Information on source package edk2

Available versions

Release	Version
jessie/non-free	0~20131112.2590861a-3
stretch	0~20161202.7bbe0b3e-1+deb9u2
buster	0~20181115.85588389-3+deb10u4
bullseye	2020.11-2+deb11u2
bookworm	2022.11-6+deb12u1
trixie	2024.08-4
sid	2024.08-4

Open issues

Bug	jessie	stretch	buster	bullseye	bookworm	trixie	sid	Description
CVE-2024-38796	vulnerable	vulnerable	vulnerable	vulnerable	vulnerable (no DSA)	fixed	fixed	EDK2 contains a vulnerability in the PeCoffLoaderRelocateImage(). An A ...
CVE-2024-1298	vulnerable	vulnerable	vulnerable (no DSA, postponed)	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	EDK2 contains a vulnerability when S3 sleep is activated where an Atta ...
CVE-2023-48733	vulnerable	vulnerable	fixed	fixed	fixed	fixed	fixed	An insecure default to allow UEFI Shell in EDK2 was left enabled in Ub ...
CVE-2023-45237	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable	vulnerable	EDK2's Network Package is susceptible to a predictable TCP Initial Seq ...
CVE-2023-45236	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable	vulnerable	EDK2's Network Package is susceptible to a predictable TCP Initial Seq ...
CVE-2023-45235	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...
CVE-2023-45234	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...
CVE-2023-45233	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2's Network Package is susceptible to an infinite lop vulnerability ...
CVE-2023-45232	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2's Network Package is susceptible to an infinite loop vulnerabilit ...
CVE-2023-45231	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2's Network Package is susceptible to an out-of-bounds read vulner ...
CVE-2023-45230	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2's Network Package is susceptible to a buffer overflow vulnerabili ...
CVE-2023-45229	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2's Network Package is susceptible to an out-of-bounds read vulner ...
CVE-2022-36765	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2 is susceptible to a vulnerability in the CreateHob() function, al ...
CVE-2022-36764	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() fun ...
CVE-2022-36763	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() fu ...
CVE-2021-38578	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	Existing CommBuffer checks in SmmEntryPoint will not catch underflow w ...
CVE-2021-38576	vulnerable	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	A BIOS bug in firmware for a particular PC model leaves the Platform a ...
CVE-2021-38575	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	NetworkPkg/IScsiDxe has remotely exploitable buffer overflows.
CVE-2021-28216	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	BootPerformanceTable pointer is read from an NVRAM variable in PEI. Re ...
CVE-2021-28213	vulnerable	vulnerable	vulnerable	fixed	fixed	fixed	fixed	Example EDK2 encrypted private key in the IpSecDxe.efi present potenti ...
CVE-2021-28211	vulnerable	fixed	vulnerable (no DSA)	fixed	fixed	fixed	fixed	A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.
CVE-2021-28210	vulnerable	fixed	vulnerable (no DSA)	fixed	fixed	fixed	fixed	An unlimited recursion in DxeCore in EDK II.
CVE-2019-14587	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Logic issue EDK II may allow an unauthenticated user to potentially en ...
CVE-2019-14586	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Use after free vulnerability in EDK II may allow an authenticated user ...
CVE-2019-14584	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Null pointer dereference in Tianocore EDK2 may allow an authenticated ...
CVE-2019-14575	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Logic issue in DxeImageVerificationHandler() for EDK II may allow an a ...
CVE-2019-14563	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Integer truncation in EDK II may allow an authenticated user to potent ...
CVE-2019-14562	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Integer overflow in DxeImageVerificationHandler() EDK II may allow an ...
CVE-2019-14559	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Uncontrolled resource consumption in EDK II may allow an unauthenticat ...
CVE-2019-14558	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Insufficient control flow management in BIOS firmware for 8th, 9th, 10 ...
CVE-2019-11098	vulnerable	vulnerable (no DSA)	vulnerable (no DSA)	fixed	fixed	fixed	fixed	Insufficient input validation in MdeModulePkg in EDKII may allow an un ...
CVE-2019-0161	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Stack overflow in XHCI for EDK II may allow an unauthenticated user to ...
CVE-2019-0160	vulnerable	vulnerable	fixed	fixed	fixed	fixed	fixed	Buffer overflow in system firmware for EDK II may allow unauthenticate ...
CVE-2018-12183	vulnerable	vulnerable (no DSA, ignored)	fixed	fixed	fixed	fixed	fixed	Stack overflow in DxeCore for EDK II may allow an unauthenticated user ...
CVE-2018-12181	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Stack overflow in corrupted bmp for EDK II may allow unprivileged user ...
CVE-2018-12180	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Buffer overflow in BlockIo service for EDK II may allow an unauthentic ...
CVE-2018-12178	vulnerable	fixed	fixed	fixed	fixed	fixed	fixed	Buffer overflow in network stack for EDK II may allow unprivileged use ...

Open unimportant issues

Bug	jessie	stretch	buster	bullseye	bookworm	trixie	sid	Description
CVE-2019-14553	vulnerable	vulnerable	vulnerable	fixed	fixed	fixed	fixed	Improper authentication in EDK II may allow a privileged user to poten ...
CVE-2018-12182	vulnerable	vulnerable	vulnerable	fixed	fixed	fixed	fixed	Insufficient memory write check in SMM service for EDK II may allow an ...
CVE-2018-12179	vulnerable	vulnerable	vulnerable	fixed	fixed	fixed	fixed	Improper configuration in system firmware for EDK II may allow unauthe ...
CVE-2014-4860	vulnerable	vulnerable	vulnerable	fixed	fixed	fixed	fixed	Multiple integer overflows in the Pre-EFI Initialization (PEI) boot ph ...
CVE-2014-4859	vulnerable	vulnerable	vulnerable	fixed	fixed	fixed	fixed	Integer overflow in the Drive Execution Environment (DXE) phase in the ...

Security announcements

DSA / DLA	Description
DLA-3852-1	edk2 - security update
DSA-5624-1	edk2 - security update
DLA-2645-1	edk2 - security update