[ubuntu/resolute-proposed] edk2 2025.11-3ubuntu1 (Accepted)

Hector Cao hector.cao at canonical.com
Mon Feb 9 17:21:25 UTC 2026


edk2 (2025.11-3ubuntu1) resolute; urgency=medium

  * Merge with Debian latest (LP: #2126016). Remaining changes:
    - SECURITY UPDATE: Out-of-bounds read in HTTP client no_proxy handling
      - debian/patches/CVE-2025-9232.patch: add missing terminating NUL byte
        in CryptoPkg/Library/OpensslLib/openssl/crypto/http/http_lib.c.
      - CVE-2025-9232
  * Dropped:
    - Add firmware for AMD SEV
      - d/rules: Build OVMF.amdsev.fd (LP #2106771)
      - d/descriptors: Add amd-sev JSON
      - d/ovmf.README.Debian: Mention OVMF.amdsev.fd firmware
    - Add firmware for Intel TDX with secure boot capability (LP #2125123)
      - d/rules : Build OVMF.tdx.fd and OVMF.tdx.secboot.fd
      - d/control : add deps on jq and python3-virt-firmware for keys
        import in OVMF.tdx.secboot.fd
      - d/descriptors : add Tdx firmware json files
      - d/ovmf.README.Debian : add doc for OVMF.tdx.*.fd
    - SECURITY UPDATE: Timing side-channel in ECDSA signature computation
      - debian/patches/CVE-2024-13176.patch: fix timing side-channel in
        CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c,
        CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c,
        CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h.
      - CVE-2024-13176
    - SECURITY UPDATE: DoS via integer overflow
      - debian/patches/CVE-2024-38805.patch: fix for out of bound memory
        access in NetworkPkg/IScsiDxe/IScsiProto.c.
      - CVE-2024-38805
    - SECURITY UPDATE: code execution via IDT register
      - debian/patches/CVE-2025-3770.patch: safe handling of IDT register on
        SMM entry in UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm.
      - CVE-2025-3770
  * Unreleased changes from Debian:
    + d/control: Add missing separator, thanks lintian.
    + d/p/no-stack-protector-all-archs.diff: Drop. This patch was
      added over 10 years ago for ARM and has been cargo-culted ever
      since. It's not clear what it fixed, or if it is still necessary.
      Let's find out.
    + d/p/x64-baseline-abi.patch: Refresh.
    + d/control, d/rules: Add ovmf-legacy package, shipping an OVMF.legacy.fd
      firmware that enables deprecated features such as PVSCSI (LP: #2129178)
    + d/tests: Add test-case for PVSCSI, using ovmf-legacy
  * New Ubuntu changes:
    + Do not build loongarch64 target
    + Enable NX in all Secure Boot variants and drop strictnx variant

Date: Thu, 15 Jan 2026 00:13:30 +0100
Changed-By: Hector Cao <hector.cao at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Mate Kukri <mate.kukri at canonical.com>
https://launchpad.net/ubuntu/+source/edk2/2025.11-3ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 15 Jan 2026 00:13:30 +0100
Source: edk2
Built-For-Profiles: noudeb
Architecture: source
Version: 2025.11-3ubuntu1
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Hector Cao <hector.cao at canonical.com>
Launchpad-Bugs-Fixed: 2126016 2129178
Original-Maintainer: Debian QEMU Team <pkg-qemu-devel at lists.alioth.debian.org>

