[ubuntu/resolute-proposed] edk2 2025.11-3ubuntu3 (Accepted)
Mate Kukri
mate.kukri at canonical.com
Mon Feb 16 13:49:19 UTC 2026
edk2 (2025.11-3ubuntu3) resolute; urgency=medium

  * Merge with Debian latest (LP: #2126016). Remaining changes:
    - SECURITY UPDATE: Out-of-bounds read in HTTP client no_proxy handling
      - debian/patches/CVE-2025-9232.patch: add missing terminating NUL byte
        in CryptoPkg/Library/OpensslLib/openssl/crypto/http/http_lib.c.
      - CVE-2025-9232
  * Dropped:
    - Add firmware for AMD SEV
      - d/rules: Build OVMF.amdsev.fd (LP #2106771)
      - d/descriptors: Add amd-sev JSON
      - d/ovmf.README.Debian: Mention OVMF.amdsev.fd firmware
    - Add firmware for Intel TDX with secure boot capability (LP #2125123)
      - d/rules : Build OVMF.tdx.fd and OVMF.tdx.secboot.fd
      - d/control : add deps on jq and python3-virt-firmware for keys
        import in OVMF.tdx.secboot.fd
      - d/descriptors : add Tdx firmware json files
      - d/ovmf.README.Debian : add doc for OVMF.tdx.*.fd
    - SECURITY UPDATE: Timing side-channel in ECDSA signature computation
      - debian/patches/CVE-2024-13176.patch: fix timing side-channel in
        CryptoPkg/Library/OpensslLib/openssl/crypto/bn/bn_exp.c,
        CryptoPkg/Library/OpensslLib/openssl/crypto/ec/ec_lib.c,
        CryptoPkg/Library/OpensslLib/openssl/include/crypto/bn.h.
      - CVE-2024-13176
    - SECURITY UPDATE: DoS via integer overflow
      - debian/patches/CVE-2024-38805.patch: fix for out of bound memory
        access in NetworkPkg/IScsiDxe/IScsiProto.c.
      - CVE-2024-38805
    - SECURITY UPDATE: code execution via IDT register
      - debian/patches/CVE-2025-3770.patch: safe handling of IDT register on
        SMM entry in UefiCpuPkg/PiSmmCpuDxeSmm/X64/SmiEntry.nasm.
      - CVE-2025-3770
  * Unreleased changes from Debian:
    + d/control: Add missing separator, thanks lintian.
    + d/p/no-stack-protector-all-archs.diff: Drop. This patch was
      added over 10 years ago for ARM and has been cargo-culted ever
      since. It's not clear what it fixed, or if it is still necessary.
      Let's find out.
    + d/p/x64-baseline-abi.patch: Refresh.
    + d/control, d/rules: Add ovmf-legacy package, shipping an OVMF.legacy.fd
      firmware that enables deprecated features such as PVSCSI (LP: #2129178)
    + d/tests: Add test-case for PVSCSI, using ovmf-legacy
    + d/rules: Declare AMDSEV variant flags at the top like others
    + d/rules: Use OVMF_4M_COMMON_FLAGS instead of OVMF_COMMON_FLAGS for OVMF_4M_NO_SECBOOT_FLAGS
    + d/rules: Add NO_STRICTNX_COMMON_FLAGS to OVMF legacy target as well
    + d/rules: Drop unused OVMF32 flags
  * New Ubuntu changes:
    + Do not build loongarch64 target
    + Enable NX in all Secure Boot variants and drop strictnx variant
    + d/python: flush the data after shutil.copyfileobj() calls

Date: Mon, 16 Feb 2026 13:46:23 +0000
Changed-By: Mate Kukri <mate.kukri at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/+source/edk2/2025.11-3ubuntu3
-------------- next part --------------
Format: 1.8
Date: Mon, 16 Feb 2026 13:46:23 +0000
Source: edk2
Built-For-Profiles: noudeb
Architecture: source
Version: 2025.11-3ubuntu3
Distribution: resolute
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Mate Kukri <mate.kukri at canonical.com>
Launchpad-Bugs-Fixed: 2126016 2129178
Checksums-Sha1:
ee7a20458bdf9fff1a5ae989aa23deceb367ade4 3651 edk2_2025.11-3ubuntu3.dsc
b9634e6f473cdb97c866811c7db6bdb0da55aa78 69652 edk2_2025.11-3ubuntu3.debian.tar.xz
32fbc14b3260812bd8fca9999dcdafad9c0eb88d 6785 edk2_2025.11-3ubuntu3_source.buildinfo
Checksums-Sha256:
103c9be4535efe8e85b95eafd237a3a641f77c37d7cead7bb7b3848d4fc719f4 3651 edk2_2025.11-3ubuntu3.dsc
b812ffdea914196f0c39427da0e7f604c4816c961d6df293e284162f65aaf0ac 69652 edk2_2025.11-3ubuntu3.debian.tar.xz
1d7cdf1194b83f982eaee269ce4d795a41f601df67ac9a0b960f44ded5659953 6785 edk2_2025.11-3ubuntu3_source.buildinfo
Files:
eb80bb37eb32a130069a6241a79f10d2 3651 misc optional edk2_2025.11-3ubuntu3.dsc
2a6eb108f3f37ae4ee22f5e352baf23d 69652 misc optional edk2_2025.11-3ubuntu3.debian.tar.xz
8cc95787f1dabd74fae815ead950b089 6785 misc optional edk2_2025.11-3ubuntu3_source.buildinfo
Original-Maintainer: Debian QEMU Team <pkg-qemu-devel at lists.alioth.debian.org>