentiality, Integrity, and/or Availability.
  • CVE-2024-38797: EDK2 contains a vulnerability in the HashPeImageByType(). A user may cause a read out of bounds when a corrupted data pointer and length are sent via an adjecent network. A successful exploit of this vulnerability may lead to a loss of Integrity and/or Availability.
17 issues postponed or untriaged:
  • CVE-2024-1298: (needs triaging) EDK2 contains a vulnerability when S3 sleep is activated where an Attacker may cause a Division-By-Zero due to a UNIT32 overflow via local access. A successful exploit of this vulnerability may lead to a loss of Availability.
  • CVE-2021-28216: (needs triaging) BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.
  • CVE-2021-38575: (needs triaging) NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
  • CVE-2021-38576: (needs triaging) A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.
  • CVE-2021-38578: (needs triaging) Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.
  • CVE-2022-36763: (needs triaging) EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
  • CVE-2022-36764: (needs triaging) EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
  • CVE-2022-36765: (needs triaging) EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
  • CVE-2023-45229: (needs triaging) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2023-45230: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
  • CVE-2023-45231: (needs triaging) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing  Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2023-45232: (needs triaging) EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
  • CVE-2023-45233: (needs triaging) EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
  • CVE-2023-45234: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
  • CVE-2023-45235: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
  • CVE-2023-45236: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2023-45237: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
Created: 2024-09-29 Last update: 2025-05-13 10:29
1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:
  • CVE-2024-38797: EDK2 contains a vulnerability in the HashPeImageByType(). A user may cause a read out of bounds when a corrupted data pointer and length are sent via an adjecent network. A successful exploit of this vulnerability may lead to a loss of Integrity and/or Availability.
Created: 2025-05-13 Last update: 2025-05-13 10:29
21 security issues in buster high

There are 21 open security issues in buster.

2 important issues:
  • CVE-2024-1298: EDK2 contains a vulnerability when S3 sleep is activated where an Attacker may cause a Division-By-Zero due to a UNIT32 overflow via local access. A successful exploit of this vulnerability may lead to a loss of Availability.
  • CVE-2023-48733: An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.
19 issues postponed or untriaged:
  • CVE-2019-11098: (needs triaging) Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
  • CVE-2021-28210: (needs triaging) An unlimited recursion in DxeCore in EDK II.
  • CVE-2021-28211: (needs triaging) A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.
  • CVE-2021-28216: (needs triaging) BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.
  • CVE-2021-38575: (needs triaging) NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
  • CVE-2021-38576: (needs triaging) A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.
  • CVE-2021-38578: (needs triaging) Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.
  • CVE-2022-36763: (needs triaging) EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
  • CVE-2022-36764: (needs triaging) EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
  • CVE-2022-36765: (needs triaging) EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.
  • CVE-2023-45229: (needs triaging) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2023-45230: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
  • CVE-2023-45231: (needs triaging) EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing  Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2023-45232: (needs triaging) EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
  • CVE-2023-45233: (needs triaging) EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
  • CVE-2023-45234: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
  • CVE-2023-45235: (needs triaging) EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability.
  • CVE-2023-45236: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2023-45237: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
Created: 2024-01-10 Last update: 2024-06-29 13:15
Does not build reproducibly during testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2024-11-29 Last update: 2025-05-30 07:02
2 bugs tagged patch in the BTS normal
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2025-01-06 Last update: 2025-05-30 07:00
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 2025.02-9, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit 0f31a058150e16d9f51d0fb1d5a9b7773d635612
Author: dann frazier <dannf@debian.org>
Date:   Thu May 15 12:36:38 2025 -0600

    Fix out-of-bounds memory access in NetworkPkg/IScsiDxe, CVE-2024-38805.
    
    * Fix out-of-bounds memory access in NetworkPkg/IScsiDxe, CVE-2024-38805.
      - d/p/0001-NetworkPkg-IScsiDxe-Fix-for-out-of-bound-memory-acce.patch

commit 3ca405c30eb9a9b4499221cbbec49d066c80db0c
Author: dann frazier <dannf@debian.org>
Date:   Thu May 15 12:32:11 2025 -0600

    Cherry-pick openssl fix for timing side-channel in ECDSA signature computation, CVE-2024-13176.
    
