-
Notifications
You must be signed in to change notification settings - Fork 128
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
NetworkPkg: : Adds a SecurityFix.yaml file
This creates / adds a security file that tracks the security fixes found in this package and can be used to find the fixes that were applied. Cc: Saloni Kasbekar <[email protected]> Cc: Zachary Clark-williams <[email protected]> Signed-off-by: Doug Flick [MSFT] <[email protected]> Reviewed-by: Saloni Kasbekar <[email protected]>
- Loading branch information
Showing
1 changed file
with
123 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,123 @@ | ||
| ## @file | ||
| # Security Fixes for SecurityPkg | ||
| # | ||
| # Copyright (c) Microsoft Corporation | ||
| # SPDX-License-Identifier: BSD-2-Clause-Patent | ||
| ## | ||
| CVE_2023_45229: | ||
| commit_titles: | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch" | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests" | ||
| cve: CVE-2023-45229 | ||
| date_reported: 2023-08-28 13:56 UTC | ||
| description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message" | ||
| note: | ||
| files_impacted: | ||
| - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c | ||
| - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h | ||
| links: | ||
| - https://bugzilla.tianocore.org/show_bug.cgi?id=4534 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-45229 | ||
| - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| CVE_2023_45230: | ||
| commit_titles: | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch" | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests" | ||
| cve: CVE-2023-45230 | ||
| date_reported: 2023-08-28 13:56 UTC | ||
| description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option" | ||
| note: | ||
| files_impacted: | ||
| - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c | ||
| - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h | ||
| links: | ||
| - https://bugzilla.tianocore.org/show_bug.cgi?id=4535 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-45230 | ||
| - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| CVE_2023_45231: | ||
| commit_titles: | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch" | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests" | ||
| cve: CVE-2023-45231 | ||
| date_reported: 2023-08-28 13:56 UTC | ||
| description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options" | ||
| note: | ||
| files_impacted: | ||
| - NetworkPkg/Ip6Dxe/Ip6Option.c | ||
| links: | ||
| - https://bugzilla.tianocore.org/show_bug.cgi?id=4536 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-45231 | ||
| - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| CVE_2023_45232: | ||
| commit_titles: | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests" | ||
| cve: CVE-2023-45232 | ||
| date_reported: 2023-08-28 13:56 UTC | ||
| description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header" | ||
| note: | ||
| files_impacted: | ||
| - NetworkPkg/Ip6Dxe/Ip6Option.c | ||
| - NetworkPkg/Ip6Dxe/Ip6Option.h | ||
| links: | ||
| - https://bugzilla.tianocore.org/show_bug.cgi?id=4537 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-45232 | ||
| - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| CVE_2023_45233: | ||
| commit_titles: | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch" | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests" | ||
| cve: CVE-2023-45233 | ||
| date_reported: 2023-08-28 13:56 UTC | ||
| description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header " | ||
| note: This was fixed along with CVE-2023-45233 | ||
| files_impacted: | ||
| - NetworkPkg/Ip6Dxe/Ip6Option.c | ||
| - NetworkPkg/Ip6Dxe/Ip6Option.h | ||
| links: | ||
| - https://bugzilla.tianocore.org/show_bug.cgi?id=4538 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-45233 | ||
| - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| CVE_2023_45234: | ||
| commit_titles: | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch" | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests" | ||
| cve: CVE-2023-45234 | ||
| date_reported: 2023-08-28 13:56 UTC | ||
| description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message" | ||
| note: | ||
| files_impacted: | ||
| - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | ||
| links: | ||
| - https://bugzilla.tianocore.org/show_bug.cgi?id=4539 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-45234 | ||
| - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html | ||
| CVE_2023_45235: | ||
| commit_titles: | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch" | ||
| - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests" | ||
| cve: CVE-2023-45235 | ||
| date_reported: 2023-08-28 13:56 UTC | ||
| description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message" | ||
| note: | ||
| files_impacted: | ||
| - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c | ||
| - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h | ||
| links: | ||
| - https://bugzilla.tianocore.org/show_bug.cgi?id=4540 | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2023-45235 | ||
| - http://www.openwall.com/lists/oss-security/2024/01/16/2 | ||
| - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html | ||
| - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html |