From nobody Fri Mar 13 02:54:04 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of groups.io designates
 66.175.222.108 as permitted sender) client-ip=66.175.222.108;
 envelope-from=bounce+27952+114266+1787277+3901457@groups.io;
 helo=mail02.groups.io;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+114266+1787277+3901457@groups.io
ARC-Seal: i=1; a=rsa-sha256; t=1706073638; cv=none;
	d=zohomail.com; s=zohoarc;
	b=J4dk8HhYuAFCvuGeuvuy8IpXbs8y8ZRT1SPrKkuOxC1v+NE7CewOwg62AknwlJY4CiwB36frg080caWNtwQP2ZJv/yTeao50OBj7aVwWmKOmEXE/pD5vi/ml7Trp4XUEag6S4xM12kwHeW41s3XvOIBKZkgTHG9dTfbhhuHVzx4=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1706073638;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Id:List-Help:List-Unsubscribe:MIME-Version:Message-ID:Reply-To:Reply-To:References:Sender:Subject:Subject:To:To:Message-Id;
	bh=ZkOUlcK8L51v+nhzas9NttB+iMp68HAjM6R2HW7UxTI=;
	b=ax8fg7mt1l+3exBrZsrpWeG3sKypek832dJR/8VsJmd25tFgAQ1+7LHvwr7B9LNI3+zSjeTxKLGrvCq+6eXln5/kXyg0mdsyhY7HkvST5eErh+I/WRSLEfKC222oeybeXzCTA4lVM+U7KY2Zl7epnaz0YRvR9Yj7HHRYrMMtQwE=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of groups.io designates 66.175.222.108 as
 permitted sender)
  smtp.mailfrom=bounce+27952+114266+1787277+3901457@groups.io
Received: from mail02.groups.io (mail02.groups.io [66.175.222.108]) by
 mx.zohomail.com
	with SMTPS id 1706073638637210.18852900961178;
 Tue, 23 Jan 2024 21:20:38 -0800 (PST)
Return-Path: <bounce+27952+114266+1787277+3901457@groups.io>
DKIM-Signature: a=rsa-sha256; bh=drwnk8efp7PJ6VNmandE0urkkn5w+6Jvr/1aK/QyhOI=;
 c=relaxed/simple; d=groups.io;
 h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version:Precedence:List-Subscribe:List-Help:Sender:List-Id:Mailing-List:Delivered-To:Reply-To:List-Unsubscribe-Post:List-Unsubscribe:Content-Transfer-Encoding;
 s=20140610; t=1706073638; v=1;
 b=P6Af0OgB2UPlUagJSkdXB29SQ9xPqo9HDhLwgbkzIVlFn3HRqKKWUPbWBJiyTGw7TP7AV+EI
 K4NhvW4ZCwuW0H2ps3CSSj6Tr53H+habZ91iJ+/lMuGlxPtrYgBGmjdIv7sUcTLtQSqtJS6wNLW
 +WLcWFaKo5N1t/tcWgN7JTeQ=
X-Received: by 127.0.0.2 with SMTP id btKxYY1788612xGl8CkkyCQw;
 Tue, 23 Jan 2024 21:20:38 -0800
X-Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com
 [209.85.214.178])
 by mx.groups.io with SMTP id smtpd.web10.16104.1706073637789147739
 for <devel@edk2.groups.io>;
 Tue, 23 Jan 2024 21:20:37 -0800
X-Received: by mail-pl1-f178.google.com with SMTP id
 d9443c01a7336-1d7859efea5so322045ad.0
        for <devel@edk2.groups.io>; Tue, 23 Jan 2024 21:20:37 -0800 (PST)
X-Gm-Message-State: 7JKl2VWRzh1lWgUvKBv7Axsvx1787277AA=
X-Google-Smtp-Source: 
 AGHT+IFrerRX9HU0Ukc+6Hi6HijpL8Aagv+1MLVZoCLAODS7tScJVzllFTlPduj7TIQjq7EBxjZcsw==
X-Received: by 2002:a17:902:da82:b0:1d7:3131:4dd6 with SMTP id
 j2-20020a170902da8200b001d731314dd6mr208695plx.12.1706073637108;
        Tue, 23 Jan 2024 21:20:37 -0800 (PST)
X-Received: from localhost.localdomain ([24.17.138.83])
        by smtp.gmail.com with ESMTPSA id
 w2-20020a170902c78200b001d71f10aa42sm7831709pla.11.2024.01.23.21.20.36
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 23 Jan 2024 21:20:36 -0800 (PST)
From: "Doug Flick via groups.io" <dougflick=microsoft.com@groups.io>
To: devel@edk2.groups.io
Cc: "Douglas Flick [MSFT]" <doug.edk2@gmail.com>,
	Saloni Kasbekar <saloni.kasbekar@intel.com>,
	Zachary Clark-williams <zachary.clark-williams@intel.com>
Subject: [edk2-devel] [PATCH 14/14] NetworkPkg: : Adds a SecurityFix.yaml file
Date: Tue, 23 Jan 2024 19:33:37 -0800
Message-ID: 
 <851a15e8da32b3e6ecc43cd92a59c6ff3064a8f2.1706062164.git.doug.edk2@gmail.com>
In-Reply-To: <cover.1706062164.git.doug.edk2@gmail.com>
References: <cover.1706062164.git.doug.edk2@gmail.com>
MIME-Version: 1.0
Precedence: Bulk
List-Subscribe: <mailto:devel+subscribe@edk2.groups.io>
List-Help: <mailto:devel+help@edk2.groups.io>
Sender: devel@edk2.groups.io
List-Id: <devel.edk2.groups.io>
Mailing-List: list devel@edk2.groups.io; contact devel+owner@edk2.groups.io
Reply-To: devel@edk2.groups.io,dougflick@microsoft.com
List-Unsubscribe-Post: List-Unsubscribe=One-Click
List-Unsubscribe: 
 <https://edk2.groups.io/g/devel/leave/3901457/1787277/102458076/plugh>
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @groups.io)
X-ZM-MESSAGEID: 1706073640554100057
Content-Type: text/plain; charset="utf-8"

This creates / adds a security file that tracks the security fixes
found in this package and can be used to find the fixes that were
applied.