    * Cherry-pick openssl fix for timing side-channel in ECDSA signature
      computation, CVE-2024-13176.
      - d/p/0001-Fix-timing-side-channel-in-ECDSA-signature-computati.patch
Created: 2025-05-16 Last update: 2025-05-28 07:32
lintian reports 14 warnings normal
Lintian reports 14 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2025-05-13 Last update: 2025-05-13 16:02
Multiarch hinter reports 6 issue(s) low
There are issues with the multiarch metadata for this package.
  • efi-shell-aa64 could be marked Multi-Arch: foreign
  • efi-shell-arm could be marked Multi-Arch: foreign
  • efi-shell-ia32 could be marked Multi-Arch: foreign
  • efi-shell-loongarch64 could be marked Multi-Arch: foreign
  • efi-shell-riscv64 could be marked Multi-Arch: foreign
  • efi-shell-x64 could be marked Multi-Arch: foreign
Created: 2023-07-26 Last update: 2025-05-30 07:03
debian/patches: 3 patches to forward upstream low

Among the 11 debian patches available in version 2025.02-8 of the package, we noticed the following issues:

  • 3 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-05-13 17:33
4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:
  • CVE-2025-2295: (needs triaging) EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.
  • CVE-2023-45236: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2023-45237: (needs triaging) EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.
  • CVE-2024-38797: (needs triaging) EDK2 contains a vulnerability in the HashPeImageByType(). A user may cause a read out of bounds when a corrupted data pointer and length are sent via an adjecent network. A successful exploit of this vulnerability may lead to a loss of Integrity and/or Availability.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-10 Last update: 2025-05-13 10:29
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.5.0).
Created: 2020-11-17 Last update: 2025-05-13 10:32
testing migrations
  • excuses:
    • Migration status for edk2 (2025.02-6 to 2025.02-8): Waiting for test results or another package, or too young (no action required now - check later)
    • Issues preventing migration:
    • ∙ ∙ Too young, only 17 of 20 days old
    • Additional info:
    • ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/e/edk2.html
    • ∙ ∙ autopkgtest for edk2/2025.02-8: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
    • ∙ ∙ Ignoring non-reproducibility on amd64 (not a regression) - info ♻
    • ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
    • ∙ ∙ not blocked: has successful autopkgtest
    • Not considered
news
[rss feed]
  • [2025-05-13] Accepted edk2 2025.02-8 (source) into unstable (dann frazier)
  • [2025-04-16] Accepted edk2 2025.02-7 (source) into unstable (dann frazier)
  • [2025-04-11] edk2 2025.02-6 MIGRATED to testing (Debian testing watch)
  • [2025-04-08] Accepted edk2 2025.02-6 (source) into unstable (dann frazier)
  • [2025-04-01] edk2 2025.02-5 MIGRATED to testing (Debian testing watch)
  • [2025-03-29] Accepted edk2 2025.02-5 (source) into unstable (dann frazier)
  • [2025-03-26] edk2 2025.02-4 MIGRATED to testing (Debian testing watch)
  • [2025-03-23] Accepted edk2 2025.02-4 (source) into unstable (dann frazier)
  • [2025-03-21] edk2 2025.02-3 MIGRATED to testing (Debian testing watch)
  • [2025-03-19] Accepted edk2 2025.02-3 (source) into unstable (dann frazier)
  • [2025-03-15] Accepted edk2 2025.02-2 (source) into unstable (dann frazier)
  • [2025-03-09] Accepted edk2 2022.11-6+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: dann frazier)
  • [2025-03-02] Accepted edk2 2025.02-1 (source) into unstable (dann frazier)
  • [2025-01-31] edk2 2024.11-5 MIGRATED to testing (Debian testing watch)
  • [2025-01-28] Accepted edk2 2024.11-5 (source) into unstable (dann frazier)
  • [2025-01-20] edk2 2024.11-4 MIGRATED to testing (Debian testing watch)
  • [2025-01-17] Accepted edk2 2024.11-4 (source) into unstable (dann frazier)
  • [2024-12-30] Accepted edk2 2024.11-3 (source all) into unstable (Debian FTP Masters) (signed by: dann frazier)
  • [2024-12-18] edk2 2024.11-2 MIGRATED to testing (Debian testing watch)
  • [2024-12-16] Accepted edk2 2024.11-2 (source) into unstable (dann frazier)
  • [2024-11-29] edk2 2024.11-1 MIGRATED to testing (Debian testing watch)
  • [2024-11-25] Accepted edk2 2024.11-1 (source) into unstable (dann frazier)
  • [2024-10-30] edk2 2024.08-4 MIGRATED to testing (Debian testing watch)
  • [2024-10-27] edk2 2024.08-3 MIGRATED to testing (Debian testing watch)
  • [2024-10-26] Accepted edk2 2024.08-4 (source) into unstable (dann frazier)
  • [2024-10-24] Accepted edk2 2024.08-3 (source) into unstable (dann frazier)
  • [2024-10-11] edk2 2024.08-2 MIGRATED to testing (Debian testing watch)
  • [2024-10-07] Accepted edk2 2024.08-2 (source) into unstable (dann frazier)
  • [2024-09-21] edk2 2024.08-1 MIGRATED to testing (Debian testing watch)
  • [2024-09-18] Accepted edk2 2024.08-1 (source) into unstable (dann frazier)
  • 1
  • 2
bugs [bug history graph]
  • all: 21
  • RC: 0
  • I&N: 10
  • M&W: 11
  • F&P: 0
  • patch: 2
links
  • homepage
  • lintian (0, 14)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2025.02-8
  • 11 bugs (1 patch)

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing