[Debian] Medium CVE: CVE-2023-48733 edk2 OS-resident attacker to bypass Secure Boot

Bug #2054273 reported by Yue Tao
Affects     Status        Importance  Assigned to  Milestone
StarlingX   Fix Released  High        Peng Zhang

Bug Description

CVE-2023-48733: https://nvd.nist.gov/vuln/detail/CVE-2023-48733

An insecure default to allow UEFI Shell in EDK2 was left enabled in Ubuntu's EDK2. This allows an OS-resident attacker to bypass Secure Boot.

Base Score: Medium

Reference:

ovmf_2020.11-2+deb11u1_all.deb ===> ovmf_2020.11-2+deb11u2_all.deb
https://security-tracker.debian.org/tracker/DSA-5624-1

Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/910127

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/910127
Committed: https://opendev.org/starlingx/tools/commit/a36a1ee862a19a16931abbd03461b1c83c649230
Submitter: "Zuul (22348)"
Branch: master

commit a36a1ee862a19a16931abbd03461b1c83c649230
Author: Peng Zhang <email address hidden>
Date: Wed Feb 21 05:56:42 2024 +0000

    ovmf: Upgrade to ovmf_2020.11-2+deb11u2_all.deb

    Upgrade package ovmf from 2020.11-2+deb11u1 to 2020.11-2+deb11u2 in
    order to fix the CVE issue CVE-2023-48733.

    Refer to:
    https://nvd.nist.gov/vuln/detail/CVE-2023-48733
    https://security-tracker.debian.org/tracker/DSA-5624-1

    TestPlan:
    PASS: downloader; build-pkgs; build-image
    PASS: Jenkins Installation

    Closes-Bug: 2054273

    Change-Id: I42937791da7c25b59ae4cf2f945bdd4b6d57ade3
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released