There are 9 open security issues in buster.
3 important issues:
- CVE-2021-38576:
A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.
- CVE-2021-38577:
Heap Overflow in BaseBmpSupportLib.
- CVE-2021-38578:
Existing CommBuffer checks in SmmEntryPoint will not catch underflow when computing BufferSize.
6 issues left for the package maintainer to handle:
- CVE-2019-11098:
(needs triaging)
Insufficient input validation in MdeModulePkg in EDKII may allow an unauthenticated user to potentially enable escalation of privilege, denial of service and/or information disclosure via physical access.
- CVE-2019-14560:
(needs triaging)
- CVE-2021-28210:
(needs triaging)
An unlimited recursion in DxeCore in EDK II.
- CVE-2021-28211:
(needs triaging)
A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.
- CVE-2021-28216:
(needs triaging)
BootPerformanceTable pointer is read from an NVRAM variable in PEI. Recommend setting PcdFirmwarePerformanceDataTableS3Support to FALSE.
- CVE-2021-38575:
(needs triaging)
NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
You can find information about how to handle these issues in the security team's documentation.