
Security: Multiple issues in EDK
Name: Multiple issues in EDK
ID: USN-7894-1
Distribution: Ubuntu
Platforms: Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, Ubuntu 25.04
Date: Wed, 26 November 2025, 23:11
References: https://www.cve.org/CVERecord?id=CVE-2021-3712
https://www.cve.org/CVERecord?id=CVE-2023-0466
https://www.cve.org/CVERecord?id=CVE-2023-0286
https://www.cve.org/CVERecord?id=CVE-2023-5678
https://www.cve.org/CVERecord?id=CVE-2024-4741
https://www.cve.org/CVERecord?id=CVE-2024-2511
https://www.cve.org/CVERecord?id=CVE-2024-6119
https://www.cve.org/CVERecord?id=CVE-2025-3770
https://www.cve.org/CVERecord?id=CVE-2024-0727
https://www.cve.org/CVERecord?id=CVE-2023-2650
https://www.cve.org/CVERecord?id=CVE-2023-0464
https://www.cve.org/CVERecord?id=CVE-2023-0215
https://www.cve.org/CVERecord?id=CVE-2024-13176
https://www.cve.org/CVERecord?id=CVE-2023-3446
https://www.cve.org/CVERecord?id=CVE-2023-6237
https://www.cve.org/CVERecord?id=CVE-2024-5535
https://www.cve.org/CVERecord?id=CVE-2025-2295
https://www.cve.org/CVERecord?id=CVE-2024-38796
https://www.cve.org/CVERecord?id=CVE-2024-38805
https://www.cve.org/CVERecord?id=CVE-2022-4450
https://www.cve.org/CVERecord?id=CVE-2023-45236
https://www.cve.org/CVERecord?id=CVE-2023-0465
https://www.cve.org/CVERecord?id=CVE-2022-0778
https://www.cve.org/CVERecord?id=CVE-2024-38797
https://www.cve.org/CVERecord?id=CVE-2023-3817
https://www.cve.org/CVERecord?id=CVE-2024-1298
https://www.cve.org/CVERecord?id=CVE-2024-9143
https://www.cve.org/CVERecord?id=CVE-2024-41996
https://www.cve.org/CVERecord?id=CVE-2025-9232
https://www.cve.org/CVERecord?id=CVE-2023-45237
https://www.cve.org/CVERecord?id=CVE-2022-4304
Applications: EDK

Original message


==========================================================================
Ubuntu Security Notice USN-7894-1
November 26, 2025

edk2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in EDK II.

Software Description:
- edk2: UEFI firmware for virtual machines

Details:

It was discovered that EDK II was susceptible to a predictable TCP Initial
Sequence Number. An attacker could possibly use this issue to gain
unauthorized access. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2023-45236, CVE-2023-45237)

It was discovered that EDK II incorrectly handled S3 sleep. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-1298)

It was discovered that the EDK II PE/COFF loader incorrectly handled
certain memory operations. An attacker could possibly use this issue to
cause a denial of service, obtain sensitive information, or execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2024-38796)

It was discovered that the EDK II PE image hashing function incorrectly
handled certain memory operations. An attacker could possibly use this
issue to cause a denial of service, or execute arbitrary code.
(CVE-2024-38797)

It was discovered that the EDK II BIOS incorrectly handled certain memory
operations. An attacker could possibly use this issue to cause a denial of
service. (CVE-2024-38805, CVE-2025-2295)

It was discovered that EDK II incorrectly handled the enabling of MCE. An
attacker could possibly use this issue to cause a denial of service, or
execute arbitrary code. (CVE-2025-3770)

It was discovered that the OpenSSL library embedded in EDK II contained
multiple vulnerabilities. An attacker could possibly use these issues to
cause a denial of service, obtain sensitive information, or execute
arbitrary code. (CVE-2021-3712, CVE-2022-0778, CVE-2022-4304,
CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
CVE-2023-0466, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-5678,
CVE-2023-6237, CVE-2024-0727, CVE-2024-13176, CVE-2024-2511,
CVE-2024-41996, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119, CVE-2024-9143,
CVE-2025-9232)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
ovmf 2025.02-3ubuntu2.2
ovmf-ia32 2025.02-3ubuntu2.2
qemu-efi-aarch64 2025.02-3ubuntu2.2
qemu-efi-arm 2025.02-3ubuntu2.2
qemu-efi-loongarch64 2025.02-3ubuntu2.2
qemu-efi-riscv64 2025.02-3ubuntu2.2

Ubuntu 24.04 LTS
ovmf 2024.02-2ubuntu0.6
ovmf-ia32 2024.02-2ubuntu0.6
qemu-efi-aarch64 2024.02-2ubuntu0.6
qemu-efi-arm 2024.02-2ubuntu0.6
qemu-efi-riscv64 2024.02-2ubuntu0.6

Ubuntu 22.04 LTS
ovmf 2022.02-3ubuntu0.22.04.4
ovmf-ia32 2022.02-3ubuntu0.22.04.4
qemu-efi 2022.02-3ubuntu0.22.04.4
qemu-efi-aarch64 2022.02-3ubuntu0.22.04.4
qemu-efi-arm 2022.02-3ubuntu0.22.04.4

After a standard system update you need to restart the virtual machines
that use the affected firmware to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-7894-1
CVE-2021-3712, CVE-2022-0778, CVE-2022-4304, CVE-2022-4450,
CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
CVE-2023-0466, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817,
CVE-2023-45236, CVE-2023-45237, CVE-2023-5678, CVE-2023-6237,
CVE-2024-0727, CVE-2024-1298, CVE-2024-13176, CVE-2024-2511,
CVE-2024-38796, CVE-2024-38797, CVE-2024-38805, CVE-2024-4741,
CVE-2024-5535, CVE-2024-6119, CVE-2024-9143, CVE-2025-2295,
CVE-2025-3770, CVE-2025-9232

Package Information:
https://launchpad.net/ubuntu/+source/edk2/2025.02-3ubuntu2.2
https://launchpad.net/ubuntu/+source/edk2/2024.02-2ubuntu0.6
https://launchpad.net/ubuntu/+source/edk2/2022.02-3ubuntu0.22.04.4
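
An added example, not part of the Ubuntu advisory or of this page: checking a host's installed firmware packages against the fixed versions listed under "Update instructions". Debian version ordering is reimplemented here so the check runs without dpkg; the function names and the sample package listing are assumptions constructed for illustration.

```python
import re

# release -> (fixed version, binary packages), copied from the advisory above
ADVISORY = {
    "25.04": ("2025.02-3ubuntu2.2", {"ovmf", "ovmf-ia32", "qemu-efi-aarch64",
              "qemu-efi-arm", "qemu-efi-loongarch64", "qemu-efi-riscv64"}),
    "24.04": ("2024.02-2ubuntu0.6", {"ovmf", "ovmf-ia32", "qemu-efi-aarch64",
              "qemu-efi-arm", "qemu-efi-riscv64"}),
    "22.04": ("2022.02-3ubuntu0.22.04.4", {"ovmf", "ovmf-ia32", "qemu-efi",
              "qemu-efi-aarch64", "qemu-efi-arm"}),
}

def _order(ch):
    # dpkg character order: '~' sorts before end-of-run, letters before punctuation
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _part_key(part):
    # Alternate non-digit and digit runs; 0 terminates each non-digit run
    key = []
    for text, digits in re.findall(r"(\D*)(\d*)", part):
        key.append([_order(c) for c in text] + [0])
        key.append(int(digits or 0))
    return key

def deb_key(version):
    """Sort key following Debian's [epoch:]upstream[-revision] ordering."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"  # a missing revision compares like "0"
    return (int(epoch), _part_key(upstream), _part_key(revision))

def unpatched(release, dpkg_listing):
    """Return {package: installed version} for advisory packages below the fix."""
    fixed, names = ADVISORY[release]
    return {
        name: ver
        for name, _, ver in (l.partition("\t") for l in dpkg_listing.splitlines())
        if name in names and deb_key(ver) < deb_key(fixed)
    }

# Constructed sample of: dpkg-query -W -f '${Package}\t${Version}\n'
SAMPLE = "ovmf\t2024.02-2\nqemu-efi-aarch64\t2024.02-2ubuntu0.6\nqemu-utils\t1:8.2.2-1\n"

if __name__ == "__main__":
    print(unpatched("24.04", SAMPLE))
```

Virtual machines that are already running keep the old firmware image until they are restarted, so an empty result here does not cover them.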
