RHSA-2023:2932: Important: edk2 security update
EDK (Embedded Development Kit) is a project to enable UEFI support for Virtual Machines. This package contains a sample 64-bit UEFI firmware for QEMU and KVM. Security Fix(es): openssl: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286) openssl: timing attack in RSA Decryption implementation (CVE-2022-4304) openssl: double free after calling PEM_read_bio_ex (CVE-2022-4450) openssl: use-after-free following BIO_new_NDEF (CVE-2023-0215) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Additional Changes:For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.8 Release Notes linked from the References section.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2023:2932?
The severity of RHSA-2023:2932 is critical due to the exposure to potential vulnerabilities in the EDK packages.
How do I fix RHSA-2023:2932?
To fix RHSA-2023:2932, update the affected packages to version 20220126gitbb1bba3d77-4.el8 or higher.
What vulnerabilities are addressed in RHSA-2023:2932?
RHSA-2023:2932 addresses a type confusion vulnerability in OpenSSL related to X.400 address types.
Which packages are affected by RHSA-2023:2932?
The affected packages include edk2, edk2-ovmf, and edk2-aarch64 up to version 20220126gitbb1bba3d77-4.el8.
Is RHSA-2023:2932 specific to a particular architecture?
RHSA-2023:2932 affects multiple architectures, including x86 and AArch64.