From: "Saloni Kasbekar" <saloni.kasbekar@intel.com>
To: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>,
"devel@edk2.groups.io" <devel@edk2.groups.io>
Cc: "Clark-williams, Zachary" <zachary.clark-williams@intel.com>
Subject: Re: [edk2-devel] [PATCH v2 15/15] NetworkPkg: : Adds a SecurityFix.yaml file
Date: Thu, 1 Feb 2024 22:18:19 +0000 [thread overview]
Message-ID: <SN7PR11MB8281CCB9C4B4D84E86D83C74F1432@SN7PR11MB8281.namprd11.prod.outlook.com> (raw)
In-Reply-To: <7cff1e0c867f716759a3aea9a67e3ded0ac59620.1706219324.git.doug.edk2@gmail.com>
Reviewed-by: Saloni Kasbekar <saloni.kasbekar@intel.com>
-----Original Message-----
From: Douglas Flick [MSFT] <doug.edk2@gmail.com>
Sent: Thursday, January 25, 2024 1:55 PM
To: devel@edk2.groups.io
Cc: Douglas Flick [MSFT] <doug.edk2@gmail.com>; Kasbekar, Saloni <saloni.kasbekar@intel.com>; Clark-williams, Zachary <zachary.clark-williams@intel.com>
Subject: [PATCH v2 15/15] NetworkPkg: : Adds a SecurityFix.yaml file
This creates / adds a security file that tracks the security fixes found in this package and can be used to find the fixes that were applied.
Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>
Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++
1 file changed, 123 insertions(+)
create mode 100644 NetworkPkg/SecurityFixes.yaml
diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml new file mode 100644 index 000000000000..7e900483fec5
--- /dev/null
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -0,0 +1,123 @@
+## @file+# Security Fixes for SecurityPkg+#+# Copyright (c) Microsoft Corporation+# SPDX-License-Identifier: BSD-2-Clause-Patent+##+CVE_2023_45229:+ commit_titles:+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch"+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests"+ cve: CVE-2023-45229+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processing IA_NA/IA_TA options in a DHCPv6 Advertise message"+ note:+ files_impacted:+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4534+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45229+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html+CVE_2023_45230:+ commit_titles:+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch"+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests"+ cve: CVE-2023-45230+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 client via a long Server ID option"+ note:+ files_impacted:+ - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c+ - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4535+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45230+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html+CVE_2023_45231:+ commit_titles:+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch"+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests"+ cve: CVE-2023-45231+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling a ND Redirect message with truncated options"+ note:+ files_impacted:+ - NetworkPkg/Ip6Dxe/Ip6Option.c+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4536+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45231+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html+CVE_2023_45232:+ commit_titles:+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"+ cve: CVE-2023-45232+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unknown options in the Destination Options header"+ note:+ files_impacted:+ - NetworkPkg/Ip6Dxe/Ip6Option.c+ - NetworkPkg/Ip6Dxe/Ip6Option.h+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4537+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45232+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html+CVE_2023_45233:+ commit_titles:+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"+ cve: CVE-2023-45233+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a PadN option in the Destination Options header "+ note: This was fixed along with CVE-2023-45233+ files_impacted:+ - NetworkPkg/Ip6Dxe/Ip6Option.c+ - NetworkPkg/Ip6Dxe/Ip6Option.h+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4538+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45233+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html+CVE_2023_45234:+ commit_titles:+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch"+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests"+ cve: CVE-2023-45234+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing DNS Servers option in a DHCPv6 Advertise message"+ note:+ files_impacted:+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4539+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45234+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html+CVE_2023_45235:+ commit_titles:+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch"+ - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests"+ cve: CVE-2023-45235+ date_reported: 2023-08-28 13:56 UTC+ description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Server ID option from a DHCPv6 proxy Advertise message"+ note:+ files_impacted:+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c+ - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h+ links:+ - https://bugzilla.tianocore.org/show_bug.cgi?id=4540+ - https://nvd.nist.gov/vuln/detail/CVE-2023-45235+ - http://www.openwall.com/lists/oss-security/2024/01/16/2+ - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html+ - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html--
2.43.0
-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#114969): https://edk2.groups.io/g/devel/message/114969
Mute This Topic: https://groups.io/mt/103964993/7686176
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [rebecca@openfw.io]
-=-=-=-=-=-=-=-=-=-=-=-
next prev parent reply other threads:[~2024-02-01 22:18 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-25 21:54 [edk2-devel] [PATCH v2 00/15] Security Patches for EDK II Network Stack Doug Flick via groups.io
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 01/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch Doug Flick via groups.io
2024-02-01 19:35 ` Saloni Kasbekar
2024-02-05 13:41 ` bryan-bt.tan via groups.io
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 02/15] NetworkPkg: : Add Unit tests to CI and create Host Test DSC Doug Flick via groups.io
2024-02-01 19:36 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 03/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests Doug Flick via groups.io
2024-02-01 19:40 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 04/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch Doug Flick via groups.io
2024-02-01 19:42 ` Saloni Kasbekar
2024-02-05 13:46 ` bryan-bt.tan via groups.io
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 05/15] NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests Doug Flick via groups.io
2024-02-01 19:49 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 06/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Patch Doug Flick via groups.io
2024-02-01 19:52 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 07/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests Doug Flick via groups.io
2024-02-01 19:59 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 08/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Patch Doug Flick via groups.io
2024-02-01 20:48 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 09/15] NetworkPkg: Ip6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests Doug Flick via groups.io
2024-02-01 21:16 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 10/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Patch Doug Flick via groups.io
2024-02-01 21:22 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 11/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45234 Unit Tests Doug Flick via groups.io
2024-02-01 21:32 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 12/15] MdePkg: Test: Add gRT_GetTime Google Test Mock Doug Flick via groups.io
2024-01-26 19:52 ` Michael D Kinney
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 13/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Patch Doug Flick via groups.io
2024-02-01 21:37 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 14/15] NetworkPkg: UefiPxeBcDxe: SECURITY PATCH CVE-2023-45235 Unit Tests Doug Flick via groups.io
2024-02-01 22:03 ` Saloni Kasbekar
2024-01-25 21:54 ` [edk2-devel] [PATCH v2 15/15] NetworkPkg: : Adds a SecurityFix.yaml file Doug Flick via groups.io
2024-02-01 22:18 ` Saloni Kasbekar [this message]
2024-01-31 5:22 ` [edk2-devel] 回复: [edk2-stable202402][PATCH v2 00/15] Security Patches for EDK II Network Stack gaoliming via groups.io
[not found] ` <17AF5718015C1866.16460@groups.io>
2024-02-07 14:26 ` 回复: " gaoliming via groups.io
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SN7PR11MB8281CCB9C4B4D84E86D83C74F1432@SN7PR11MB8281.namprd11.prod.outlook.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox