
v4.0.6

@github-actions github-actions released this 17 May 22:45
· 32 commits to refs/heads/main since this release
ba354bc

What's Changed

  • Update DfciUpdate.c to avoid unsigned comparison checking greater than zero @spbrogan (#215)
    Change Details
    Description

    Resolve a CodeQL identified issue where an unsigned type was being checked against greater than or equal to zero. This will always be true and thus provides no value.

    • Impacts functionality?
      • Functionality - Does the change ultimately impact how firmware functions?
      • Examples: Add a new library, publish a new PPI, update an algorithm, ...
    • Impacts security?
      • Security - Does the change have a direct security impact on an application,
        flow, or firmware?
      • Examples: Crypto algorithm change, buffer overflow fix, parameter
        validation improvement, ...
    • Breaking change?
      • Breaking change - Will anyone consuming this change experience a break
        in build or boot behavior?
      • Examples: Add a new library class, move a module to a different repo, call
        a function in a new library class in a pre-existing module, ...
    • Includes tests?
      • Tests - Does the change include any explicit test code?
      • Examples: Unit tests, integration tests, robot tests, ...
    • Includes documentation?
      • Documentation - Does the change contain explicit documentation additions
        outside direct code modifications (and comments)?
      • Examples: Update readme file, add feature readme file, link to documentation
        on a separate Web page, ...

    How This Was Tested

    Was not tested other than basic CI

    Integration Instructions

    NA




  • Fixes the Deprecation Warning for return in Robot Framework @Flickdm (#205)
    Change Details
     

    Description

    Corrects deprecation warning in Robot Framework

    For each item, place an "x" in between [ and ] if true. Example: [x].
    (you can also check items in the GitHub UI)

    • Impacts functionality?
    • Impacts security?
    • Breaking change?
    • Includes tests?
      • All tests were updated
    • Includes documentation?

    How This Was Tested

    Ran before change - warnings
    Ran after change - no warnings

    Integration Instructions

    N / A




🔐 Security Impacting

  • Update/tls ciphers @Flickdm (#206)
    Change Details
    Preface

    Description

    This change limits the TLS Ciphers provided by the Docker Container to strictly the four TLSv1.2 Ciphers that Intune currently uses.

    This will force firmware to OpenSSL TLSv1.2 and strictly the four algorithms currently supported, namely:

        cipher_list = [b'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
                       b'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
                       b'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
                       b'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256']
    

    For each item, place an "x" in between [ and ] if true. Example: [x].
    (you can also check items in the GitHub UI)

    • [ ] Impacts functionality?

    • Impacts security?
      • Yes this will force the firmware to use the above mentioned ciphers
        validation improvement, ...
    • Breaking change?
    • [] Includes tests?
    • [] Includes documentation?

    How This Was Tested

    This nmap script can confirm the SSL ciphers are what are expected:

        nmap --script ssl-enum-ciphers -p 443 127.0.0.1
    

    Integration Instructions

    N/A
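
One way to turn the nmap check above into a pass/fail audit, as an added example that is not part of the PR or the project's code: it parses `ssl-enum-ciphers` text output and reports any protocol or suite outside the four-cipher allowlist. The sample output, the function names and the choice to also flag a missing expected suite are assumptions made here.

```python
import re
# Allowlist from the release note (IANA names, which is how nmap prints them).
EXPECTED = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}
PROTO_RE = re.compile(r"^\|[ _]+((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|[ _]+(TLS_[A-Z0-9_]+)\b")

# Constructed sample: still offers TLSv1.0 and lacks one expected TLSv1.2 suite.
SAMPLE_BAD = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|_  least strength: A
"""

def parse_offered(nmap_text):
    """Return {protocol: set of suite names} from ssl-enum-ciphers output."""
    offered, proto = {}, None
    for line in nmap_text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
            offered[proto] = set()
        elif (m := SUITE_RE.match(line)) and proto:
            offered[proto].add(m.group(1))
    return offered

def audit(nmap_text, expected=EXPECTED):
    """Return findings; an empty list means only the allowlist is offered."""
    offered = parse_offered(nmap_text)
    if not offered:
        return ["no ssl-enum-ciphers results (port closed or not TLS)"]
    findings = [f"unexpected protocol {p}" for p in sorted(offered) if p != "TLSv1.2"]
    for proto, suites in sorted(offered.items()):
        findings += [f"{proto}: unexpected suite {s}" for s in sorted(suites - expected)]
    missing = expected - offered.get("TLSv1.2", set())
    findings += [f"TLSv1.2: expected suite not offered: {s}" for s in sorted(missing)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BAD)) or "OK")
```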




📖 Documentation Updates

  • Update/tls ciphers @Flickdm (#206)

Full Changelog: v4.0.5...v4.0.6