[ubuntu/questing-proposed] edk2 2025.02-8ubuntu3 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Wed Oct 8 16:00:50 UTC 2025
edk2 (2025.02-8ubuntu3) questing; urgency=medium

  * SECURITY UPDATE: Timing side-channel in ECDSA signature computation
    - debian/patches/CVE-2024-13176.patch: fix timing side-channel in
      CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c,
      CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c,
      CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h.
    - CVE-2024-13176
  * SECURITY UPDATE: DoS via integer overflow
    - debian/patches/CVE-2024-38805.patch: fix for out of bound memory
      access in NetworkPkg/IScsiDxe/IScsiProto.c.
    - CVE-2024-38805
  * SECURITY UPDATE: code execution via IDT register
    - debian/patches/CVE-2025-3770.patch: safe handling of IDT register on
      SMM entry in UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm.
    - CVE-2025-3770
  * SECURITY UPDATE: Out-of-bounds read in HTTP client no_proxy handling
    - debian/patches/CVE-2025-9232.patch: add missing terminating NUL byte
      in CryptoPkg/Library/OpensslLib/openssl/crypto/http/http_lib.c.
    - CVE-2025-9232

Date: Wed, 08 Oct 2025 09:44:23 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/edk2/2025.02-8ubuntu3
-------------- next part --------------
Format: 1.8
Date: Wed, 08 Oct 2025 09:44:23 -0400
Source: edk2
Built-For-Profiles: noudeb
Architecture: source
Version: 2025.02-8ubuntu3
Distribution: questing
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Original-Maintainer: Debian QEMU Team <pkg-qemu-devel at lists.alioth.debian.org>