USN-7894-1 introduced a regression in EDK II
Software Description:
- edk2: UEFI firmware for virtual machines
Details:
USN-7894-1 fixed vulnerabilities in EDK II. The update introduced a
regression in UEFI network boot. This update reverts the corresponding
fixes for CVE-2023-45236 and CVE-2023-45237 pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that EDK II was susceptible to a predictable TCP Initial
Sequence Number. An attacker could possibly use this issue to gain
unauthorized access. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2023-45236, CVE-2023-45237)
It was discovered that EDK II incorrectly handled S3 sleep. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-1298)
It was discovered that the EDK II PE/COFF loader incorrectly handled
certain memory operations. An attack...
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 24.04 LTS
- efi-shell-aa64 2024.02-2ubuntu0.7
- efi-shell-arm 2024.02-2ubuntu0.7
- efi-shell-ia32 2024.02-2ubuntu0.7
- efi-shell-riscv64 2024.02-2ubuntu0.7
- efi-shell-x64 2024.02-2ubuntu0.7
- ovmf 2024.02-2ubuntu0.7
- ovmf-ia32 2024.02-2ubuntu0.7
- qemu-efi-aarch64 2024.02-2ubuntu0.7
- qemu-efi-arm 2024.02-2ubuntu0.7
- qemu-efi-riscv64 2024.02-2ubuntu0.7
Ubuntu 22.04 LTS
- ovmf 2022.02-3ubuntu0.22.04.5
- ovmf-ia32 2022.02-3ubuntu0.22.04.5
- qemu-efi 2022.02-3ubuntu0.22.04.5
- qemu-efi-aarch64 2022.02-3ubuntu0.22.04.5
- qemu-efi-arm 2022.02-3ubuntu0.22.04.5
After a standard system update you need to restart the virtual machines that use the affected firmware to make all the necessary changes.
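Added example, not part of the Ubuntu notice: a Python check that takes `dpkg-query -W -f '${Package} ${Version}\n'` output collected from a host and reports which of the packages above are still below the fixed version. It reimplements dpkg's version ordering (epoch, upstream, revision; digit runs compared numerically; `~` sorting before everything) so it can run off-host without python-apt; the dpkg-query sample at the end is constructed, not real data.

```python
import re
from itertools import zip_longest
# Fixed versions from USN-7894-2, keyed by Ubuntu release then package name.
FIXED = {
    "24.04": dict.fromkeys(["efi-shell-aa64", "efi-shell-arm", "efi-shell-ia32",
                            "efi-shell-riscv64", "efi-shell-x64", "ovmf", "ovmf-ia32",
                            "qemu-efi-aarch64", "qemu-efi-arm", "qemu-efi-riscv64"],
                           "2024.02-2ubuntu0.7"),
    "22.04": dict.fromkeys(["ovmf", "ovmf-ia32", "qemu-efi", "qemu-efi-aarch64",
                            "qemu-efi-arm"], "2022.02-3ubuntu0.22.04.5"),
}
def _order(c):
    # dpkg weight of a non-digit char: '~' sorts before anything, even end of string (0); letters before the rest.
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)
def _cmp_part(a, b):
    # Alternating non-digit / digit runs, as dpkg compares upstream and revision; digit runs are numeric (0.10 > 0.7).
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in zip_longest(na, nb, fillvalue=""):
            ox, oy = (_order(x) if x else 0), (_order(y) if y else 0)
            if ox != oy:
                return -1 if ox < oy else 1
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0
def dpkg_compare(a, b):
    """Return -1, 0 or 1 with the ordering of `dpkg --compare-versions`."""
    def split(v):  # [epoch:]upstream[-revision]; the revision follows the last hyphen
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)
def needs_update(release, package, installed):
    """True if `installed` is older than the fixed version the notice lists for that release."""
    fixed = FIXED.get(release, {}).get(package)
    return fixed is not None and dpkg_compare(installed, fixed) < 0
def audit(release, dpkg_output):
    """Parse `dpkg-query -W -f '${Package} ${Version}\n'` output; return packages still unpatched."""
    pairs = (line.split() for line in dpkg_output.splitlines() if line.strip())
    return [pkg for pkg, ver in pairs if needs_update(release, pkg, ver)]
# Constructed sample of dpkg-query output from a 24.04 host (not real data).
SAMPLE_24_04 = "ovmf 2024.02-2ubuntu0.6\nqemu-efi-aarch64 2024.02-2ubuntu0.7\n"
```

Running `audit("24.04", SAMPLE_24_04)` reports `['ovmf']`; remember that a package at the fixed version still needs the guest VMs restarted to pick up the new firmware image.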
References:
- https://ubuntu.com/security/notices/USN-7894-2
- https://ubuntu.com/security/notices/USN-7894-1
- https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2133157