Package: fwupd
Version: 1.3.2-1
Severity: normal

When looking at the hashes used to check the integrity of firmware[0], all
of them appear to be using SHA-1. In addition, the signatures over the
firmware manifests downloaded appear to be using SHA-1 as well.

SHA-1 is considered dangerously weak, and other, better alternatives have
been available for some time. Fortunately, fwupd supports SHA-256 and
SHA-512 as well[1], so it should be easy to switch over.

Much like apt, fwupd should stop using or accepting MD5 or SHA-1 both in
the manifests and signatures and only accept strong alternatives, such as
SHA-2, SHA-3, or BLAKE2.

[0] zcat /var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz | grep checksum | perl -pe 's/^.*type="([^"]+)".*$/$1/g' | sort | uniq -c
[1] https://github.com/fwupd/fwupd/blob/0917fb6aec177375a2241f57d63e21a71fe19cd6/libfwupd/fwupd-common.

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.3.0-trunk-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwupd depends on:
ii  libarchive13           3.4.0-1
ii  libc6                  2.29-2
ii  libefiboot1            37-2
ii  libefivar1             37-2
ii  libelf1                0.176-1.1
ii  libfwupd2              1.3.2-2
ii  libgcab-1.0-0          1.2-5
ii  libglib2.0-0           2.62.1-1
ii  libgnutls30            3.6.9-5
ii  libgpg-error0          1.36-7
ii  libgpgme11             1.13.1-1
ii  libgudev-1.0-0         233-1
ii  libgusb2               0.3.0-1
ii  libjson-glib-1.0-0     1.4.4-2
ii  libpolkit-gobject-1-0  0.105-26
ii  libsmbios-c2           2.4.1-1
ii  libsoup2.4-1           2.68.1-2
ii  libsqlite3-0           3.30.0-1
ii  libtss2-esys0          2.1.0-4+b1
ii  libxmlb1               0.1.8-1+b1
ii  shared-mime-info       1.10-1

Versions of packages fwupd recommends:
ii  bolt                               0.8-4
ii  fwupd-amd64-signed [fwupd-signed]  1.3.2+1
ii  python3                            3.7.5-1

fwupd suggests no packages.

-- Configuration Files:
/etc/fwupd/remotes.d/lvfs-testing.conf changed:
[fwupd Remote]
Enabled=false
Title=Linux Vendor Firmware Service (testing)
Keyring=gpg
MetadataURI=https://cdn.fwupd.org/downloads/firmware-testing.xml.gz
ReportURI=
Username=
Password=
OrderBefore=lvfs,fwupd
ApprovalRequired=false

/etc/fwupd/remotes.d/lvfs.conf changed:
[fwupd Remote]
Enabled=true
Title=Linux Vendor Firmware Service
Keyring=gpg
MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
ReportURI=
OrderBefore=fwupd
ApprovalRequired=false

-- no debconf information

-- 
brian m. carlson: Houston, Texas, US
OpenPGP: https://keybase.io/bk2204
Attachment:
signature.asc
Description: PGP signature
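The report's footnote [0] tallies the checksum algorithms advertised in the LVFS metadata with a zcat/grep/perl pipeline, and its recommendation is to stop accepting MD5 and SHA-1 entirely. The following is an added example (not fwupd's code and not part of the bug report) that does both in Python: it parses an AppStream-style metadata.xml.gz, counts the `type` attributes of the `<checksum>` elements exactly as the pipeline does, and then applies the proposed policy when verifying a firmware payload, picking the strongest accepted algorithm and refusing releases that only carry SHA-1 or MD5. The metadata, the firmware bytes and the component ids are constructed inline; the `target="content"` / `target="container"` distinction is assumed from the LVFS metadata layout.

```python
"""Audit and enforce checksum algorithm policy on fwupd/LVFS-style metadata.

Added example, not fwupd's own code.  The XML is a constructed sample in
the shape of LVFS metadata (AppStream <component> entries whose <release>
elements carry <checksum type="..." target="..."> children).  On a real
system the input would be /var/lib/fwupd/remotes.d/lvfs/metadata.xml.gz.
"""
import gzip
import hashlib
import hmac
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed firmware payload; its digests are embedded in the sample metadata.
FIRMWARE_BLOB = b"\x7fELF-not-really-just-sample-firmware-bytes\x00" * 4

# Policy from the report: drop MD5 and SHA-1, accept SHA-2 / SHA-3 / BLAKE2.
# Keys are the metadata 'type' values (assumed spelling), values hashlib ctors.
ACCEPTED = {
    "sha512": hashlib.sha512,
    "sha3-512": hashlib.sha3_512,
    "blake2b": hashlib.blake2b,
    "sha256": hashlib.sha256,
    "sha3-256": hashlib.sha3_256,
}
REJECTED = {"md5", "sha1"}
PREFERENCE = list(ACCEPTED)  # strongest first when several are offered


def build_sample_metadata() -> bytes:
    """Constructed metadata: one SHA-1-only release, one with SHA-1 + SHA-256."""
    sha1 = hashlib.sha1(FIRMWARE_BLOB).hexdigest()
    sha256 = hashlib.sha256(FIRMWARE_BLOB).hexdigest()
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<components version="0.9">
  <component type="firmware">
    <id>com.example.legacy.firmware</id>
    <releases>
      <release version="1.0.0">
        <checksum type="sha1" target="container">{sha1}</checksum>
        <checksum type="sha1" target="content">{sha1}</checksum>
      </release>
    </releases>
  </component>
  <component type="firmware">
    <id>com.example.modern.firmware</id>
    <releases>
      <release version="2.0.0">
        <checksum type="sha1" target="content">{sha1}</checksum>
        <checksum type="sha256" target="content">{sha256}</checksum>
      </release>
    </releases>
  </component>
</components>
"""
    return gzip.compress(xml.encode())


def load_metadata(gz_bytes: bytes) -> ET.Element:
    return ET.fromstring(gzip.decompress(gz_bytes))


def count_checksum_types(root: ET.Element) -> Counter:
    """Same tally as the report's zcat | grep checksum | perl | sort | uniq -c."""
    return Counter(c.get("type", "").lower() for c in root.iter("checksum"))


def select_checksum(release: ET.Element, target: str = "content"):
    """Strongest accepted (type, hexdigest) for the target, or None if the
    release only offers MD5/SHA-1 (or nothing) for it."""
    available = {
        c.get("type", "").lower(): (c.text or "").strip()
        for c in release.iter("checksum")
        if c.get("target", "content") == target and c.get("type", "").lower() not in REJECTED
    }
    for algo in PREFERENCE:
        if algo in available:
            return algo, available[algo]
    return None


def verify_firmware(blob: bytes, release: ET.Element) -> bool:
    """True only if an accepted algorithm is advertised and the digest matches."""
    sel = select_checksum(release, "content")
    if sel is None:
        return False
    algo, expected = sel
    actual = ACCEPTED[algo](blob).hexdigest()
    return hmac.compare_digest(actual, expected)


def audit(gz_bytes: bytes) -> dict:
    """Map (component id, version) -> chosen algorithm, or None if rejected."""
    root = load_metadata(gz_bytes)
    out = {}
    for comp in root.iter("component"):
        for rel in comp.iter("release"):
            sel = select_checksum(rel, "content")
            out[(comp.findtext("id"), rel.get("version"))] = sel[0] if sel else None
    return out


if __name__ == "__main__":
    meta = build_sample_metadata()
    print(dict(count_checksum_types(load_metadata(meta))))
    for key, algo in audit(meta).items():
        print(key, "->", algo or "REJECTED: no SHA-2/SHA-3/BLAKE2 checksum")
```

Note that the weak-only release is rejected even though its SHA-1 digest is correct for the payload: the point of the policy is that a SHA-1 match no longer says anything useful about integrity, so the verifier never consults it at all.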