VirtualBox

source: vbox/trunk/src/VBox/Devices/EFI/Firmware/NetworkPkg/SecurityFixes.yaml@ 106386

Last change on this file since 106386 was 105670, checked in by vboxsync, 7 months ago

Devices/EFI/FirmwareNew: Merge edk2-stable-202405 and make it build on aarch64, bugref:4643

  • Property svn:eol-style set to native
File size: 8.3 KB
## @file
# Security Fixes for NetworkPkg
#
# Copyright (c) Microsoft Corporation
# SPDX-License-Identifier: BSD-2-Clause-Patent
##
CVE_2023_45229:
  commit_titles:
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Related Patch"
  cve: CVE-2023-45229
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message"
  note:
  files_impacted:
    - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
    - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4534
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45229
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45230:
  commit_titles:
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests"
  cve: CVE-2023-45230
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option"
  note:
  files_impacted:
    - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
    - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4535
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45230
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45231:
  commit_titles:
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests"
  cve: CVE-2023-45231
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options"
  note:
  files_impacted:
    - NetworkPkg/Ip6Dxe/Ip6Option.c
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4536
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45231
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45232:
  commit_titles:
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
  cve: CVE-2023-45232
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header"
  note:
  files_impacted:
    - NetworkPkg/Ip6Dxe/Ip6Option.c
    - NetworkPkg/Ip6Dxe/Ip6Option.h
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4537
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45232
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45233:
  commit_titles:
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
  cve: CVE-2023-45233
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header"
  note: This was fixed along with CVE-2023-45232
  files_impacted:
    - NetworkPkg/Ip6Dxe/Ip6Option.c
    - NetworkPkg/Ip6Dxe/Ip6Option.h
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4538
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45233
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45234:
  commit_titles:
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests"
  cve: CVE-2023-45234
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message"
  note:
  files_impacted:
    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4539
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45234
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45235:
  commit_titles:
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch"
    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests"
  cve: CVE-2023-45235
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message"
  note:
  files_impacted:
    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4540
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45235
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45236:
  commit_titles:
    - "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236 Patch"
  cve: CVE-2023-45236
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 08 - edk2/NetworkPkg: Predictable TCP Initial Sequence Numbers"
  note:
  files_impacted:
    - NetworkPkg/Include/Library/NetLib.h
    - NetworkPkg/TcpDxe/TcpDriver.c
    - NetworkPkg/TcpDxe/TcpDxe.inf
    - NetworkPkg/TcpDxe/TcpFunc.h
    - NetworkPkg/TcpDxe/TcpInput.c
    - NetworkPkg/TcpDxe/TcpMain.h
    - NetworkPkg/TcpDxe/TcpMisc.c
    - NetworkPkg/TcpDxe/TcpTimer.c
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4541
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45236
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
CVE_2023_45237:
  commit_titles:
    - "NetworkPkg:: SECURITY PATCH CVE 2023-45237"
  cve: CVE-2023-45237
  date_reported: 2023-08-28 13:56 UTC
  description: "Bug 09 - Use of a Weak PseudoRandom Number Generator"
  note:
  files_impacted:
    - NetworkPkg/Dhcp4Dxe/Dhcp4Driver.c
    - NetworkPkg/Dhcp6Dxe/Dhcp6Driver.c
    - NetworkPkg/DnsDxe/DnsDhcp.c
    - NetworkPkg/DnsDxe/DnsImpl.c
    - NetworkPkg/HttpBootDxe/HttpBootDhcp6.c
    - NetworkPkg/IScsiDxe/IScsiCHAP.c
    - NetworkPkg/IScsiDxe/IScsiMisc.c
    - NetworkPkg/IScsiDxe/IScsiMisc.h
    - NetworkPkg/Include/Library/NetLib.h
    - NetworkPkg/Ip4Dxe/Ip4Driver.c
    - NetworkPkg/Ip6Dxe/Ip6ConfigImpl.c
    - NetworkPkg/Ip6Dxe/Ip6Driver.c
    - NetworkPkg/Ip6Dxe/Ip6If.c
    - NetworkPkg/Ip6Dxe/Ip6Mld.c
    - NetworkPkg/Ip6Dxe/Ip6Nd.c
    - NetworkPkg/Ip6Dxe/Ip6Nd.h
    - NetworkPkg/Library/DxeNetLib/DxeNetLib.c
    - NetworkPkg/Library/DxeNetLib/DxeNetLib.inf
    - NetworkPkg/NetworkPkg.dec
    - NetworkPkg/TcpDxe/TcpDriver.c
    - NetworkPkg/Udp4Dxe/Udp4Driver.c
    - NetworkPkg/Udp6Dxe/Udp6Driver.c
    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp4.c
    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
    - NetworkPkg/UefiPxeBcDxe/PxeBcDriver.c
  links:
    - https://bugzilla.tianocore.org/show_bug.cgi?id=4542
    - https://nvd.nist.gov/vuln/detail/CVE-2023-45237
    - http://www.openwall.com/lists/oss-security/2024/01/16/2
    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html
    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html