Doug:

  Thanks for your clarification. For the changes in MdePkg and EmulatorPkg, I have no comments. Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>

 

Thanks

Liming

发件人: Doug Flick via groups.io <dougflick=microsoft.com@groups.io>
发送时间: 2024510 2:26
收件人: gaoliming <gaoliming@byosoft.com.cn>; devel@edk2.groups.io
主题: Re: [edk2-devel] 回复: [edk2-devel][edk2-stable202405] [PATCH v2 00/13] NetworkPkg: CVE-2023-45236 and CVE-2023-45237

 

From the two CVE patches there should be no functional differences to a platform assuming the platform provides them with a RNG implementation and HASH2 implementation.

The "NetworkPkg:: SECURITY PATCH CVE-2023-45237" change simply get's it's random numbers from outside of the NetworkPkg and makes it a platform decision. The "NetworkPkg: TcpDxe: SECURITY PATCH CVE-2023-45236" changes how the TCP Isn number is generated and puts the platform in compliance with the relevant specification.

There is a functional change with "SecurityPkg: RngDxe: Remove incorrect limitation on GetRng" as this will now allow a caller to call less than 32 bytes.

The other changes are unit tests and platform integration changes.

_._,_._,_
Groups.io Links:

You receive all messages sent to this group.

View/Reply Online (#118897) | | Mute This Topic | New Topic
Your Subscription | Contact Group Owner | Unsubscribe [rebecca@openfw.io]

_._,_._,_