Bug#912414: fwupd: Impossible to refresh metadata from remote server
This is still not fixed.
fwupd 0.7.4-2 ships with a DownloadURI value (s3.amazonaws.com) that points to
an unmaintained and unsupported metadata repository. CVE-2020-10759 (#962517)
was made readily exploitable against Debian Stretch users due to this stale
value.
Now that the S3 bucket is back in the safe hands of the LVFS/fwupd project,
CVE-2020-10759 is less exploitable against Debian Stretch. But the
functionality breakage remains, and users are needlessly running up the costs
of a deprecated S3 bucket.
Maintainer, can you please consider:
1. Backporting the fixes necessary to no longer use s3.amazonaws.com AND the
fixes necessary to fix the functionality breakage (i.e. to have 0.7.4 accept
the new metadata format); OR
2. Proposing an update so that Stretch uses the fwupd in Testing.
If option 1 is taken, consider backporting the fix for CVE-2020-10759 at the
same time.
The discussion on #961490 (a similar issue as it relates to Buster) might be
relevant.
--
Justin