Your message dated Mon, 7 Feb 2022 09:52:16 -0700
with message-id <[email protected]>
and subject line we don't ship this component
has caused the Debian Bug report #989988,
regarding CVE-2021-28213
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
989988: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989988
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: edk2
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>
This was assigned CVE-2021-28213:
https://bugzilla.tianocore.org/show_bug.cgi?id=1866
Cheers,
Moritz
--- End Message ---
--- Begin Message ---
While the upstream bug is private, the CVE notes that the vulnerable
code is in the IpSecDxe.efi module. The IpSecDxe code was removed
upstream prior to the version of edk2 in stable:
https://github.com/tianocore/edk2/commit/d55d9d0664366efe731db461e14c6fc380fca776
And while the code is present in buster, it is not built, so oldstable
should also not be vulnerable.
--- End Message ---