Cc: Saloni Kasbekar <saloni.kasbekar@intel.com>
Cc: Zachary Clark-williams <zachary.clark-williams@intel.com>

Signed-off-by: Doug Flick [MSFT] <doug.edk2@gmail.com>
---
 NetworkPkg/SecurityFixes.yaml | 123 ++++++++++++++++++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 NetworkPkg/SecurityFixes.yaml

diff --git a/NetworkPkg/SecurityFixes.yaml b/NetworkPkg/SecurityFixes.yaml
new file mode 100644
index 000000000000..7e900483fec5
--- /dev/null
+++ b/NetworkPkg/SecurityFixes.yaml
@@ -0,0 +1,123 @@
+## @file
+# Security Fixes for SecurityPkg
+#
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: BSD-2-Clause-Patent
+##
+CVE_2023_45229:
+  commit_titles:
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Patch"
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45229 Unit Tests"
+  cve: CVE-2023-45229
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 01 - edk2/NetworkPkg: Out-of-bounds read when processi=
ng IA_NA/IA_TA options in a DHCPv6 Advertise message"
+  note:
+  files_impacted:
+    - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
+    - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4534
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45229
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce=
pts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco=
res-edk-ii-ipv6-network-stack.html
+CVE_2023_45230:
+  commit_titles:
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Patch"
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45230 Unit Tests"
+  cve: CVE-2023-45230
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 02 - edk2/NetworkPkg: Buffer overflow in the DHCPv6 cl=
ient via a long Server ID option"
+  note:
+  files_impacted:
+    - NetworkPkg\Dhcp6Dxe\Dhcp6Io.c
+    - NetworkPkg\Dhcp6Dxe\Dhcp6Impl.h
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4535
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45230
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce=
pts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco=
res-edk-ii-ipv6-network-stack.html
+CVE_2023_45231:
+  commit_titles:
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Patch"
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45231 Unit Tests"
+  cve: CVE-2023-45231
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 03 - edk2/NetworkPkg: Out-of-bounds read when handling=
 a ND Redirect message with truncated options"
+  note:
+  files_impacted:
+    - NetworkPkg/Ip6Dxe/Ip6Option.c
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4536
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45231
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce=
pts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco=
res-edk-ii-ipv6-network-stack.html
+CVE_2023_45232:
+  commit_titles:
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
+  cve: CVE-2023-45232
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 04 - edk2/NetworkPkg: Infinite loop when parsing unkno=
wn options in the Destination Options header"
+  note:
+  files_impacted:
+    - NetworkPkg/Ip6Dxe/Ip6Option.c
+    - NetworkPkg/Ip6Dxe/Ip6Option.h
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4537
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45232
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce=
pts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco=
res-edk-ii-ipv6-network-stack.html
+CVE_2023_45233:
+  commit_titles:
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Patch"
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45232 Unit Tests"
+  cve: CVE-2023-45233
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 05 - edk2/NetworkPkg: Infinite loop when parsing a Pad=
N option in the Destination Options header "
+  note: This was fixed along with CVE-2023-45233
+  files_impacted:
+    - NetworkPkg/Ip6Dxe/Ip6Option.c
+    - NetworkPkg/Ip6Dxe/Ip6Option.h
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4538
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45233
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce=
pts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco=
res-edk-ii-ipv6-network-stack.html
+CVE_2023_45234:
+  commit_titles:
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Patch"
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45234 Unit Tests"
+  cve: CVE-2023-45234
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 06 - edk2/NetworkPkg: Buffer overflow when processing =
DNS Servers option in a DHCPv6 Advertise message"
+  note:
+  files_impacted:
+    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4539
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45234
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce=
pts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco=
res-edk-ii-ipv6-network-stack.html
+CVE_2023_45235:
+  commit_titles:
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Patch"
+    - "NetworkPkg: Dhcp6Dxe: SECURITY PATCH CVE-2023-45235 Unit Tests"
+  cve: CVE-2023-45235
+  date_reported: 2023-08-28 13:56 UTC
+  description: "Bug 07 - edk2/NetworkPkg: Buffer overflow when handling Se=
rver ID option from a DHCPv6 proxy Advertise message"
+  note:
+  files_impacted:
+    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.c
+    - NetworkPkg/UefiPxeBcDxe/PxeBcDhcp6.h
+  links:
+    - https://bugzilla.tianocore.org/show_bug.cgi?id=3D4540
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-45235
+    - http://www.openwall.com/lists/oss-security/2024/01/16/2
+    - http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Conce=
pts.html
+    - https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianoco=
res-edk-ii-ipv6-network-stack.html
--=20
2.43.0



-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-
Groups.io Links: You receive all messages sent to this group.
View/Reply Online (#114266): https://edk2.groups.io/g/devel/message/114266
Mute This Topic: https://groups.io/mt/103926745/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub [importer@patchew.org]
-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-